Edit tour

Windows Analysis Report
conferma..exe

Overview

General Information

Sample name:	conferma..exe
Analysis ID:	1576067
MD5:	4ba36c8f38d57ff73fc040d86b077541
SHA1:	493543048b0fabbe6d63309d27ca5cd8eb3b59c0
SHA256:	61759e8ee0c4d6c2f00f86c40a00d44ccf92cd5489511c1975e2b0c4fbedd61f
Tags:	exeuser-adrian__luca
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected MassLogger RAT

Yara detected Telegram RAT

.NET source code references suspicious native API functions

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

One or more processes crash

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

conferma..exe (PID: 3796 cmdline: "C:\Users\user\Desktop\conferma..exe" MD5: 4BA36C8F38D57FF73FC040D86B077541)

RegSvcs.exe (PID: 6060 cmdline: "C:\Users\user\Desktop\conferma..exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

WerFault.exe (PID: 2820 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6060 -s 1476 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "8138619732:AAH290KzTAyIxOODoUHLupo_iFgT4CfKzAM", "Telegram Chatid": "7455776561"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2413595132.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.2413595132.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2413595132.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.2413595132.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xef73:$a1: get_encryptedPassword 0xf29b:$a2: get_encryptedUsername 0xed0e:$a3: get_timePasswordChanged 0xee2f:$a4: get_passwordField 0xef89:$a5: set_encryptedPassword 0x108e5:$a7: get_logins 0x10596:$a8: GetOutlookPasswords 0x10388:$a9: StartKeylogger 0x10835:$a10: KeyLoggerEventArgs 0x103e5:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.2306887297.0000000001790000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.2306887297.0000000001790000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2306887297.0000000001790000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2306887297.0000000001790000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf173:$a1: get_encryptedPassword 0xf49b:$a2: get_encryptedUsername 0xef0e:$a3: get_timePasswordChanged 0xf02f:$a4: get_passwordField 0xf189:$a5: set_encryptedPassword 0x10ae5:$a7: get_logins 0x10796:$a8: GetOutlookPasswords 0x10588:$a9: StartKeylogger 0x10a35:$a10: KeyLoggerEventArgs 0x105e5:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.2306887297.0000000001790000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14125:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13623:$a3: \Google\Chrome\User Data\Default\Login Data 0x13931:$a4: \Orbitum\User Data\Default\Login Data 0x14729:$a5: \Kometa\User Data\Default\Login Data
Process Memory Space: conferma..exe PID: 3796	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: conferma..exe PID: 3796	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: conferma..exe PID: 3796	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: conferma..exe PID: 3796	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x9773db:$a1: get_encryptedPassword 0x9776f4:$a2: get_encryptedUsername 0x97718a:$a3: get_timePasswordChanged 0x9772ab:$a4: get_passwordField 0x9773f1:$a5: set_encryptedPassword 0x978cf4:$a7: get_logins 0x9789a5:$a8: GetOutlookPasswords 0x978797:$a9: StartKeylogger 0x978c44:$a10: KeyLoggerEventArgs 0x9787f4:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 6060	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 6060	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 6060	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 6060	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12f5:$a1: get_encryptedPassword 0x160e:$a2: get_encryptedUsername 0x10a4:$a3: get_timePasswordChanged 0x11c5:$a4: get_passwordField 0x130b:$a5: set_encryptedPassword 0x2c0e:$a7: get_logins 0x28bf:$a8: GetOutlookPasswords 0x26b1:$a9: StartKeylogger 0x2b5e:$a10: KeyLoggerEventArgs 0x270e:$a11: KeyLoggerEventArgsEventHandler
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.conferma..exe.1790000.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.conferma..exe.1790000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.conferma..exe.1790000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.conferma..exe.1790000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd373:$a1: get_encryptedPassword 0xd69b:$a2: get_encryptedUsername 0xd10e:$a3: get_timePasswordChanged 0xd22f:$a4: get_passwordField 0xd389:$a5: set_encryptedPassword 0xece5:$a7: get_logins 0xe996:$a8: GetOutlookPasswords 0xe788:$a9: StartKeylogger 0xec35:$a10: KeyLoggerEventArgs 0xe7e5:$a11: KeyLoggerEventArgsEventHandler
0.2.conferma..exe.1790000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12325:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11823:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b31:$a4: \Orbitum\User Data\Default\Login Data 0x12929:$a5: \Kometa\User Data\Default\Login Data
0.2.conferma..exe.1790000.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.conferma..exe.1790000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.conferma..exe.1790000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.conferma..exe.1790000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf173:$a1: get_encryptedPassword 0xf49b:$a2: get_encryptedUsername 0xef0e:$a3: get_timePasswordChanged 0xf02f:$a4: get_passwordField 0xf189:$a5: set_encryptedPassword 0x10ae5:$a7: get_logins 0x10796:$a8: GetOutlookPasswords 0x10588:$a9: StartKeylogger 0x10a35:$a10: KeyLoggerEventArgs 0x105e5:$a11: KeyLoggerEventArgsEventHandler
0.2.conferma..exe.1790000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14125:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13623:$a3: \Google\Chrome\User Data\Default\Login Data 0x13931:$a4: \Orbitum\User Data\Default\Login Data 0x14729:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf173:$a1: get_encryptedPassword 0xf49b:$a2: get_encryptedUsername 0xef0e:$a3: get_timePasswordChanged 0xf02f:$a4: get_passwordField 0xf189:$a5: set_encryptedPassword 0x10ae5:$a7: get_logins 0x10796:$a8: GetOutlookPasswords 0x10588:$a9: StartKeylogger 0x10a35:$a10: KeyLoggerEventArgs 0x105e5:$a11: KeyLoggerEventArgsEventHandler
2.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14125:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13623:$a3: \Google\Chrome\User Data\Default\Login Data 0x13931:$a4: \Orbitum\User Data\Default\Login Data 0x14729:$a5: \Kometa\User Data\Default\Login Data
Click to see the 10 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000002.00000002.2414581560.0000000003371000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "8138619732:AAH290KzTAyIxOODoUHLupo_iFgT4CfKzAM", "Telegram Chatid": "7455776561"}

Multi AV Scanner detection for submitted file

Source: conferma..exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: conferma..exe

Joe Sandbox ML: detected

Source: conferma..exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: $$.pdb source: RegSvcs.exe, 00000002.00000002.2413692110.00000000012F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdbr source: RegSvcs.exe, 00000002.00000002.2413692110.00000000012F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbr=$? source: RegSvcs.exe, 00000002.00000002.2414039041.000000000152D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\RegSvcs.pdbpdbvcs.pdb source: RegSvcs.exe, 00000002.00000002.2414039041.000000000152D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000002.00000002.2413692110.00000000012F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdbl source: RegSvcs.exe, 00000002.00000002.2414039041.000000000152D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: conferma..exe, 00000000.00000003.2303671981.00000000041D0000.00000004.00001000.00020000.00000000.sdmp, conferma..exe, 00000000.00000003.2304933431.0000000004030000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdbs source: RegSvcs.exe, 00000002.00000002.2414039041.000000000152D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdbd source: WERF262.tmp.dmp.5.dr
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.2413692110.00000000012F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdbegSvcs.pdbpdbvcs.pdbv4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.2413692110.00000000012F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERF262.tmp.dmp.5.dr
Source:	Binary string: HP,o0C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.2413692110.00000000012F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdb source: WERF262.tmp.dmp.5.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERF262.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.2414039041.000000000152D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: @8o.pdb source: RegSvcs.exe, 00000002.00000002.2413692110.00000000012F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbc source: RegSvcs.exe, 00000002.00000002.2414039041.000000000152D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERF262.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.2414039041.000000000152D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\RegSvcs.pdbD4u>98 source: RegSvcs.exe, 00000002.00000002.2414039041.000000000152D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: RegSvcs.exe, 00000002.00000002.2414039041.000000000152D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdbX source: RegSvcs.exe, 00000002.00000002.2414039041.000000000152D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb@yQ source: WERF262.tmp.dmp.5.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERF262.tmp.dmp.5.dr
Source:	Binary string: System.Windows.Forms.pdb@ source: WERF262.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\exe\RegSvcs.pdbm source: RegSvcs.exe, 00000002.00000002.2414039041.000000000152D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb` source: WERF262.tmp.dmp.5.dr
Source:	Binary string: System.Xml.ni.pdb source: WERF262.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdbRSDS source: WERF262.tmp.dmp.5.dr
Source:	Binary string: ?8oC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdbt source: RegSvcs.exe, 00000002.00000002.2413692110.00000000012F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: conferma..exe, 00000000.00000003.2303671981.00000000041D0000.00000004.00001000.00020000.00000000.sdmp, conferma..exe, 00000000.00000003.2304933431.0000000004030000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WERF262.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegSvcs.exe, 00000002.00000002.2414039041.000000000152D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERF262.tmp.dmp.5.dr
Source:	Binary string: System.Configuration.pdb source: WERF262.tmp.dmp.5.dr
Source:	Binary string: symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.2413692110.00000000012F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WERF262.tmp.dmp.5.dr
Source:	Binary string: System.pdb source: WERF262.tmp.dmp.5.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERF262.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdbd4 source: RegSvcs.exe, 00000002.00000002.2414039041.000000000152D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WERF262.tmp.dmp.5.dr
Source:	Binary string: System.Configuration.pdbMZ source: WERF262.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RegSvcs.exe, 00000002.00000002.2414039041.000000000152D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WERF262.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdb source: WERF262.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERF262.tmp.dmp.5.dr
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb. source: RegSvcs.exe, 00000002.00000002.2414039041.000000000152D000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C8445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00C8445A
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C8C6D1 FindFirstFileW,FindClose,	0_2_00C8C6D1
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C8C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00C8C75C
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C8EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C8EF95
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C8F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C8F0F2
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C8F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C8F3F3
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C837EF
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C83B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C83B12
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C8BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C8BCBC

Source: Joe Sandbox View

IP Address: 132.226.8.169 132.226.8.169

Source: unknown

DNS query: name: checkip.dyndns.org

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\conferma..exe

Code function: 0_2_00C922EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00C922EE

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: checkip.dyndns.org

Source: RegSvcs.exe, 00000002.00000002.2414581560.00000000033F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000002.00000002.2414581560.00000000033F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2414581560.00000000033E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.2414581560.0000000003371000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: conferma..exe, 00000000.00000002.2306887297.0000000001790000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2413595132.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.2414581560.0000000003371000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: conferma..exe, 00000000.00000002.2306887297.0000000001790000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2413595132.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: conferma..exe, 00000000.00000002.2306887297.0000000001790000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2413595132.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.conferma..exe.1790000.1.raw.unpack, UltraSpeed.cs

.Net Code: VKCodeToUnicode

Source: C:\Users\user\Desktop\conferma..exe

Code function: 0_2_00C94164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00C94164

Source: C:\Users\user\Desktop\conferma..exe

Code function: 0_2_00C94164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00C94164

Source: C:\Users\user\Desktop\conferma..exe

Code function: 0_2_00C93F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00C93F66

Source: C:\Users\user\Desktop\conferma..exe

Code function: 0_2_00C8001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00C8001C

Source: C:\Users\user\Desktop\conferma..exe

Code function: 0_2_00CACABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00CACABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.conferma..exe.1790000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.conferma..exe.1790000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.conferma..exe.1790000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.conferma..exe.1790000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.2413595132.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2306887297.0000000001790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2306887297.0000000001790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: Process Memory Space: conferma..exe PID: 3796, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 6060, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\conferma..exe	Code function: This is a third-party compiled AutoIt script.	0_2_00C23B3A
Source: conferma..exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: conferma..exe, 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_cd52e5dc-f
Source: conferma..exe, 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_b36a9531-a
Source: conferma..exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f7542eec-d
Source: conferma..exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_63fdbcda-9

Source: C:\Users\user\Desktop\conferma..exe

Code function: 0_2_00C8A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00C8A1EF

Source: C:\Users\user\Desktop\conferma..exe

Code function: 0_2_00C78310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00C78310

Source: C:\Users\user\Desktop\conferma..exe

Code function: 0_2_00C851BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00C851BD

Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C2E6A0	0_2_00C2E6A0
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C4D975	0_2_00C4D975
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C2FCE0	0_2_00C2FCE0
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C421C5	0_2_00C421C5
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C562D2	0_2_00C562D2
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00CA03DA	0_2_00CA03DA
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C5242E	0_2_00C5242E
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C425FA	0_2_00C425FA
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C366E1	0_2_00C366E1
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C7E616	0_2_00C7E616
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C5878F	0_2_00C5878F
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C88889	0_2_00C88889
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C56844	0_2_00C56844
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00CA0857	0_2_00CA0857
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C38808	0_2_00C38808
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C4CB21	0_2_00C4CB21
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C56DB6	0_2_00C56DB6
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C36F9E	0_2_00C36F9E
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C33030	0_2_00C33030
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C4F1D9	0_2_00C4F1D9
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C43187	0_2_00C43187
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C21287	0_2_00C21287
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C41484	0_2_00C41484
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C35520	0_2_00C35520
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C47696	0_2_00C47696
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C35760	0_2_00C35760
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C41978	0_2_00C41978
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C59AB5	0_2_00C59AB5
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00CA7DDB	0_2_00CA7DDB
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C41D90	0_2_00C41D90
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C4BDA6	0_2_00C4BDA6
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C33FE0	0_2_00C33FE0
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C2DF00	0_2_00C2DF00
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_01878200	0_2_01878200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_014E19B8	2_2_014E19B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_014E2DD1	2_2_014E2DD1

Source: C:\Users\user\Desktop\conferma..exe	Code function: String function: 00C48900 appears 42 times
Source: C:\Users\user\Desktop\conferma..exe	Code function: String function: 00C27DE1 appears 35 times
Source: C:\Users\user\Desktop\conferma..exe	Code function: String function: 00C40AE3 appears 70 times

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6060 -s 1476

Source: conferma..exe, 00000000.00000003.2305981491.00000000042FD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs conferma..exe
Source: conferma..exe, 00000000.00000003.2303518926.0000000004153000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs conferma..exe
Source: conferma..exe, 00000000.00000002.2306887297.0000000001790000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs conferma..exe

Source: conferma..exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.conferma..exe.1790000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.conferma..exe.1790000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.conferma..exe.1790000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.conferma..exe.1790000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.2413595132.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2306887297.0000000001790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2306887297.0000000001790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: conferma..exe PID: 3796, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 6060, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 0.2.conferma..exe.1790000.1.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.conferma..exe.1790000.1.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/7@1/1

Source: C:\Users\user\Desktop\conferma..exe

Code function: 0_2_00C8A06A GetLastError,FormatMessageW,

0_2_00C8A06A

Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C781CB AdjustTokenPrivileges,CloseHandle,		0_2_00C781CB
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C787E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00C787E1

Source: C:\Users\user\Desktop\conferma..exe

Code function: 0_2_00C8B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00C8B3FB

Source: C:\Users\user\Desktop\conferma..exe

Code function: 0_2_00C9EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00C9EE0D

Source: C:\Users\user\Desktop\conferma..exe

Code function: 0_2_00C8C397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00C8C397

Source: C:\Users\user\Desktop\conferma..exe

Code function: 0_2_00C24E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00C24E89

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6060

Source: C:\Users\user\Desktop\conferma..exe

File created: C:\Users\user\AppData\Local\Temp\autD43B.tmp

Jump to behavior

Source: conferma..exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\conferma..exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: conferma..exe

ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Users\user\Desktop\conferma..exe "C:\Users\user\Desktop\conferma..exe"
Source: C:\Users\user\Desktop\conferma..exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\conferma..exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6060 -s 1476
Source: C:\Users\user\Desktop\conferma..exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\conferma..exe"	Jump to behavior

Source: C:\Users\user\Desktop\conferma..exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\conferma..exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\conferma..exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\conferma..exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\conferma..exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\conferma..exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\conferma..exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\conferma..exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\conferma..exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\conferma..exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\conferma..exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: conferma..exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: conferma..exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: conferma..exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: conferma..exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: conferma..exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: conferma..exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: conferma..exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: $$.pdb source: RegSvcs.exe, 00000002.00000002.2413692110.00000000012F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdbr source: RegSvcs.exe, 00000002.00000002.2413692110.00000000012F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbr=$? source: RegSvcs.exe, 00000002.00000002.2414039041.000000000152D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\RegSvcs.pdbpdbvcs.pdb source: RegSvcs.exe, 00000002.00000002.2414039041.000000000152D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000002.00000002.2413692110.00000000012F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdbl source: RegSvcs.exe, 00000002.00000002.2414039041.000000000152D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: conferma..exe, 00000000.00000003.2303671981.00000000041D0000.00000004.00001000.00020000.00000000.sdmp, conferma..exe, 00000000.00000003.2304933431.0000000004030000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdbs source: RegSvcs.exe, 00000002.00000002.2414039041.000000000152D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdbd source: WERF262.tmp.dmp.5.dr
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.2413692110.00000000012F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdbegSvcs.pdbpdbvcs.pdbv4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.2413692110.00000000012F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERF262.tmp.dmp.5.dr
Source:	Binary string: HP,o0C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.2413692110.00000000012F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdb source: WERF262.tmp.dmp.5.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERF262.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.2414039041.000000000152D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: @8o.pdb source: RegSvcs.exe, 00000002.00000002.2413692110.00000000012F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbc source: RegSvcs.exe, 00000002.00000002.2414039041.000000000152D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERF262.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.2414039041.000000000152D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\RegSvcs.pdbD4u>98 source: RegSvcs.exe, 00000002.00000002.2414039041.000000000152D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: RegSvcs.exe, 00000002.00000002.2414039041.000000000152D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdbX source: RegSvcs.exe, 00000002.00000002.2414039041.000000000152D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb@yQ source: WERF262.tmp.dmp.5.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERF262.tmp.dmp.5.dr
Source:	Binary string: System.Windows.Forms.pdb@ source: WERF262.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\exe\RegSvcs.pdbm source: RegSvcs.exe, 00000002.00000002.2414039041.000000000152D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb` source: WERF262.tmp.dmp.5.dr
Source:	Binary string: System.Xml.ni.pdb source: WERF262.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdbRSDS source: WERF262.tmp.dmp.5.dr
Source:	Binary string: ?8oC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdbt source: RegSvcs.exe, 00000002.00000002.2413692110.00000000012F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: conferma..exe, 00000000.00000003.2303671981.00000000041D0000.00000004.00001000.00020000.00000000.sdmp, conferma..exe, 00000000.00000003.2304933431.0000000004030000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WERF262.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegSvcs.exe, 00000002.00000002.2414039041.000000000152D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERF262.tmp.dmp.5.dr
Source:	Binary string: System.Configuration.pdb source: WERF262.tmp.dmp.5.dr
Source:	Binary string: symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.2413692110.00000000012F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WERF262.tmp.dmp.5.dr
Source:	Binary string: System.pdb source: WERF262.tmp.dmp.5.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERF262.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdbd4 source: RegSvcs.exe, 00000002.00000002.2414039041.000000000152D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WERF262.tmp.dmp.5.dr
Source:	Binary string: System.Configuration.pdbMZ source: WERF262.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RegSvcs.exe, 00000002.00000002.2414039041.000000000152D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WERF262.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdb source: WERF262.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERF262.tmp.dmp.5.dr
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb. source: RegSvcs.exe, 00000002.00000002.2414039041.000000000152D000.00000004.00000020.00020000.00000000.sdmp

Source: conferma..exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: conferma..exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: conferma..exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: conferma..exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: conferma..exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\conferma..exe

Code function: 0_2_00C24B37 LoadLibraryA,GetProcAddress,

0_2_00C24B37

Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C70080 push eax; ret	0_2_00C70082
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C7007C push eax; ret	0_2_00C7007E
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C70079 push eax; ret	0_2_00C7007A
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C48945 push ecx; ret	0_2_00C48958
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C352AC push edx; ret	0_2_00C352D6
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C353E4 push edx; ret	0_2_00C353EA
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C353ED push edx; ret	0_2_00C353EE
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C35373 push ecx; ret	0_2_00C3538A
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C31692 push ss; ret	0_2_00C3169C

Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00C248D7
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00CA5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00CA5376

Source: C:\Users\user\Desktop\conferma..exe

Code function: 0_2_00C43187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00C43187

Source: C:\Users\user\Desktop\conferma..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conferma..exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\conferma..exe

API/Special instruction interceptor: Address: 1877E24

Source: C:\Users\user\Desktop\conferma..exe

API coverage: 4.6 %

Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C8445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00C8445A
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C8C6D1 FindFirstFileW,FindClose,	0_2_00C8C6D1
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C8C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00C8C75C
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C8EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C8EF95
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C8F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C8F0F2
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C8F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C8F3F3
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C837EF
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C83B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C83B12
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C8BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C8BCBC

Source: C:\Users\user\Desktop\conferma..exe

Code function: 0_2_00C249A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C249A0

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RegSvcs.exe, 00000002.00000002.2414039041.000000000152D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: conferma..exe, 00000000.00000003.2267492049.0000000001804000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareworkstation.exe
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\conferma..exe

Code function: 0_2_00C93F09 BlockInput,

0_2_00C93F09

Source: C:\Users\user\Desktop\conferma..exe

Code function: 0_2_00C23B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00C23B3A

Source: C:\Users\user\Desktop\conferma..exe

Code function: 0_2_00C55A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00C55A7C

Source: C:\Users\user\Desktop\conferma..exe

Code function: 0_2_00C24B37 LoadLibraryA,GetProcAddress,

0_2_00C24B37

Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_01878090 mov eax, dword ptr fs:[00000030h]	0_2_01878090
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_018780F0 mov eax, dword ptr fs:[00000030h]	0_2_018780F0
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_01876A60 mov eax, dword ptr fs:[00000030h]	0_2_01876A60

Source: C:\Users\user\Desktop\conferma..exe

Code function: 0_2_00C780A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_00C780A9

Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C4A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00C4A155
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C4A124 SetUnhandledExceptionFilter,		0_2_00C4A124

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.conferma..exe.1790000.1.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.conferma..exe.1790000.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.conferma..exe.1790000.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\conferma..exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\conferma..exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1125008

Jump to behavior

Source: C:\Users\user\Desktop\conferma..exe

Code function: 0_2_00C787B1 LogonUserW,

0_2_00C787B1

Source: C:\Users\user\Desktop\conferma..exe

Code function: 0_2_00C23B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00C23B3A

Source: C:\Users\user\Desktop\conferma..exe

Code function: 0_2_00C248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00C248D7

Source: C:\Users\user\Desktop\conferma..exe

Code function: 0_2_00C84C53 mouse_event,

0_2_00C84C53

Source: C:\Users\user\Desktop\conferma..exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\conferma..exe"

Jump to behavior

Source: C:\Users\user\Desktop\conferma..exe

Code function: 0_2_00C77CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00C77CAF

Source: C:\Users\user\Desktop\conferma..exe

Code function: 0_2_00C7874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00C7874B

Source: conferma..exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: conferma..exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\conferma..exe

Code function: 0_2_00C4862B cpuid

0_2_00C4862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\conferma..exe

Code function: 0_2_00C54E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00C54E87

Source: C:\Users\user\Desktop\conferma..exe

Code function: 0_2_00C61E06 GetUserNameW,

0_2_00C61E06

Source: C:\Users\user\Desktop\conferma..exe

Code function: 0_2_00C53F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00C53F3A

Source: C:\Users\user\Desktop\conferma..exe

Code function: 0_2_00C249A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C249A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.conferma..exe.1790000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.conferma..exe.1790000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2413595132.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2306887297.0000000001790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: conferma..exe PID: 3796, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6060, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.conferma..exe.1790000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.conferma..exe.1790000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2413595132.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2306887297.0000000001790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: conferma..exe PID: 3796, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6060, type: MEMORYSTR

Source: conferma..exe	Binary or memory string: WIN_81
Source: conferma..exe	Binary or memory string: WIN_XP
Source: conferma..exe	Binary or memory string: WIN_XPe
Source: conferma..exe	Binary or memory string: WIN_VISTA
Source: conferma..exe	Binary or memory string: WIN_7
Source: conferma..exe	Binary or memory string: WIN_8
Source: conferma..exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 0.2.conferma..exe.1790000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.conferma..exe.1790000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2413595132.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2306887297.0000000001790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: conferma..exe PID: 3796, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6060, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.conferma..exe.1790000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.conferma..exe.1790000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2413595132.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2306887297.0000000001790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: conferma..exe PID: 3796, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6060, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.conferma..exe.1790000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.conferma..exe.1790000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2413595132.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2306887297.0000000001790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: conferma..exe PID: 3796, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6060, type: MEMORYSTR

Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C96283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00C96283
Source: C:\Users\user\Desktop\conferma..exe	Code function: 0_2_00C96747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00C96747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	11 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	121 Input Capture	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	121 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	126 System Information Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	151 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
conferma..exe	55%	ReversingLabs	Win32.Trojan.AutoitInject
conferma..exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://upx.sf.net	Amcache.hve.5.dr	false	high
http://checkip.dyndns.org	RegSvcs.exe, 00000002.00000002.2414581560.00000000033F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2414581560.00000000033E4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RegSvcs.exe, 00000002.00000002.2414581560.00000000033F1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.2414581560.0000000003371000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	conferma..exe, 00000000.00000002.2306887297.0000000001790000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2413595132.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	conferma..exe, 00000000.00000002.2306887297.0000000001790000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2413595132.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	conferma..exe, 00000000.00000002.2306887297.0000000001790000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2413595132.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States		16989	UTMEMUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1576067
Start date and time:	2024-12-16 14:06:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	conferma..exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/7@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 54 Number of non-executed functions: 270
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173, 13.107.246.63, 40.126.53.15, 4.175.87.197
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, client.wns.windows.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 6060 because it is empty
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: conferma..exe

Simulations

Behavior and APIs

Time	Type	Description
08:07:33	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	file.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	41570002689_20220814_05352297_HesapOzeti.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	malware.ps1	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Shipping Documents.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	QUOTES REQUEST FOR PRICES.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Bank Swift and SOA PVRN0072700314080353_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	file.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	ST07933.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0035.t-0009.t-msedge.net	EXCqTnY5mh.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	nB52P46OJD.exe	Get hash	malicious	Vidar	Browse	13.107.246.63
	Oz2UhFBTHy.exe	Get hash	malicious	Socks5Systemz	Browse	13.107.246.63
	tWKuskUD7s.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	download.ps1	Get hash	malicious	Unknown	Browse	13.107.246.63
	msimg32.dll	Get hash	malicious	RHADAMANTHYS	Browse	13.107.246.63
	https://e.gsclinks.net/go/texastribuneorgevents.buzz/7xkxr9yg/dXJsPWh0dHBzJTNBJTJGJTJGdGV4YXN0cmlidW5lb3JnZXZlbnRzLmJ1enolMkYlM0Z0dWV0c3ZibiZsYWJlbD1FWFBMT1JFK09CSkVDVFM=	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	4JQ3DknDmR.exe	Get hash	malicious	RHADAMANTHYS	Browse	13.107.246.63
	8569FUNo1b.exe	Get hash	malicious	RHADAMANTHYS	Browse	13.107.246.63
	TEqX8vWilW.exe	Get hash	malicious	RHADAMANTHYS	Browse	13.107.246.63
checkip.dyndns.com	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe	Get hash	malicious	GuLoader	Browse	158.101.44.242
	SWIFT091816-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
	SWIFT09181-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0
	file.exe	Get hash	malicious	Amadey, AsyncRAT, HVNC, LummaC Stealer, RedLine, Stealc	Browse	193.122.130.0
	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	file.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UTMEMUS	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	file.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	41570002689_20220814_05352297_HesapOzeti.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	malware.ps1	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	Shipping Documents.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	QUOTES REQUEST FOR PRICES.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	Bank Swift and SOA PVRN0072700314080353_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	DEC 2024 RFQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegSvcs.exe_bfd87b7ea0584859ac8cca28a4eb33afabceb_91a5ebd2_42d4d99a-0729-44f7-96fd-9a69e014a27d\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0962656404636915
Encrypted:	false
SSDEEP:	192:xn3k8Q87OT0BU/Sa6ce36izuiFVZ24IO8G:hVQIOABU/SarVizuiFVY4IO8G
MD5:	38198C0F433E94B4A9CAD344FD2AC43F
SHA1:	47A16606BD05A32B5A23D51008C128AAF2B3FC0E
SHA-256:	604E00230969B5FB03587F09E61426FF169AE2205A282840B910552E2250268E
SHA-512:	E2A48CC336FACD0AA2D188E44EAF15F404957001AEC9988491AA794664F3D10DEADFCBE3760BA1D3FF11FCD11300B91C1361FBCEE68652684F3E91C6E6B2CDAC
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.8.2.8.0.4.6.7.4.3.8.4.6.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.8.2.8.0.4.8.0.7.1.9.7.7.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.2.d.4.d.9.9.a.-.0.7.2.9.-.4.4.f.7.-.9.6.f.d.-.9.a.6.9.e.0.1.4.a.2.7.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.c.9.0.e.4.d.8.-.4.c.e.c.-.4.4.4.0.-.a.1.b.6.-.b.c.2.4.7.b.7.5.0.c.9.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.e.g.S.v.c.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.e.g.S.v.c.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.a.c.-.0.0.0.1.-.0.0.1.5.-.9.e.4.e.-.e.8.7.1.b.b.4.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.1.9.6.9.7.7.1.b.2.f.0.2.2.f.9.a.8.6.d.7.7.a.c.4.d.4.d.2.3.9.b.e.c.d.f.0.8.d.0.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF262.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Dec 16 13:07:27 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	252102
Entropy (8bit):	3.8530330788167295
Encrypted:	false
SSDEEP:	3072:03Z9c0tx2DCGrc4uEq+ykKPLTghrw36ykX:03Z9jnGrc4TykmTgV
MD5:	32BF22EDC7EA89CB257C0767D4BD2E17
SHA1:	E0A907D17287642B23BE9A084E1136FDD7618B38
SHA-256:	9EAC18811BFD3A100762BAC46F428E287FEDEC87CE665A5999BDA0A32166A39A
SHA-512:	A9021E7877ED09D4C7DE4686EEFAD4541EBBB0F0D287681B5BB72CD84B8F1140F8991DB16BE6E5BDDE3FB4982C214B12540E20EA740D02FC68928A337EFD06BE
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........&`g....................................<....#......t$.."M..........`.......8...........T............:...............#...........%..............................................................................eJ......P&......GenuineIntel............T............&`g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF61C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8276
Entropy (8bit):	3.696593916494547
Encrypted:	false
SSDEEP:	192:R6l7wVeJkG6Y6YZP6SsgmfQ40yprQ89b5kUsfvDym:R6lXJl6Y6YR6pgmfQ40q5kHfLj
MD5:	8548F9540312062D1BE87E778D8D50A2
SHA1:	011444679EC51905ADCC9CC17C1B3D02FEB9A466
SHA-256:	914A63FA17AAC9DB95F2EB3B5A4AFB036048321A6F6CADC886C3833162854F1D
SHA-512:	F6E374184E34083E0C8CD6CADB84DC8C893BEDC00F3D7F54E662E20E6E39B84DEBA72CE32F583062E70E539DA72FA884F0F41B27A88DA315F18611E88A06277C
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.0.6.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF66B.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4651
Entropy (8bit):	4.4741964115320485
Encrypted:	false
SSDEEP:	48:cvIwWl8zszJg77aI9d6WpW8VY4Ym8M4JVjFn7n+q8YemDIeJd:uIjfNI7n77V8JbnomDIUd
MD5:	3E4F37142DFC914385DF994243354B8A
SHA1:	FAAD994D31CD29EF137159DB46F2B7811B68CDAC
SHA-256:	7C79DEFB5876C107508F22C2D5606E82F68DB37AA4F3A80E649BE53BA6BABAC4
SHA-512:	85E09A0845845EFB16AD4E732A41335A19F51135974AF1A70EC60EA08EA0C3590EF05EC190319A002F41907854856E0D718B928706FAEBEEDC33A28452C2612C
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="633850" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\autD43B.tmp

Download File

Process:	C:\Users\user\Desktop\conferma..exe
File Type:	data
Category:	dropped
Size (bytes):	60348
Entropy (8bit):	7.771598876519704
Encrypted:	false
SSDEEP:	1536:S+/9Q/NFwZV+btACGQz59T1M7HBBOuXmgO4BAcDT7Ij6MK:SU9Q/bC0Gc9eNcmBLI4
MD5:	51C1FEA145F63B44354389140AA68B38
SHA1:	0D1502B50AA9408E47C9CEDDBDA296E34F64A62F
SHA-256:	1E3A67405933CC1B1EF5455C0D02A2A1D8013A8041B5717F07DA23D6255B8F97
SHA-512:	2ACA2D386CA9323E5D39DDCDFC554410D75982EDBD1C95DAFE85030919C134027692E561F7E3A07614BB4BDFA89D9F3BE8BD5B3AA33322BC873B5EC05127CCFF
Malicious:	false
Reputation:	low
Preview:	EA06..n..D:.).B.6.R......9...)......)U...b.!........'._.2g.~.?,..q..k..4.?.Q'2{$.W>....$.'".V/.9U....Fk.Y..;].O/.......+.F.6..&?...t..Y.N...R.......".J.\...U..@.......Y..@$3\.......Pb.P..&4...g@..j..U....0...ytz...A.QiX....... .P....@P..;P.. @...O.3)...%..X....]E...=j.Vk1...aP..3...... S.........(.k..C&...3...... ).......B................\..p.j.o.G.V....B.?....,X..........+....1K.Pf.j\|...T.............+.....4. .\.@......... W......e.uvgP../.5.....l...J.G.v)tJU:G{..h.j..C...TJ...@NlT).k.2.R...x.....S{.vm[.T........Q..:..G^.Q6..fw...S...!X....fE..Q..:...`.Nj.".f..@I).,...J.Wb`....A.M..UR.9..'.`..;X.Y....f{..[,..0..a.X-..t.cN..5kmR.8.Q.R..Z.J.Q#.j<.b.R.Uj.N.J.S......D.P..=.....L..x.:.D.R... ..g.Q....D..6..A.\#tJU2.s..f.Z..k.. "..G.R..nmZ.6.S&.JUB....@@..mX.Q,.....1.P(Q...m^.[ ...~s..Q.SZ...X.P.V(Efs7.[......@.\...E....M.T......f.....`.R'.`..#U..".+..J.R....F...Fo.J.............@P.5&o...).)..G.\..JF.L..i.J.:..`R'Q....d..&4i....a).-...F...).b.l...

C:\Users\user\AppData\Local\Temp\drawlingly

Download File

Process:	C:\Users\user\Desktop\conferma..exe
File Type:	data
Category:	dropped
Size (bytes):	93696
Entropy (8bit):	6.752551525554862
Encrypted:	false
SSDEEP:	1536:2ClPt2urZ4SDUEGNtgG5/8Gq8+GKM2Gpa3GHdQGaUqGiYWG6X6MESCQXE1Wfs2bY:PPZ43j5//DRVnrlMElQXPsZSDAjN
MD5:	2D18E643A1ED55FE4DBC44E5D3D31CE2
SHA1:	05B61F2A56F86C15CDEE6B5E6709AD309A9C0CE8
SHA-256:	8577CBECA89459631BDA712D038A3F4A56CC80265C1E58C7EEC6F9C2CCF30877
SHA-512:	23AE52F02A7946E02B5EE14D38DE0E8EE60FD52D6A7CC6632F17C45E198C00EA312A73FE4EB47EA03D73FC7F5B379F70215F6E7E10ABAB488123981E133D31AC
Malicious:	false
Reputation:	low
Preview:	\|..B0PG6\JDJ..Y9.JFB3PG6.JDJJPY91JFB3PG6XJDJJPY91JFB3PG6XJDJ.PY9?U.L3.N.y.E..q.QX9f2A? D9'd)+>7VEj$'."2Xx#j....\%"'.]J<\|JDJJPY9a.FB.QD6.p1.JPY91JFB.PE7SK.JJ4X91BFB3PG6V.EJJpY91.GB3P.6XjDJJRY95JFB3PG6\JDJJPY91.GB3RG6XJDJHP..1JVB3@G6XJTJJ@Y91JFB#PG6XJDJJPY9..GBxPG6X.EJ.UY91JFB3PG6XJDJJPY91.GB?PG6XJDJJPY91JFB3PG6XJDJJPY91JFB3PG6XJDJJPY91JFB3PG6XjDJBPY91JFB3PG6PjDJ.PY91JFB3PG6v>!2>PY9%(GB3pG6X.EJJRY91JFB3PG6XJDJjPYY.850PPG6.ODJJ.X91LFB36F6XJDJJPY91JFBsPGvv8!&%3Y9=JFB3.F6XHDJJ<X91JFB3PG6XJDJ.PY{1JFB3PG6XJDJJPY9..GB3PG6.JDJHP\9).FB..G6[JDJ.PY?Q.FB.PG6XJDJJPY91JFB3PG6XJDJJPY91JFB3PG6XJDJJPY9.7.M.._+.JJPY91KDA7VO>XJDJJPY9OJFBuPG6.JDJ}PY9.JFB^PG6\|JDJ4PY9OJFBWPG6JDJ+PY9vJFB\PG66JDJ4PY9/Hn]3PM.~JFbjPY31`.1.PG<.KDJN#{91@.@3PCE{JD@.SY959bB3Z.2XJ@9oPY3.OFB7z.6[.RLJPBV.JFH3S.#^JDQ`vY;.sFB9Pm.XI._LPY".hF@.YG6\`.9WPY?..FB9$N6XH.@JP]./Hn.3PM.z4WJJTr9.h8V3PC.X`f4_PY=.Jl`MFG6\aD`h.N91NmB.VmTX8.FJ ZVPJFD..G6Rb.JJVY..J8L3PC47.DJ@vs.1b.B3VG..JDLJx.91LFjgPG0Xb.JJVY..Jn.3PA6p.DJLPs.14uB3Tk1&yDJN{OG.JFF.V?6

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.469479133840942
Encrypted:	false
SSDEEP:	6144:2zZfpi6ceLPx9skLmb0f/ZWSP3aJG8nAgeiJRMMhA2zX4WABluuNLjDH5S:YZHt/ZWOKnMM6bFppj4
MD5:	457DF684BE8975C0C6396E0FEC9CF979
SHA1:	D2E4806CFDB79305B893103025EFDC7E94A8C7CF
SHA-256:	992004447C886FE6AB20C0FE55A6828A4083B27387542F8E011C8BA6A5EC93F6
SHA-512:	CD3D94147829202C7CC896945021EC657945D4B9DD6BEE2E1B403A06AF63A5E13A32DE0157FC92E41EB8F7EF50D2D9830DB23AEA3AB76B465D98B4F1C471EF31
Malicious:	false
Reputation:	low
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.Kt.O................................................................................................................................................................................................................................................................................................................................................]@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.882674665823283
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	conferma..exe
File size:	977'920 bytes
MD5:	4ba36c8f38d57ff73fc040d86b077541
SHA1:	493543048b0fabbe6d63309d27ca5cd8eb3b59c0
SHA256:	61759e8ee0c4d6c2f00f86c40a00d44ccf92cd5489511c1975e2b0c4fbedd61f
SHA512:	cefc88ed3b6fd17f42400fb4d7ae7493eb2de2bb9ed624265a5a9bcb9871268b227449d9edc7ee31464a2c91b425de1aa107a73c66da5971c8eb9af9832d3a37
SSDEEP:	24576:Ru6J33O0c+JY5UZ+XC0kGso6Fa/RfX++qaOuWY:Du0c++OCvkGs9Fa/RP++FmY
TLSH:	D025BE2273DDC360CB669173BF69B7016EBF7C650630B85B2F881D79A960171162C7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	0b1888c999ad811f

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6756BDE9 [Mon Dec 9 09:52:41 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F3800EE70EAh
jmp 00007F3800ED9EB4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F3800EDA03Ah
cmp edi, eax
jc 00007F3800EDA39Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F3800EDA039h
rep movsb
jmp 00007F3800EDA34Ch
cmp ecx, 00000080h
jc 00007F3800EDA204h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F3800EDA040h
bt dword ptr [004BE324h], 01h
jc 00007F3800EDA510h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F3800EDA1DDh
test edi, 00000003h
jne 00007F3800EDA1EEh
test esi, 00000003h
jne 00007F3800EDA1CDh
bt edi, 02h
jnc 00007F3800EDA03Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F3800EDA043h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F3800EDA095h
bt esi, 03h
jnc 00007F3800EDA0E8h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x26248	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xee000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x26248	0x26400	9716bf71211616e2ea385f10418ec484	False	0.8667917687908496	data	7.692722036972697	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xee000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc7458	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc7580	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc76a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc77d0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 60472 x 60472 px/m	English	Great Britain	0.2639348134152102
RT_MENU	0xcb9f8	0x50	data	English	Great Britain	0.9
RT_STRING	0xcba48	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcbfdc	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcc668	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xccaf8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcd0f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcd750	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcdbb8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcdd10	0x1f019	data			1.0003622018724263
RT_GROUP_ICON	0xecd2c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xecd40	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xecd54	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xecd68	0x14	data	English	Great Britain	1.25
RT_VERSION	0xecd7c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xece58	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2024 14:07:24.072304964 CET	49731	80	192.168.2.6	132.226.8.169
Dec 16, 2024 14:07:24.192419052 CET	80	49731	132.226.8.169	192.168.2.6
Dec 16, 2024 14:07:24.192565918 CET	49731	80	192.168.2.6	132.226.8.169
Dec 16, 2024 14:07:24.192971945 CET	49731	80	192.168.2.6	132.226.8.169
Dec 16, 2024 14:07:24.312772036 CET	80	49731	132.226.8.169	192.168.2.6
Dec 16, 2024 14:07:26.862634897 CET	80	49731	132.226.8.169	192.168.2.6
Dec 16, 2024 14:07:26.916373014 CET	49731	80	192.168.2.6	132.226.8.169
Dec 16, 2024 14:07:34.621669054 CET	49731	80	192.168.2.6	132.226.8.169

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2024 14:07:23.920064926 CET	59350	53	192.168.2.6	1.1.1.1
Dec 16, 2024 14:07:24.060184002 CET	53	59350	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 16, 2024 14:07:23.920064926 CET	192.168.2.6	1.1.1.1	0xba80	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 16, 2024 14:07:15.380491018 CET	1.1.1.1	192.168.2.6	0xd0ad	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 16, 2024 14:07:15.380491018 CET	1.1.1.1	192.168.2.6	0xd0ad	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:07:24.060184002 CET	1.1.1.1	192.168.2.6	0xba80	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 16, 2024 14:07:24.060184002 CET	1.1.1.1	192.168.2.6	0xba80	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:07:24.060184002 CET	1.1.1.1	192.168.2.6	0xba80	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:07:24.060184002 CET	1.1.1.1	192.168.2.6	0xba80	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:07:24.060184002 CET	1.1.1.1	192.168.2.6	0xba80	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:07:24.060184002 CET	1.1.1.1	192.168.2.6	0xba80	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49731	132.226.8.169	80	6060	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:07:24.192971945 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 16, 2024 14:07:26.862634897 CET	682	IN	HTTP/1.1 502 Bad Gateway Date: Mon, 16 Dec 2024 13:07:26 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Target ID:	0
Start time:	08:07:18
Start date:	16/12/2024
Path:	C:\Users\user\Desktop\conferma..exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\conferma..exe"
Imagebase:	0xc20000
File size:	977'920 bytes
MD5 hash:	4BA36C8F38D57FF73FC040D86B077541
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.2306887297.0000000001790000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2306887297.0000000001790000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2306887297.0000000001790000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2306887297.0000000001790000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000000.00000002.2306887297.0000000001790000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:07:22
Start date:	16/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\conferma..exe"
Imagebase:	0xec0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.2413595132.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2413595132.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2413595132.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2413595132.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:07:26
Start date:	16/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6060 -s 1476
Imagebase:	0xa00000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	7.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	182

Executed Functions

Function 00C23B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C23B68
IsDebuggerPresent.KERNEL32 ref: 00C23B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,00CE52F8,00CE52E0,?,?), ref: 00C23BEB

Part of subcall function 00C27BCC: _memmove.LIBCMT ref: 00C27C06

Part of subcall function 00C3092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00C23C14,00CE52F8,?,?,?), ref: 00C3096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00C23C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00CD7770,00000010), ref: 00C5D281
SetCurrentDirectoryW.KERNEL32(?,00CE52F8,?,?,?), ref: 00C5D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00CD4260,00CE52F8,?,?,?), ref: 00C5D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 00C5D346

Part of subcall function 00C23A46: GetSysColorBrush.USER32(0000000F), ref: 00C23A50
Part of subcall function 00C23A46: LoadCursorW.USER32(00000000,00007F00), ref: 00C23A5F
Part of subcall function 00C23A46: LoadIconW.USER32(00000063), ref: 00C23A76
Part of subcall function 00C23A46: LoadIconW.USER32(000000A4), ref: 00C23A88
Part of subcall function 00C23A46: LoadIconW.USER32(000000A2), ref: 00C23A9A
Part of subcall function 00C23A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C23AC0
Part of subcall function 00C23A46: RegisterClassExW.USER32(?), ref: 00C23B16

Part of subcall function 00C239D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C23A03
Part of subcall function 00C239D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C23A24
Part of subcall function 00C239D5: ShowWindow.USER32(00000000,?,?), ref: 00C23A38
Part of subcall function 00C239D5: ShowWindow.USER32(00000000,?,?), ref: 00C23A41

Part of subcall function 00C2434A: _memset.LIBCMT ref: 00C24370
Part of subcall function 00C2434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C24415

Strings

runas, xrefs: 00C5D33A
This is a third-party compiled AutoIt script., xrefs: 00C5D279

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 439caf6facab213b7632f2d73e346b750c009d8d4cb5cdbffe28bdbb6d8920bc
Instruction ID: 7fbdac2b7f1931abdb904d18f844d6c8c9d6587f818b0037d11afe182c9608c6
Opcode Fuzzy Hash: 439caf6facab213b7632f2d73e346b750c009d8d4cb5cdbffe28bdbb6d8920bc
Instruction Fuzzy Hash: A0511870E08298AECF11EBF5FC85FED7B78AF45744F004269F622A7161DA744A46DB20

Function 00C249A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00C249CD

Part of subcall function 00C27BCC: _memmove.LIBCMT ref: 00C27C06

GetCurrentProcess.KERNEL32(?,00CAFAEC,00000000,00000000,?), ref: 00C24A9A
IsWow64Process.KERNEL32(00000000), ref: 00C24AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00C24AE7
FreeLibrary.KERNEL32(00000000), ref: 00C24AF2
GetSystemInfo.KERNEL32(00000000), ref: 00C24B23
GetSystemInfo.KERNEL32(00000000), ref: 00C24B2F

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 22fa4d171cd21e9cd44811e9032ae9d0be4a43e94f6591828f9b49a24387e810
Instruction ID: 825341f9f5504279ceb643e9fc40de40e811f22c870867fa00874043e003d957
Opcode Fuzzy Hash: 22fa4d171cd21e9cd44811e9032ae9d0be4a43e94f6591828f9b49a24387e810
Instruction Fuzzy Hash: 6091E431989BD0DFC735CB7894502AABFF5AF2A301B4449ADD0DB93A41D230AA4CD76D

Function 00C24E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00C24D8E,?,?,00000000,00000000), ref: 00C24E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00C24D8E,?,?,00000000,00000000), ref: 00C24EB0
LoadResource.KERNEL32(?,00000000,?,?,00C24D8E,?,?,00000000,00000000,?,?,?,?,?,?,00C24E2F), ref: 00C5D937
SizeofResource.KERNEL32(?,00000000,?,?,00C24D8E,?,?,00000000,00000000,?,?,?,?,?,?,00C24E2F), ref: 00C5D94C
LockResource.KERNEL32(00C24D8E,?,?,00C24D8E,?,?,00000000,00000000,?,?,?,?,?,?,00C24E2F,00000000), ref: 00C5D95F

Strings

SCRIPT, xrefs: 00C24EA6

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 04f6154b335f4f11aa1f2a750253071eec16e86ec872c059d9e428ffae49ebbb
Instruction ID: fd3f4bfff6556ddb5518fd2617d12a1ee821e2735e5ff3dfc7366a710589ecef
Opcode Fuzzy Hash: 04f6154b335f4f11aa1f2a750253071eec16e86ec872c059d9e428ffae49ebbb
Instruction Fuzzy Hash: 54115A75240701BFE7258BA5EC48F6BBBBAFBC6B15F20426CF41686650DB71EC018A60

Function 00C2FCE0 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 318b92a97757af887463739a22da8ea1e34d58803797669ee7f717d1e30c031a
Instruction ID: 8360d6d4f9fc88548f611c282751355dfda4bf7bcaa50372d3019f534bf0e6de
Opcode Fuzzy Hash: 318b92a97757af887463739a22da8ea1e34d58803797669ee7f717d1e30c031a
Instruction Fuzzy Hash: B29278716183418FD724DF25C490B2ABBE5BF89304F24892DF89A8B362D771ED45CB92

Function 00C8445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00C5E398), ref: 00C8446A
FindFirstFileW.KERNELBASE(?,?), ref: 00C8447B
FindClose.KERNEL32(00000000), ref: 00C8448B

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 7b26cd2ecd3adb3af32de3d48e59ab572508956c0ccf81126a262f61bbd9e76a
Instruction ID: 55807b0e2e372d035b663aef135409366f502fc0b9d473c89018ee6e616f7afc
Opcode Fuzzy Hash: 7b26cd2ecd3adb3af32de3d48e59ab572508956c0ccf81126a262f61bbd9e76a
Instruction Fuzzy Hash: E4E0D8324105116742147B78EC0D7ED7B9C9E4633DF100719F935C20E0E7B46D009699

Function 00C2E6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00C63E62

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 0c2563587e4fe312953cd678d9dbb1c50f06c484975177a228f9f53e70b2cfc2
Instruction ID: 04a8e7f637c9f65d506effdbfad78942096811a076f98e2571e623869264a914
Opcode Fuzzy Hash: 0c2563587e4fe312953cd678d9dbb1c50f06c484975177a228f9f53e70b2cfc2
Instruction Fuzzy Hash: 4EA2AF74A00229CFCB24CF99D4C0AAEB7B1FF59314F648069E915AB751D731EE82DB90

Function 00C309D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C30A5B
timeGetTime.WINMM ref: 00C30D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C30E53
Sleep.KERNEL32(0000000A), ref: 00C30E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00C30EFA
DestroyWindow.USER32 ref: 00C30F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C30F20
Sleep.KERNEL32(0000000A,?,?), ref: 00C64E83
TranslateMessage.USER32(?), ref: 00C65C60
DispatchMessageW.USER32(?), ref: 00C65C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C65C82

Strings

@GUI_CTRLHANDLE, xrefs: 00C64FE4
@TRAY_ID, xrefs: 00C6578F
@COM_EVENTOBJ, xrefs: 00C654F0
@GUI_WINHANDLE, xrefs: 00C64F8F
@GUI_CTRLID, xrefs: 00C64F3A

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: 5fea8a6364e0df0770cf61f756f558e5e326918fd9002828f5abeb08e36e2e62
Instruction ID: 48d4e2c3bb0906bcd7680bfd30c486d4b15866c4cda24951a6a78fa05e5c72a4
Opcode Fuzzy Hash: 5fea8a6364e0df0770cf61f756f558e5e326918fd9002828f5abeb08e36e2e62
Instruction Fuzzy Hash: C9B2DD71608741DFD738DF24C894BAEB7E0BF85304F24491DE59A8B2A1CB71E985DB82

Function 00C89155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C88F5F: __time64.LIBCMT ref: 00C88F69

Part of subcall function 00C24EE5: _fseek.LIBCMT ref: 00C24EFD

__wsplitpath.LIBCMT ref: 00C89234

Part of subcall function 00C440FB: __wsplitpath_helper.LIBCMT ref: 00C4413B

_wcscpy.LIBCMT ref: 00C89247
_wcscat.LIBCMT ref: 00C8925A
__wsplitpath.LIBCMT ref: 00C8927F
_wcscat.LIBCMT ref: 00C89295
_wcscat.LIBCMT ref: 00C892A8

Part of subcall function 00C88FA5: _memmove.LIBCMT ref: 00C88FDE
Part of subcall function 00C88FA5: _memmove.LIBCMT ref: 00C88FED

_wcscmp.LIBCMT ref: 00C891EF

Part of subcall function 00C89734: _wcscmp.LIBCMT ref: 00C89824
Part of subcall function 00C89734: _wcscmp.LIBCMT ref: 00C89837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00C89452
_wcsncpy.LIBCMT ref: 00C894C5
DeleteFileW.KERNEL32(?,?), ref: 00C894FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C89511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C89522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C89534

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 22166f71119a6e36921539ee43b26eab780e21989145f911bd74511ccaeb9091
Instruction ID: 7050ef92d26ead919da57eef5abdf9b734601c18be57ad38f2da73e25d3ca343
Opcode Fuzzy Hash: 22166f71119a6e36921539ee43b26eab780e21989145f911bd74511ccaeb9091
Instruction Fuzzy Hash: 61C15EB1D00129ABDF21EF95CC85AEEB7BCEF85314F0040AAF609E7151EB309A449F65

Function 00C2301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C23074
RegisterClassExW.USER32(00000030), ref: 00C2309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C230AF
InitCommonControlsEx.COMCTL32(?), ref: 00C230CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C230DC
LoadIconW.USER32(000000A9), ref: 00C230F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C23101

Strings

TaskbarCreated, xrefs: 00C230A4
0, xrefs: 00C23056
+, xrefs: 00C2305D
AutoIt v3 GUI, xrefs: 00C23090

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: e0c42f9d9102d5d5aeed12c814bc2d6dbca56c53f52b101456cc582bb440a7d0
Instruction ID: da2319a2ed14f631c1e7c84b44b4966ddec4f8982b4e3badb95903f066aa7ba6
Opcode Fuzzy Hash: e0c42f9d9102d5d5aeed12c814bc2d6dbca56c53f52b101456cc582bb440a7d0
Instruction Fuzzy Hash: 0B3107B1840359EFDB508FE4D889BDDBBF0FB0A318F10412AE580EA2A0D7B54586CF90

Function 00C23041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C23074
RegisterClassExW.USER32(00000030), ref: 00C2309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C230AF
InitCommonControlsEx.COMCTL32(?), ref: 00C230CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C230DC
LoadIconW.USER32(000000A9), ref: 00C230F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C23101

Strings

TaskbarCreated, xrefs: 00C230A4
0, xrefs: 00C23056
+, xrefs: 00C2305D
AutoIt v3 GUI, xrefs: 00C23090

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: d22585d15ac728ae695d2893bc5da48aa0c354f7fb2e952f5a4df25facec3f31
Instruction ID: 200d57ec7fbf9b4fcad532c01b9e683178e72307111b186fcb06fd0ab99d07b0
Opcode Fuzzy Hash: d22585d15ac728ae695d2893bc5da48aa0c354f7fb2e952f5a4df25facec3f31
Instruction Fuzzy Hash: E021C3B1D41258AFDB10DFE4E889B9DBBF4FB09708F00412AFA10EB2A0D7B145458F95

Function 00C2708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C24706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00CE52F8,?,00C237AE,?), ref: 00C24724

Part of subcall function 00C4050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00C27165), ref: 00C4052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00C271A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00C5E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00C5E909
RegCloseKey.ADVAPI32(?), ref: 00C5E947
_wcscat.LIBCMT ref: 00C5E9A0

Strings

\, xrefs: 00C5E9C3
\Include\, xrefs: 00C27165
Software\AutoIt v3\AutoIt, xrefs: 00C2719E
Include, xrefs: 00C5E8BF, 00C5E900

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: b15bd50f7dd05a9425e3fdf12aabd641df9d90994c4dea7b25d4b9d3e33fc87c
Instruction ID: 39d24cf9d07abbf635142e9f1b567d09555b92b463a582ae9893427d7045c4cd
Opcode Fuzzy Hash: b15bd50f7dd05a9425e3fdf12aabd641df9d90994c4dea7b25d4b9d3e33fc87c
Instruction Fuzzy Hash: F371BD715183519EC304EF65E881AAFBBE8FFA5390F40092EF545CB1A0DB309A48DB92

Function 00C23A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C23A50
LoadCursorW.USER32(00000000,00007F00), ref: 00C23A5F
LoadIconW.USER32(00000063), ref: 00C23A76
LoadIconW.USER32(000000A4), ref: 00C23A88
LoadIconW.USER32(000000A2), ref: 00C23A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C23AC0
RegisterClassExW.USER32(?), ref: 00C23B16

Part of subcall function 00C23041: GetSysColorBrush.USER32(0000000F), ref: 00C23074
Part of subcall function 00C23041: RegisterClassExW.USER32(00000030), ref: 00C2309E
Part of subcall function 00C23041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C230AF
Part of subcall function 00C23041: InitCommonControlsEx.COMCTL32(?), ref: 00C230CC
Part of subcall function 00C23041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C230DC
Part of subcall function 00C23041: LoadIconW.USER32(000000A9), ref: 00C230F2
Part of subcall function 00C23041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C23101

Strings

#, xrefs: 00C23AFB
AutoIt v3, xrefs: 00C23B05
0, xrefs: 00C23AF4

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 3d598a5a8f48fea3ccac662a6f7a52d8df550312b2abbf2f716827002c52f291
Instruction ID: 6fffb4c06c29ccbc237b1c506bedacda0a58c1ef868b31636c2672cf29023157
Opcode Fuzzy Hash: 3d598a5a8f48fea3ccac662a6f7a52d8df550312b2abbf2f716827002c52f291
Instruction Fuzzy Hash: A6211571D00358AFEB10DFA4EC89B9D7BB4FB08719F10012AF604AB2A1D7B55A519F94

Function 00C23633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00C236D2
KillTimer.USER32(?,00000001), ref: 00C236FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C2371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C2372A
CreatePopupMenu.USER32 ref: 00C2373E
PostQuitMessage.USER32(00000000), ref: 00C2374D

Strings

TaskbarCreated, xrefs: 00C23725

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: fd0cfa4af248a640a1abf2058f3ce9bd91bb1d7505349a5af61a32f07ef91932
Instruction ID: 0ff5b8c56085043905b059f620b5be74fbc3af6a555db31029e76a9a0e39ae0b
Opcode Fuzzy Hash: fd0cfa4af248a640a1abf2058f3ce9bd91bb1d7505349a5af61a32f07ef91932
Instruction Fuzzy Hash: AC4155B22006D5BBCF246F68FD49B7D3658EB40304F100129FA129A6E1CA799A46A765

Function 00C23766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/ErrorStdOut, xrefs: 00C2387D
CMDLINE, xrefs: 00C23822
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00C237AE
/AutoIt3ExecuteLine, xrefs: 00C238A7
/AutoIt3OutputDebug, xrefs: 00C23892
CMDLINERAW, xrefs: 00C237FB
/AutoIt3ExecuteScript, xrefs: 00C238BC

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 75fe33e2975826422bef43895d27a7df312a0a17256cfd5d1f16ba654fc6bff1
Instruction ID: c982427d64c1c488d4b918a326374d3ace7050a00f023605813ba0defd14daef
Opcode Fuzzy Hash: 75fe33e2975826422bef43895d27a7df312a0a17256cfd5d1f16ba654fc6bff1
Instruction Fuzzy Hash: 83A1AE7290026D9ACF05EBA0EC92EEEB778FF15300F400429F416B7591DF749A09DBA0

Function 018771E0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 018772B1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 018774D7

Memory Dump Source

Source File: 00000000.00000002.2306995760.0000000001874000.00000040.00000020.00020000.00000000.sdmp, Offset: 01874000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1874000_conferma.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction ID: c941e240137a001ffe3ffda52e1fca2e6a8ff21d994a7d2edf6b4a784b8d9ba6
Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction Fuzzy Hash: 56A11970E00209EBDB14CFA8C998BEEBBB5FF48304F208559E615BB280D7759A45CF95

Function 00C239D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C23A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C23A24
ShowWindow.USER32(00000000,?,?), ref: 00C23A38
ShowWindow.USER32(00000000,?,?), ref: 00C23A41

Strings

edit, xrefs: 00C23A1E
AutoIt v3, xrefs: 00C239FB, 00C23A00, 00C23A01

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: b1e8b27d9fffafb6176d775da310171f66bad7f4a651df31066d10f648e5aeef
Instruction ID: 6ec02e9f94c0e65916433309f66d69fdceca039bcb295ff84acf3c6bba136bcd
Opcode Fuzzy Hash: b1e8b27d9fffafb6176d775da310171f66bad7f4a651df31066d10f648e5aeef
Instruction Fuzzy Hash: E6F017746002907EEA205763AC88F6F3E7DD7C7F58B01002EBA00AA171C6710841DAB0

Function 01876FA0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 146
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01876E90: Sleep.KERNELBASE(000001F4), ref: 01876EA1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 018770CA

Strings

1JFB3PG6XJDJJPY9, xrefs: 0187712D, 01877130

Memory Dump Source

Source File: 00000000.00000002.2306995760.0000000001874000.00000040.00000020.00020000.00000000.sdmp, Offset: 01874000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1874000_conferma.jbxd

Similarity

API ID: CreateFileSleep
String ID: 1JFB3PG6XJDJJPY9
API String ID: 2694422964-210415504
Opcode ID: 58e0b9371551c43cea8267e45d97ca69d599a49530c1fd4d14775177c62feac6
Instruction ID: bdc648a6571db2621946e137f9fa7dacaec707a09836c01f8af74eb5e6dfecfb
Opcode Fuzzy Hash: 58e0b9371551c43cea8267e45d97ca69d599a49530c1fd4d14775177c62feac6
Instruction Fuzzy Hash: 0B519231E04249EBEF11DBE4D858BEEBB79AF19300F004599E608BB2C0D7794B45CB66

Function 00C2407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00C5D3D7

Part of subcall function 00C27BCC: _memmove.LIBCMT ref: 00C27C06

_memset.LIBCMT ref: 00C240FC
_wcscpy.LIBCMT ref: 00C24150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C24160

Strings

Line: , xrefs: 00C5D400

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 95c9d2c07fc287847fa266264a5fa9e33789245a9c16b870df164b31ca51a869
Instruction ID: e9540b7c83fc63f7573186b7667c60cfe6472efc977e5141eb797fdc1b0d7f85
Opcode Fuzzy Hash: 95c9d2c07fc287847fa266264a5fa9e33789245a9c16b870df164b31ca51a869
Instruction Fuzzy Hash: 4F31D171008754AFD724EB60EC86FDF77E8AF44304F104A1EF685964A1EB70A688D792

Function 00C4541D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00C4547B
_memcpy_s.LIBCMT ref: 00C454ED
__read_nolock.LIBCMT ref: 00C4554B
__filbuf.LIBCMT ref: 00C4556E
_memset.LIBCMT ref: 00C455B2

Part of subcall function 00C48B28: __getptd_noexit.LIBCMT ref: 00C48B28

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: 46be7cab5daba7b4119114f0b1627cada8f23774592c61affdb9e0d50769d4f6
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: 4151B470A00B05DBDB249FA9D8806BE77B6FF41331F248729F8359A2D2D7709E949B41

Function 00C2686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00C24DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00CE52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C24E0F

_free.LIBCMT ref: 00C5E263
_free.LIBCMT ref: 00C5E2AA

Part of subcall function 00C26A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00C26BAD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00C5E039
Bad directive syntax error, xrefs: 00C5E292

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 2a7a7a23162199b0857217e838c1c3f912e8571cab7ee9b8aca4003522af0863
Instruction ID: 66db245bce02979fad3fb68adae016c2650b8f865defa5d3432c7df3afb86ed2
Opcode Fuzzy Hash: 2a7a7a23162199b0857217e838c1c3f912e8571cab7ee9b8aca4003522af0863
Instruction Fuzzy Hash: AD919275900229DFCF08EFA4DC819EEB7B4FF09315F10452AF815AB2A1DB709A49EB54

Function 00C235B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00C235A1,SwapMouseButtons,00000004,?), ref: 00C235D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00C235A1,SwapMouseButtons,00000004,?,?,?,?,00C22754), ref: 00C235F5
RegCloseKey.KERNELBASE(00000000,?,?,00C235A1,SwapMouseButtons,00000004,?,?,?,?,00C22754), ref: 00C23617

Strings

Control Panel\Mouse, xrefs: 00C235D2

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 9818bfb9cddc11c7c4293e9e39d454ca701b82b4a5c4660207cfb5545eb575d8
Instruction ID: 6f70d9ecd90f347b6fb930384128d87cdde285c0240ef6dec30a6d667b14a221
Opcode Fuzzy Hash: 9818bfb9cddc11c7c4293e9e39d454ca701b82b4a5c4660207cfb5545eb575d8
Instruction Fuzzy Hash: BD114571610268BFDB208FA8EC80AEEBBBCFF05744F018469F805D7210E2719F419BA4

Function 01875E90 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 018766BD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 018766E1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01876703

Memory Dump Source

Source File: 00000000.00000002.2306995760.0000000001874000.00000040.00000020.00020000.00000000.sdmp, Offset: 01874000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1874000_conferma.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
Instruction ID: d54a5e78aef9d41683f3b49b2258a55b3610771e91022cb83046c8aa91a7340a
Opcode Fuzzy Hash: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
Instruction Fuzzy Hash: 4A621C30A14658DBEB24CFA4C850BDEB772EF58304F2091A9D10DEB394E7759E81CB59

Function 00C8955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00C24EE5: _fseek.LIBCMT ref: 00C24EFD

Part of subcall function 00C89734: _wcscmp.LIBCMT ref: 00C89824
Part of subcall function 00C89734: _wcscmp.LIBCMT ref: 00C89837

_free.LIBCMT ref: 00C896A2
_free.LIBCMT ref: 00C896A9
_free.LIBCMT ref: 00C89714

Part of subcall function 00C42D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00C49A24), ref: 00C42D69
Part of subcall function 00C42D55: GetLastError.KERNEL32(00000000,?,00C49A24), ref: 00C42D7B

_free.LIBCMT ref: 00C8971C

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 50af52b8f22919c11c7515362fb071ee60fc7e1c9e9e4129b0e36dbf2dd802cb
Instruction ID: 111467c2daab47bfab6762119c79e1fd5a9e78b430bb9de4e373793b763944ff
Opcode Fuzzy Hash: 50af52b8f22919c11c7515362fb071ee60fc7e1c9e9e4129b0e36dbf2dd802cb
Instruction Fuzzy Hash: DF5140B1D04258AFDF249FA4DC81AAEBB79FF48314F14449EF609A3241DB715A80DF58

Function 00C4470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C447A0
__flush.LIBCMT ref: 00C447C0
__write.LIBCMT ref: 00C447F3
__flsbuf.LIBCMT ref: 00C44821

Part of subcall function 00C48B28: __getptd_noexit.LIBCMT ref: 00C48B28

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 7b0a464f981cd525283d285d3343d203d456b3aec4d08087c6bc4b0fca7bc94c
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: DC41B775A007459BDB1CCF69C880AAE7BA6FF45364B34853DE825C7680EB70DE42DB40

Function 00C244A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C244CF

Part of subcall function 00C2407C: _memset.LIBCMT ref: 00C240FC
Part of subcall function 00C2407C: _wcscpy.LIBCMT ref: 00C24150
Part of subcall function 00C2407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C24160

KillTimer.USER32(?,00000001,?,?), ref: 00C24524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C24533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C5D4B9

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 6db92f17a099c6214c19cdc8d08dcbeb3535712ac9fec4be0bbd5f61cb5a152e
Instruction ID: 50d532e6a92992eb8ede641d8dd162f8a02fa022730d757c461d3da8db1ac72d
Opcode Fuzzy Hash: 6db92f17a099c6214c19cdc8d08dcbeb3535712ac9fec4be0bbd5f61cb5a152e
Instruction Fuzzy Hash: 4F2107749047949FE732CB249845BEABBECAF05309F04009DE7DE5B141C3742A88DB45

Function 00C27285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C5EA39
GetOpenFileNameW.COMDLG32(?), ref: 00C5EA83

Part of subcall function 00C24750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C24743,?,?,00C237AE,?), ref: 00C24770

Part of subcall function 00C40791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C407B0

Strings

X, xrefs: 00C5EA51

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 9978939af3692b46f8397b2c05eb0568b9a302d910f387ac633e565c2c1bbdf6
Instruction ID: a58f23315b89ecd62145dd33c11dbcb9c111b08cd716bb29f76c235ce8bab5b2
Opcode Fuzzy Hash: 9978939af3692b46f8397b2c05eb0568b9a302d910f387ac633e565c2c1bbdf6
Instruction Fuzzy Hash: E121D270A002589BCF01DF94D885BEE7BF8AF49714F00401AE908AB241DFB45A8DDFA1

Function 00C88D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C88DAC
__fread_nolock.LIBCMT ref: 00C88DC1

Strings

EA06, xrefs: 00C88DF3

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 2e91a3c5283e622906c5c21b34f980bcdafd7fcc3ce35a28dde869158e70d2cc
Instruction ID: 55cf9b65d55ff26e3a05b5ba3c63c83f7aef3bf3a02804074b9dc5377d1322cb
Opcode Fuzzy Hash: 2e91a3c5283e622906c5c21b34f980bcdafd7fcc3ce35a28dde869158e70d2cc
Instruction Fuzzy Hash: ED01F9719042187FDB18DBA8CC16EFE7BF8DB11301F00419BF552D2281E874A6089760

Function 00C898E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00C898F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00C8990F

Strings

aut, xrefs: 00C89909

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 2d2fd8a41b0ca48b5c38ed2e989dea544981c2647d2adaa5aa8804555db01561
Instruction ID: c9a958ce785d05f38ae918ecbbd72df8f1a446ee83ed5d781cc0501cf0c69b52
Opcode Fuzzy Hash: 2d2fd8a41b0ca48b5c38ed2e989dea544981c2647d2adaa5aa8804555db01561
Instruction Fuzzy Hash: 47D05E7954030DABDB50ABE0DC0EFDA773CE704705F0003B1BB94921A1EAB095998B91

Function 00C9CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdd5f3e5c63f0a22ad8eb8ce9e698f06af3a88107df7513c93d7706e631f012e
Instruction ID: 4c04873b435e28655ae065bdf899b23b6854a4f2acae2b96cae00aa496451798
Opcode Fuzzy Hash: cdd5f3e5c63f0a22ad8eb8ce9e698f06af3a88107df7513c93d7706e631f012e
Instruction Fuzzy Hash: 04F138716083019FCB14DF29C484A6ABBE5FF89314F54896EF8A99B352D730E945CF82

Function 00C2F76F Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C40162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C40193
Part of subcall function 00C40162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00C4019B
Part of subcall function 00C40162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C401A6
Part of subcall function 00C40162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C401B1
Part of subcall function 00C40162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00C401B9
Part of subcall function 00C40162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00C401C1

Part of subcall function 00C360F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00C2F930), ref: 00C36154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00C2F9CD
OleInitialize.OLE32(00000000), ref: 00C2FA4A
CloseHandle.KERNEL32(00000000), ref: 00C645C8

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: e8c853336711449a8fc16fc8d14bc2f3a588c062010a1c0eee53a73390d89c83
Instruction ID: 4a9c251ac36005a611fa2928b0d5a59484a30ed30abf9d8ab3cfc20e6e9fd086
Opcode Fuzzy Hash: e8c853336711449a8fc16fc8d14bc2f3a588c062010a1c0eee53a73390d89c83
Instruction Fuzzy Hash: EA81ACB0911BC0CFC784DF39A9C5B5D7BE5EB8830E790852AA119CF2B2EB7444858F11

Function 00C2434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C24370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C24415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C24432

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 6b86fc69ee16fe1c1564348d2370ed5a6aebd9763af82d73036b111a72a14d8e
Instruction ID: de8f613ed4cd4e079c300c189c1a3b9181d0f367b6d0d8c3254fbbf26d5c0074
Opcode Fuzzy Hash: 6b86fc69ee16fe1c1564348d2370ed5a6aebd9763af82d73036b111a72a14d8e
Instruction Fuzzy Hash: 9C3171B05047118FD725EF64E88479BBBF8FB49309F00092EF69AC7651E771AA44CB52

Function 00C4571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00C45733

Part of subcall function 00C4A16B: __NMSG_WRITE.LIBCMT ref: 00C4A192
Part of subcall function 00C4A16B: __NMSG_WRITE.LIBCMT ref: 00C4A19C

__NMSG_WRITE.LIBCMT ref: 00C4573A

Part of subcall function 00C4A1C8: GetModuleFileNameW.KERNEL32(00000000,00CE33BA,00000104,?,00000001,00000000), ref: 00C4A25A
Part of subcall function 00C4A1C8: ___crtMessageBoxW.LIBCMT ref: 00C4A308

Part of subcall function 00C4309F: ___crtCorExitProcess.LIBCMT ref: 00C430A5
Part of subcall function 00C4309F: ExitProcess.KERNEL32 ref: 00C430AE

Part of subcall function 00C48B28: __getptd_noexit.LIBCMT ref: 00C48B28

RtlAllocateHeap.NTDLL(017D0000,00000000,00000001,00000000,?,?,?,00C40DD3,?), ref: 00C4575F

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: e962b69d596dde6eff416dd6f336542024003c78e99521d41978f2e01929635c
Instruction ID: 2ede399abc5061b130d2847474c42520d47254bc54aa4406d8d88f0633eed848
Opcode Fuzzy Hash: e962b69d596dde6eff416dd6f336542024003c78e99521d41978f2e01929635c
Instruction Fuzzy Hash: B901F135250B41DFE6103B39EC86B2E7388FF82362F100539F925AB193DF709E016A61

Function 00C898A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00C89548,?,?,?,?,?,00000004), ref: 00C898BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00C89548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00C898D1
CloseHandle.KERNEL32(00000000,?,00C89548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00C898D8

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 9d8ba466b79e47d9ba802dc754f5a7c5f2eeac536d8c156e14c318a00470d1eb
Instruction ID: 645698c15a33d709bfb467b86a386237aec23fee9a392d85607732b87326444d
Opcode Fuzzy Hash: 9d8ba466b79e47d9ba802dc754f5a7c5f2eeac536d8c156e14c318a00470d1eb
Instruction Fuzzy Hash: 2FE08632241214BBEB312B94EC09FDE7B19EB07769F144124FB646A0F087B116129798

Function 00C88D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C88D1B

Part of subcall function 00C42D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00C49A24), ref: 00C42D69
Part of subcall function 00C42D55: GetLastError.KERNEL32(00000000,?,00C49A24), ref: 00C42D7B

_free.LIBCMT ref: 00C88D2C
_free.LIBCMT ref: 00C88D3E

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c56cf7ee783aa8295308e84720220828ccc4d403300e1e82c1220f1652f177a4
Instruction ID: b7ee73866b9ad349f8bab7159b4a69bdc6987162034ca956ec7debb04a40d2d2
Opcode Fuzzy Hash: c56cf7ee783aa8295308e84720220828ccc4d403300e1e82c1220f1652f177a4
Instruction Fuzzy Hash: 3FE0C2A1A0160242CB20B678A841A8313DC5F483A6F84080EB41DD7182CE60F882D228

Function 00C2A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00C5FC01

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: a2d5aa55640ce77672048c99e01da56fc9c54b9705648fa1da66efce97531149
Instruction ID: 78a66f8d9431fdcba2d3a28648ff4aa319a1a35a675d57392d720145648bf6a8
Opcode Fuzzy Hash: a2d5aa55640ce77672048c99e01da56fc9c54b9705648fa1da66efce97531149
Instruction Fuzzy Hash: 2B225874508321DFC724DF24D494A2ABBE1FF84304F14896DE89A9B762D731ED85DB82

Function 00C24C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C24CBA

Strings

EA06, xrefs: 00C5D8CC

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 3cc521675ceb6bbfb9a7a766c5a936fd52a7391b3ac6a369a7ee8c2b172eb857
Instruction ID: 3038b388111172e0d83978a5f20deab59a84326acd77b91cc0f1443875dc3b02
Opcode Fuzzy Hash: 3cc521675ceb6bbfb9a7a766c5a936fd52a7391b3ac6a369a7ee8c2b172eb857
Instruction Fuzzy Hash: 77418D31A0427857DF2A9F64FC517BE7FA2DB45300F684474EC82DBA87D6309E4493A1

Function 00C27A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C27AAB
_memmove.LIBCMT ref: 00C27B16

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 8787708196ce45b0a8645caae1a99237cce191730ca2271c137f8889e79cc621
Instruction ID: 769c7946c2c9628fe4c0169faf07d3559ead6c28c3e6cfadf519fe07737fa153
Opcode Fuzzy Hash: 8787708196ce45b0a8645caae1a99237cce191730ca2271c137f8889e79cc621
Instruction Fuzzy Hash: 5331A4B1604616EFC704DF68D8D1D69B3A9FF483207158729E529CB791EB30EA60DB90

Function 00C247D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00C24834

Part of subcall function 00C4336C: __lock.LIBCMT ref: 00C43372
Part of subcall function 00C4336C: DecodePointer.KERNEL32(00000001,?,00C24849,00C77C74), ref: 00C4337E
Part of subcall function 00C4336C: EncodePointer.KERNEL32(?,?,00C24849,00C77C74), ref: 00C43389

Part of subcall function 00C248FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00C24915
Part of subcall function 00C248FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C2492A

Part of subcall function 00C23B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C23B68
Part of subcall function 00C23B3A: IsDebuggerPresent.KERNEL32 ref: 00C23B7A
Part of subcall function 00C23B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00CE52F8,00CE52E0,?,?), ref: 00C23BEB
Part of subcall function 00C23B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00C23C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C24874

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: a65295f38ddb2284667ac7daaba69a1b0c653884117d51f9ee4b005f4ee10245
Instruction ID: a3147ac75a863d76c6dd8670d347a1ca42c2fbb855ae4125b6385fb4ea7b7531
Opcode Fuzzy Hash: a65295f38ddb2284667ac7daaba69a1b0c653884117d51f9ee4b005f4ee10245
Instruction Fuzzy Hash: 48119A719183919FC700EF69E885B0EBBE8FF99754F10491EF1448B2B1DBB09649CB92

Function 00C40DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C4571C: __FF_MSGBANNER.LIBCMT ref: 00C45733
Part of subcall function 00C4571C: __NMSG_WRITE.LIBCMT ref: 00C4573A
Part of subcall function 00C4571C: RtlAllocateHeap.NTDLL(017D0000,00000000,00000001,00000000,?,?,?,00C40DD3,?), ref: 00C4575F

std::exception::exception.LIBCMT ref: 00C40DEC
__CxxThrowException@8.LIBCMT ref: 00C40E01

Part of subcall function 00C4859B: RaiseException.KERNEL32(?,?,?,00CD9E78,00000000,?,?,?,?,00C40E06,?,00CD9E78,?,00000001), ref: 00C485F0

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: e6602adc027c26cfd003dddb5acd2b1c3cd47cda93deba1761d1b9346de9b757
Instruction ID: 72a2449ed9dd2326d5f2407400e5435eac06a18d6e15f708e3a637f35d381ab7
Opcode Fuzzy Hash: e6602adc027c26cfd003dddb5acd2b1c3cd47cda93deba1761d1b9346de9b757
Instruction Fuzzy Hash: 65F0C87594031D66DB10BAA8EC119DF7BACFF01311F20082AFE1496691DF709A54E2D1

Function 00C455FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C4562C
__lock_file.LIBCMT ref: 00C4564D

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 422dfe5cc29754b763ac0bc251e1a3c2737447b4db5f425bffd38862b13fb0e8
Instruction ID: 14fd384bfd8bfad24d4c1e045a4a9f9c21e357c5737df053649f411b5b6b85b7
Opcode Fuzzy Hash: 422dfe5cc29754b763ac0bc251e1a3c2737447b4db5f425bffd38862b13fb0e8
Instruction Fuzzy Hash: B301D671C01A09EBCF12AFA99C068DE7B71FF92361F554215F8241B292DB318A51FF92

Function 00C453A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C48B28: __getptd_noexit.LIBCMT ref: 00C48B28

__lock_file.LIBCMT ref: 00C453EB

Part of subcall function 00C46C11: __lock.LIBCMT ref: 00C46C34

__fclose_nolock.LIBCMT ref: 00C453F6

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 4d9b07c52a6c645c42fff215a6f58b53560a80497f4c8ee0e68d4605bfa9d1a8
Instruction ID: 2e052c8ad437838dbee12620f16eeddd5b27b9dac8d7daddf49c94ea5c3630fd
Opcode Fuzzy Hash: 4d9b07c52a6c645c42fff215a6f58b53560a80497f4c8ee0e68d4605bfa9d1a8
Instruction Fuzzy Hash: 5FF09031901A049BDB10AF6598067AD7AA07F41374F208209A464AB1D2CBBC8A49BB52

Function 01875E8D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 018766BD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 018766E1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01876703

Memory Dump Source

Source File: 00000000.00000002.2306995760.0000000001874000.00000040.00000020.00020000.00000000.sdmp, Offset: 01874000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1874000_conferma.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction ID: 3f6c3c8385ed0c8b67697a7be4422ae1b99d1e998c501e5263f75f2267e7a6a3
Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction Fuzzy Hash: 0012CF24E14658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A8F85CF5A

Function 00C40C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00C40CB7

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 85830c233d2f3f54f35e948c3e4b96628816647b5b7dd15d7fbd8029454a8060
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 4231E070A40105DBC718DF19D4C4A69FBB6FB89300B3486A5E91ACB351DA31EEC1DBC2

Function 00C5FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00C5FCB7

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: e4691073671dac8a63230db1ebc3bcc157bba5fc7d2022103007355328198576
Instruction ID: 3390c141c2c80f72a88d1beda3384e466cfaa67e34ffa40bc8303c37e4bc1ba5
Opcode Fuzzy Hash: e4691073671dac8a63230db1ebc3bcc157bba5fc7d2022103007355328198576
Instruction Fuzzy Hash: CA4138745043518FDB25DF14D484B1ABBE0BF45318F1988ACE9998B762C332ED85CF52

Function 00C27B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C27BB3

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: e4b77e66e6a85d7ee92ca496425412018a1b00f3c91844d8881a7096f4499b14
Instruction ID: 1d571421966bec6908884999b243ca08e40692235896a8c1012dee2ed7f6c4d7
Opcode Fuzzy Hash: e4b77e66e6a85d7ee92ca496425412018a1b00f3c91844d8881a7096f4499b14
Instruction Fuzzy Hash: 46216A72A04A19EBDB188F16FC8176E7BB4FF14352F20852EE886C5490EB30D2D4D749

Function 00C24DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C24BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00C24BEF

Part of subcall function 00C4525B: __wfsopen.LIBCMT ref: 00C45266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00CE52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C24E0F

Part of subcall function 00C24B6A: FreeLibrary.KERNEL32(00000000), ref: 00C24BA4

Part of subcall function 00C24C70: _memmove.LIBCMT ref: 00C24CBA

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 8be9ebb54a2d445337089d8a8b3768e3c28c659fba8ca4ca90cf80bb8463695d
Instruction ID: c5236879f6bcdd57972c84eff8e6649ad0972a681cc0b094cf24a91cb47bf982
Opcode Fuzzy Hash: 8be9ebb54a2d445337089d8a8b3768e3c28c659fba8ca4ca90cf80bb8463695d
Instruction Fuzzy Hash: 0011E731600316ABDF28BFB0D816FADB7A8AF44710F10842DF942AB581DBB19A05BB51

Function 00C5FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00C5FD91

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 668981100dd8b5b36e0aa2f435d8f2912ba07b55df25da53f4c79f8c969a7238
Instruction ID: 09b8d07f51fea63350569a5e0b20625d99919b92bd45ed0a2079217e3905dd53
Opcode Fuzzy Hash: 668981100dd8b5b36e0aa2f435d8f2912ba07b55df25da53f4c79f8c969a7238
Instruction Fuzzy Hash: 4B2153B4908311DFCB24DF64D444B1ABBE0BF88314F14886CF99A57B22C731E809DB92

Function 00C4072A Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C407B0

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: c9a5e4ecb07e42cbccd3f48f4ef2d886bdd8714e08262d272ca3531f38acfd3f
Instruction ID: 6598c52b6e60b4e77ab8ca535646a7848fddd3636bc3c005a361b649786aae2d
Opcode Fuzzy Hash: c9a5e4ecb07e42cbccd3f48f4ef2d886bdd8714e08262d272ca3531f38acfd3f
Instruction Fuzzy Hash: E2F0C2755012289FCB129F58DC40BE877A9FF8AB50B1041A9F844CB550D7704C0D87E0

Function 00C44863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00C448A6

Part of subcall function 00C48B28: __getptd_noexit.LIBCMT ref: 00C48B28

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 9d51520255001b4fec59b0f97c7f993ea41bf531f777d59c3cb97c543e0d9ccf
Instruction ID: 22b1cd789a7c83e6440cba134f8594c4ef8a02b4810bd718444ab86c2c311720
Opcode Fuzzy Hash: 9d51520255001b4fec59b0f97c7f993ea41bf531f777d59c3cb97c543e0d9ccf
Instruction Fuzzy Hash: C2F0CD31901609EBDF15AFB48C067EE36A0FF01325F258414F824EA1D2CBB88A51EF52

Function 00C24E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00CE52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C24E7E

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: d3cdadfaff368a678d4292b65be54fb47d327fb5c9d3b106f65d619d594d265d
Instruction ID: 87e5115f75acfaa56bd2abeddc08623d22a5638dd8aa85547a973bced169e535
Opcode Fuzzy Hash: d3cdadfaff368a678d4292b65be54fb47d327fb5c9d3b106f65d619d594d265d
Instruction Fuzzy Hash: 0AF03971501721CFEB389F65E494816FBE1BF143293218A3EE2E682A20C7329C80DF40

Function 00C40791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C407B0

Part of subcall function 00C27BCC: _memmove.LIBCMT ref: 00C27C06

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: ba9ef20ddf9941c75c2e11010209a9ab21df2a25fad4a6ca84e2d319bded2b00
Instruction ID: 096cd79e99adaf7a4e75253002a8fa7be611b63aabc2c0bffed819ac35696658
Opcode Fuzzy Hash: ba9ef20ddf9941c75c2e11010209a9ab21df2a25fad4a6ca84e2d319bded2b00
Instruction Fuzzy Hash: 7CE0CD369052285BC720D6999C05FEA77DDDFC97A1F0442B5FC0CD7214D9709C8086D0

Function 00C88E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00C88EC1

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: df500411cecbf86daa2866f5c11daa338d781597be3f048e0fe9c7dde1a625c3
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: D9E092B0204B045BD7389A24D800BA373E1AB05309F00081DF2AA93242EB627845875D

Function 00C4525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00C45266

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: a96652e1e714010d4a8043f99fc45b81ad21e343466f4e8ff2137b79dc222b20
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: B3B0927684020C7BCE112A82EC02A493B19AB41764F408021FB0C18162A6B3A664AA89

Function 01876E90 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01876EA1

Memory Dump Source

Source File: 00000000.00000002.2306995760.0000000001874000.00000040.00000020.00020000.00000000.sdmp, Offset: 01874000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1874000_conferma.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 5616034fe5da2a63789e582d2909738cd6f701e1d5728bab3167b4eff8dd145e
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 1CE0E67594410DDFDB00EFB4D54969E7FB4EF04701F100565FD05D2281D6319E509A72

Non-executed Functions

Function 00CACABC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00C22612: GetWindowLongW.USER32(?,000000EB), ref: 00C22623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00CACB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CACB95
GetWindowLongW.USER32(?,000000F0), ref: 00CACBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CACC00
SendMessageW.USER32 ref: 00CACC29
_wcsncpy.LIBCMT ref: 00CACC95
GetKeyState.USER32(00000011), ref: 00CACCB6
GetKeyState.USER32(00000009), ref: 00CACCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CACCD9
GetKeyState.USER32(00000010), ref: 00CACCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CACD0C
SendMessageW.USER32 ref: 00CACD33
SendMessageW.USER32(?,00001030,?,00CAB348), ref: 00CACE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00CACE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00CACE60
SetCapture.USER32(?), ref: 00CACE69
ClientToScreen.USER32(?,?), ref: 00CACECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00CACEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CACEF5
ReleaseCapture.USER32 ref: 00CACF00
GetCursorPos.USER32(?), ref: 00CACF3A
ScreenToClient.USER32(?,?), ref: 00CACF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 00CACFA3
SendMessageW.USER32 ref: 00CACFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 00CAD00E
SendMessageW.USER32 ref: 00CAD03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00CAD05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00CAD06D
GetCursorPos.USER32(?), ref: 00CAD08D
ScreenToClient.USER32(?,?), ref: 00CAD09A
GetParent.USER32(?), ref: 00CAD0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 00CAD123
SendMessageW.USER32 ref: 00CAD154
ClientToScreen.USER32(?,?), ref: 00CAD1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00CAD1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 00CAD20C
SendMessageW.USER32 ref: 00CAD22F
ClientToScreen.USER32(?,?), ref: 00CAD281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00CAD2B5

Part of subcall function 00C225DB: GetWindowLongW.USER32(?,000000EB), ref: 00C225EC

GetWindowLongW.USER32(?,000000F0), ref: 00CAD351

Strings

@GUI_DRAGID, xrefs: 00CACE9C
F, xrefs: 00CAD235

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 475c8f01dd0303a6ca6765ff60526e1b84731a754731348a47f77add41f82c34
Instruction ID: dd343d04eec9962e8015c678d2d2d8d2222772e146cfa9beb3c64d464f9c8233
Opcode Fuzzy Hash: 475c8f01dd0303a6ca6765ff60526e1b84731a754731348a47f77add41f82c34
Instruction Fuzzy Hash: B842CE74604242AFDB20CF64D888BAABBF5FF4A318F14051DF666872B1C732D951DBA1

Function 00CA7DDB Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00CA84D0

Strings

%d/%02d/%02d, xrefs: 00CA8209

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 778f15acdd32f36b6323cae97b5d1bfc954137cd3b495e9ce25d7391929a1f9f
Instruction ID: b83b018275804d3b47d0382d6e19b21a298390ec36398d6f2f0ead51da7e7f6a
Opcode Fuzzy Hash: 778f15acdd32f36b6323cae97b5d1bfc954137cd3b495e9ce25d7391929a1f9f
Instruction Fuzzy Hash: 6812BF7150020AABEB259F65CC49FAF7BB4FF4A318F144229F915EB2E1DB708A45CB50

Function 00C36F9E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C371C3
_memset.LIBCMT ref: 00C37539
_memmove.LIBCMT ref: 00C376AC

Strings

Q\E, xrefs: 00C37FCB
\b(?<=\w), xrefs: 00C73773
\b(?=\w), xrefs: 00C73769
[:<:]], xrefs: 00C37479
DEFINE, xrefs: 00C72103
[:>:]], xrefs: 00C37492

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: 6b52a9905a668e3c85e048ee0dc125290d69d7665742a40db5ec1c01a25c1413
Instruction ID: dc7bf53b8dfdf788ec6eb76db58850817a158e6e8037e4132e4d42d3641da1a9
Opcode Fuzzy Hash: 6b52a9905a668e3c85e048ee0dc125290d69d7665742a40db5ec1c01a25c1413
Instruction Fuzzy Hash: 2393A171E00219DFDB24CF99C881BADB7B1FF48310F25816AE959AB391E7709E81DB50

Function 00C248D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00C248DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C5D665
IsIconic.USER32(?), ref: 00C5D66E
ShowWindow.USER32(?,00000009), ref: 00C5D67B
SetForegroundWindow.USER32(?), ref: 00C5D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C5D69B
GetCurrentThreadId.KERNEL32 ref: 00C5D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C5D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00C5D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 00C5D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 00C5D6CF
SetForegroundWindow.USER32(?), ref: 00C5D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C5D6E7
keybd_event.USER32(00000012,00000000), ref: 00C5D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C5D6FC
keybd_event.USER32(00000012,00000000), ref: 00C5D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C5D70A
keybd_event.USER32(00000012,00000000), ref: 00C5D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C5D719
keybd_event.USER32(00000012,00000000), ref: 00C5D71E
SetForegroundWindow.USER32(?), ref: 00C5D721
AttachThreadInput.USER32(?,?,00000000), ref: 00C5D748

Strings

Shell_TrayWnd, xrefs: 00C5D660

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 7c7240bf9ca009f46ec70b5961f1a71e43a3f44bcc727c10b8e2d3748184305f
Instruction ID: 13ef3df7b1253a70ac09692d5b11b0158fa94832547577c570899f8d029464cf
Opcode Fuzzy Hash: 7c7240bf9ca009f46ec70b5961f1a71e43a3f44bcc727c10b8e2d3748184305f
Instruction Fuzzy Hash: A8319375A40318BBEB306FA19C49F7F3E6CEB45B51F104029FA05EB1D1CAB05942ABA5

Function 00C78310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00C787E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C7882B
Part of subcall function 00C787E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C78858
Part of subcall function 00C787E1: GetLastError.KERNEL32 ref: 00C78865

_memset.LIBCMT ref: 00C78353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00C783A5
CloseHandle.KERNEL32(?), ref: 00C783B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00C783CD
GetProcessWindowStation.USER32 ref: 00C783E6
SetProcessWindowStation.USER32(00000000), ref: 00C783F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00C7840A

Part of subcall function 00C781CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C78309), ref: 00C781E0
Part of subcall function 00C781CB: CloseHandle.KERNEL32(?,?,00C78309), ref: 00C781F2

Strings

default, xrefs: 00C78405
, xrefs: 00C78362
winsta0, xrefs: 00C783C8

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 252de99576f76518bdd20527362d59398654334fbc96855838bed227dae4b6cb
Instruction ID: a739ba1d08775a33cc5f2c5282a8d2cedce7d64a2ceeed1d89a3612f68a135ac
Opcode Fuzzy Hash: 252de99576f76518bdd20527362d59398654334fbc96855838bed227dae4b6cb
Instruction Fuzzy Hash: FA814F71940209AFEF51DFA4CC49BEE7B79FF05304F148169FA29A6161DB318E19EB20

Function 00C8C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C8C78D
FindClose.KERNEL32(00000000), ref: 00C8C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C8C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C8C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 00C8C844
__swprintf.LIBCMT ref: 00C8C890
__swprintf.LIBCMT ref: 00C8C8D3

Part of subcall function 00C27DE1: _memmove.LIBCMT ref: 00C27E22

__swprintf.LIBCMT ref: 00C8C927

Part of subcall function 00C43698: __woutput_l.LIBCMT ref: 00C436F1

__swprintf.LIBCMT ref: 00C8C975

Part of subcall function 00C43698: __flsbuf.LIBCMT ref: 00C43713
Part of subcall function 00C43698: __flsbuf.LIBCMT ref: 00C4372B

__swprintf.LIBCMT ref: 00C8C9C4
__swprintf.LIBCMT ref: 00C8CA13
__swprintf.LIBCMT ref: 00C8CA62

Strings

%4d, xrefs: 00C8C8CD
%4d%02d%02d%02d%02d%02d, xrefs: 00C8C88A
%02d, xrefs: 00C8C91B, 00C8C925, 00C8C973, 00C8C9C2, 00C8CA11, 00C8CA60

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 9be2afeeeb4d4318bbc4e995f7ffa625433866c33af27a6e7e1cd5e3173d1891
Instruction ID: 754d1d11e5a518726ed412795fe7bacfcee5699c514075335e33e3034571903f
Opcode Fuzzy Hash: 9be2afeeeb4d4318bbc4e995f7ffa625433866c33af27a6e7e1cd5e3173d1891
Instruction Fuzzy Hash: 06A15BB1408354ABC704EFA4D886EAFB7ECFF85704F40092DF59587191EA30DA08DB62

Function 00C8EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00C8EFB6
_wcscmp.LIBCMT ref: 00C8EFCB
_wcscmp.LIBCMT ref: 00C8EFE2
GetFileAttributesW.KERNEL32(?), ref: 00C8EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 00C8F00E
FindNextFileW.KERNEL32(00000000,?), ref: 00C8F026
FindClose.KERNEL32(00000000), ref: 00C8F031
FindFirstFileW.KERNEL32(*.*,?), ref: 00C8F04D
_wcscmp.LIBCMT ref: 00C8F074
_wcscmp.LIBCMT ref: 00C8F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 00C8F09D
SetCurrentDirectoryW.KERNEL32(00CD8920), ref: 00C8F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C8F0C5
FindClose.KERNEL32(00000000), ref: 00C8F0D2
FindClose.KERNEL32(00000000), ref: 00C8F0E4

Strings

*.*, xrefs: 00C8F048

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: f297438eb8c8da1244d851b733919972514f57ba72b269203bb8cf76dbdf2c24
Instruction ID: 19dfdbf487f7d1dbf79fe430388d93a1b640a9004e8cc9db73f6f1780af80553
Opcode Fuzzy Hash: f297438eb8c8da1244d851b733919972514f57ba72b269203bb8cf76dbdf2c24
Instruction Fuzzy Hash: 1531E5325012097ECB14ABE4DC48BEE77AC9F49368F10027AE950D31A1DB70DB46DB69

Function 00CA0857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CA0953
RegCreateKeyExW.ADVAPI32(?,?,00000000,00CAF910,00000000,?,00000000,?,?), ref: 00CA09C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00CA0A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00CA0A92
RegCloseKey.ADVAPI32(?), ref: 00CA0DB2
RegCloseKey.ADVAPI32(00000000), ref: 00CA0DBF

Strings

REG_SZ, xrefs: 00CA0AD0
REG_DWORD, xrefs: 00CA0C83
REG_MULTI_SZ, xrefs: 00CA0B7A
REG_QWORD, xrefs: 00CA0D00
REG_EXPAND_SZ, xrefs: 00CA0A2F
REG_BINARY, xrefs: 00CA0D4D

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 31306f8c6926aad93a2cab53c26d5a952ed79c5ee7598d2e6fdcb203bddf01fe
Instruction ID: c0e24e99f992ba8eb5cd50e3b39e33317c7b505a673b407c33531923335361f8
Opcode Fuzzy Hash: 31306f8c6926aad93a2cab53c26d5a952ed79c5ee7598d2e6fdcb203bddf01fe
Instruction Fuzzy Hash: 4B029E756006119FCB14EF24D841E2AB7E5FF8A724F14895CF89A9B7A2CB30ED41DB81

Function 00C8F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00C8F113
_wcscmp.LIBCMT ref: 00C8F128
_wcscmp.LIBCMT ref: 00C8F13F

Part of subcall function 00C84385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00C843A0

FindNextFileW.KERNEL32(00000000,?), ref: 00C8F16E
FindClose.KERNEL32(00000000), ref: 00C8F179
FindFirstFileW.KERNEL32(*.*,?), ref: 00C8F195
_wcscmp.LIBCMT ref: 00C8F1BC
_wcscmp.LIBCMT ref: 00C8F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 00C8F1E5
SetCurrentDirectoryW.KERNEL32(00CD8920), ref: 00C8F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C8F20D
FindClose.KERNEL32(00000000), ref: 00C8F21A
FindClose.KERNEL32(00000000), ref: 00C8F22C

Strings

*.*, xrefs: 00C8F190

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 9143c173b80830cd9e3103d8cbd79300a9412b21d320bf1e23e7676435d27a77
Instruction ID: 7ad894df0758918b898ef66829ee3a281d93dbcb567a0dce5bf4b2c6c149dc73
Opcode Fuzzy Hash: 9143c173b80830cd9e3103d8cbd79300a9412b21d320bf1e23e7676435d27a77
Instruction Fuzzy Hash: 3C31E7365002196ADF10BBA4EC59BEE77BC9F85368F100279E910E31A0DB30DF46DB68

Function 00C8A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C8A20F
__swprintf.LIBCMT ref: 00C8A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 00C8A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00C8A293
_memset.LIBCMT ref: 00C8A2B2
_wcsncpy.LIBCMT ref: 00C8A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00C8A323
CloseHandle.KERNEL32(00000000), ref: 00C8A32E
RemoveDirectoryW.KERNEL32(?), ref: 00C8A337
CloseHandle.KERNEL32(00000000), ref: 00C8A341

Strings

:, xrefs: 00C8A252
\??\%s, xrefs: 00C8A22B
\, xrefs: 00C8A247

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: aa2847aecd2ac1d88319fae80b767606527821558db309afcf4ac9fb9ba6ac4a
Instruction ID: 763f94a2ced7b05e6e727b26ca8605bee14fa8762cb42c9c4c80ed10279a0a3e
Opcode Fuzzy Hash: aa2847aecd2ac1d88319fae80b767606527821558db309afcf4ac9fb9ba6ac4a
Instruction Fuzzy Hash: 80318EB1900109ABDB219FA0DC49FEF37BCEF89744F1041BAFA19D2160EB7097458B29

Function 00C77CAF Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C78202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C7821E
Part of subcall function 00C78202: GetLastError.KERNEL32(?,00C77CE2,?,?,?), ref: 00C78228
Part of subcall function 00C78202: GetProcessHeap.KERNEL32(00000008,?,?,00C77CE2,?,?,?), ref: 00C78237
Part of subcall function 00C78202: HeapAlloc.KERNEL32(00000000,?,00C77CE2,?,?,?), ref: 00C7823E
Part of subcall function 00C78202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C78255

Part of subcall function 00C7829F: GetProcessHeap.KERNEL32(00000008,00C77CF8,00000000,00000000,?,00C77CF8,?), ref: 00C782AB
Part of subcall function 00C7829F: HeapAlloc.KERNEL32(00000000,?,00C77CF8,?), ref: 00C782B2
Part of subcall function 00C7829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00C77CF8,?), ref: 00C782C3

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C77D13
_memset.LIBCMT ref: 00C77D28
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C77D47
GetLengthSid.ADVAPI32(?), ref: 00C77D58
GetAce.ADVAPI32(?,00000000,?), ref: 00C77D95
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C77DB1
GetLengthSid.ADVAPI32(?), ref: 00C77DCE
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00C77DDD
HeapAlloc.KERNEL32(00000000), ref: 00C77DE4
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C77E05
CopySid.ADVAPI32(00000000), ref: 00C77E0C
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C77E3D
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C77E63
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C77E77

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 06a9b4ef3c1c671ded44a46f0cb75671ce64d74eacb4f72b7d94376e3c16d423
Instruction ID: f16d6c880fad9628fd76f8160e2b30f4638b69d73c789b08467c2f892c907222
Opcode Fuzzy Hash: 06a9b4ef3c1c671ded44a46f0cb75671ce64d74eacb4f72b7d94376e3c16d423
Instruction Fuzzy Hash: F3613A71904609AFDF10DFA5DC85AEEBB79FF05304F048269F929A7291DB319A06CB60

Function 00C366E1 Relevance: 19.6, Strings: 15, Instructions: 889COMMON

Download Yara Rule

Strings

UTF16), xrefs: 00C710CF
LF), xrefs: 00C712A4
CRLF), xrefs: 00C712C1
NO_AUTO_POSSESS), xrefs: 00C7112E
csdee6tcsdfe6tcsdfe6tcsdfe6tcsdfe6tcsdce6tcsd7e6tcsd8e6tcsd5e6tcsd0e6tcsdce6tcsdfe, xrefs: 00C367AB
BSR_ANYCRLF), xrefs: 00C7131E
NO_START_OPT), xrefs: 00C7114F
UCP), xrefs: 00C7110D
ANYCRLF), xrefs: 00C712FB
UTF), xrefs: 00C710FA
BSR_UNICODE), xrefs: 00C71338
LIMIT_MATCH=, xrefs: 00C71170
CR), xrefs: 00C71287
ANY), xrefs: 00C712DE
LIMIT_RECURSION=, xrefs: 00C711FC

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$csdee6tcsdfe6tcsdfe6tcsdfe6tcsdfe6tcsdce6tcsd7e6tcsd8e6tcsd5e6tcsd0e6tcsdce6tcsdfe
API String ID: 0-2898629036
Opcode ID: fc54c9a8a5c5905e0d458cd622cc08c3bcddd905ad668f3f9836e61c032f0544
Instruction ID: 372f4e2c438a0aa861f8276d590d06c90057fa9e883b3dba3c585778ec0ffdf7
Opcode Fuzzy Hash: fc54c9a8a5c5905e0d458cd622cc08c3bcddd905ad668f3f9836e61c032f0544
Instruction Fuzzy Hash: 61727FB5E102199BDF24CF59C8807AEB7B5FF44710F14C16AE959EB290EB309E81DB90

Function 00C8001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C80097
SetKeyboardState.USER32(?), ref: 00C80102
GetAsyncKeyState.USER32(000000A0), ref: 00C80122
GetKeyState.USER32(000000A0), ref: 00C80139
GetAsyncKeyState.USER32(000000A1), ref: 00C80168
GetKeyState.USER32(000000A1), ref: 00C80179
GetAsyncKeyState.USER32(00000011), ref: 00C801A5
GetKeyState.USER32(00000011), ref: 00C801B3
GetAsyncKeyState.USER32(00000012), ref: 00C801DC
GetKeyState.USER32(00000012), ref: 00C801EA
GetAsyncKeyState.USER32(0000005B), ref: 00C80213
GetKeyState.USER32(0000005B), ref: 00C80221

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: c9adea10c514d68ede992772668f55e6b71b6abb402658fdb51dfe3e144b649b
Instruction ID: 7a1a83c1ec2c167731515c9fda470c0cc586ffd1f3ce45bfe074a80594209dbe
Opcode Fuzzy Hash: c9adea10c514d68ede992772668f55e6b71b6abb402658fdb51dfe3e144b649b
Instruction Fuzzy Hash: 7951F9309047882DFB75FBA088557AEBFB49F02388F18459D89D2571C3DBA49B8CC769

Function 00CA03DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C9FDAD,?,?), ref: 00CA0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CA04AC

Part of subcall function 00C29837: __itow.LIBCMT ref: 00C29862
Part of subcall function 00C29837: __swprintf.LIBCMT ref: 00C298AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00CA054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00CA05E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00CA0822
RegCloseKey.ADVAPI32(00000000), ref: 00CA082F

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 533a8816e70df90f5da55f8738d45a5b5bb3dba9322343ea74c2b14800087393
Instruction ID: e614fecac3a933ea4c2c3055da5f14b076983240ac4550bbf4ef5837def4b06f
Opcode Fuzzy Hash: 533a8816e70df90f5da55f8738d45a5b5bb3dba9322343ea74c2b14800087393
Instruction Fuzzy Hash: 3BE16171604211AFCB14DF24C895E2ABBE4FF8A358F14896DF859DB2A1DB30ED01DB91

Function 00C94164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00C9418B
EmptyClipboard.USER32 ref: 00C94191
GlobalAlloc.KERNEL32(00000002,?), ref: 00C941A6
CloseClipboard.USER32 ref: 00C94245

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 36227fb7c85d9db2f3beb410aa9d8481be9ac38bd72773aaec5f9646a139338b
Instruction ID: 8d1f1efa4caeebf8af463d0b8adedc54a69c823a14ab16ea2e99365f640ba59b
Opcode Fuzzy Hash: 36227fb7c85d9db2f3beb410aa9d8481be9ac38bd72773aaec5f9646a139338b
Instruction Fuzzy Hash: 7721C1752006109FDB14AFA4EC59F6E7BA8FF05715F14802AF946DB2B1DB30AD02DB54

Function 00C837EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C24750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C24743,?,?,00C237AE,?), ref: 00C24770

Part of subcall function 00C84A31: GetFileAttributesW.KERNEL32(?,00C8370B), ref: 00C84A32

FindFirstFileW.KERNEL32(?,?), ref: 00C838A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00C8394B
MoveFileW.KERNEL32(?,?), ref: 00C8395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00C8397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C8399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00C839B9

Strings

\*.*, xrefs: 00C8384E, 00C83857, 00C8386C

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: d50a8857adf8449e34979d888570071c3af90b4e3f5b1fc10c9722c8d8f10a97
Instruction ID: 92065db902f25bc8d3df3f30f3e2909fb0fac896638be1a008d128cbb45f0500
Opcode Fuzzy Hash: d50a8857adf8449e34979d888570071c3af90b4e3f5b1fc10c9722c8d8f10a97
Instruction Fuzzy Hash: 6C51A03180519DAACF05FBA0E9929EDB779AF11304F600169F41277191EF316F0AEB64

Function 00C8F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00C27DE1: _memmove.LIBCMT ref: 00C27E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00C8F440
Sleep.KERNEL32(0000000A), ref: 00C8F470
_wcscmp.LIBCMT ref: 00C8F484
_wcscmp.LIBCMT ref: 00C8F49F
FindNextFileW.KERNEL32(?,?), ref: 00C8F53D
FindClose.KERNEL32(00000000), ref: 00C8F553

Strings

*.*, xrefs: 00C8F425

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: f213cad76526d391c7d8291bfff29e1a9689a461824304cdb5eda17f6f2d7a47
Instruction ID: 6d2cde5646cfa1eb6a36482fa1d86661f2fc7e68d4ddbb0f900e14df25930d9e
Opcode Fuzzy Hash: f213cad76526d391c7d8291bfff29e1a9689a461824304cdb5eda17f6f2d7a47
Instruction Fuzzy Hash: 1B416C7190021A9BCF14EFA4DC45BEEBBB4FF05318F10456AE825A3190DB309A86DB94

Function 00C35760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C358A5
_memmove.LIBCMT ref: 00C358F5
_memmove.LIBCMT ref: 00C3595B

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 54d5469c9fb43d0a4e806bc2975db9494c892582499c1796596c62db9e3f43b4
Instruction ID: 5059cf672beb16f7af5fc94f047207b110f29c3a5b8367a94c206c51114d7f4a
Opcode Fuzzy Hash: 54d5469c9fb43d0a4e806bc2975db9494c892582499c1796596c62db9e3f43b4
Instruction Fuzzy Hash: B1128B70A00619DFDF04DFA5D981AAEB7F5FF48300F208529E84AE7290EB35AE15DB51

Function 00C83B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C24750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C24743,?,?,00C237AE,?), ref: 00C24770

Part of subcall function 00C84A31: GetFileAttributesW.KERNEL32(?,00C8370B), ref: 00C84A32

FindFirstFileW.KERNEL32(?,?), ref: 00C83B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 00C83BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C83BEA
FindClose.KERNEL32(00000000), ref: 00C83C01
FindClose.KERNEL32(00000000), ref: 00C83C0A

Strings

\*.*, xrefs: 00C83B5B

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 54618c97730d2798ed29da8f80112ad6b7d90031b8715492fecbe6222e7911bb
Instruction ID: 4a40042c80f27a4c6d2db0f634f94adbda6810ceae50d6fa9fa6734319ca8ac8
Opcode Fuzzy Hash: 54618c97730d2798ed29da8f80112ad6b7d90031b8715492fecbe6222e7911bb
Instruction Fuzzy Hash: 6831A0310093959BC300FF64D8919AFB7E8AE92718F400E2DF4E593191EB31DA09D767

Function 00C851BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00C787E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C7882B
Part of subcall function 00C787E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C78858
Part of subcall function 00C787E1: GetLastError.KERNEL32 ref: 00C78865

ExitWindowsEx.USER32(?,00000000), ref: 00C851F9

Strings

SeShutdownPrivilege, xrefs: 00C851C9
@, xrefs: 00C851EC
, xrefs: 00C851E7

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 29ecf8b0c0d72658e1ae4fe4a0c9cd855a13d0b3659278d4613f628a31e464a2
Instruction ID: ee6a8d13c473f9eac86748ecea6ea9cd0e3acd540f0db8d1bb1ed580b110f95a
Opcode Fuzzy Hash: 29ecf8b0c0d72658e1ae4fe4a0c9cd855a13d0b3659278d4613f628a31e464a2
Instruction Fuzzy Hash: 7701F7317916116BEB2C72A89C8AFBA7258AB05748F200429F967E30D2DDE11D018798

Function 00C96283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00C962DC
WSAGetLastError.WSOCK32(00000000), ref: 00C962EB
bind.WSOCK32(00000000,?,00000010), ref: 00C96307
listen.WSOCK32(00000000,00000005), ref: 00C96316
WSAGetLastError.WSOCK32(00000000), ref: 00C96330
closesocket.WSOCK32(00000000,00000000), ref: 00C96344

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 2be53d4a00a3a90a4f07e133814c0c4358e6de5d0707ae1e35d7afb9a9d7a108
Instruction ID: 048bf56d448a56e0aed47fdbf7bd291260fdbb50711741ae258b94a89e6f40c7
Opcode Fuzzy Hash: 2be53d4a00a3a90a4f07e133814c0c4358e6de5d0707ae1e35d7afb9a9d7a108
Instruction Fuzzy Hash: 4721D0316002109FCF10EF64D889B6EB7A9EF49724F148159E866A73E1C770AD01DB51

Function 00C35520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00C40DB6: std::exception::exception.LIBCMT ref: 00C40DEC
Part of subcall function 00C40DB6: __CxxThrowException@8.LIBCMT ref: 00C40E01

_memmove.LIBCMT ref: 00C70258
_memmove.LIBCMT ref: 00C7036D
_memmove.LIBCMT ref: 00C70414

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: ff45838115ca8d8fdf54be5bc3b0b2bd618ace1d0a8f5ba02868cfe1653ab371
Instruction ID: be84cd590d84d037bfbf0959a9c4d5f90d9be059897878f723433f227c3158c1
Opcode Fuzzy Hash: ff45838115ca8d8fdf54be5bc3b0b2bd618ace1d0a8f5ba02868cfe1653ab371
Instruction Fuzzy Hash: C302BEB0A10209DBCF04DF65D982AAEBBB5FF44300F648069E80ADB355EB31DA55DB91

Function 00C21287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00C22612: GetWindowLongW.USER32(?,000000EB), ref: 00C22623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00C219FA
GetSysColor.USER32(0000000F), ref: 00C21A4E
SetBkColor.GDI32(?,00000000), ref: 00C21A61

Part of subcall function 00C21290: DefDlgProcW.USER32(?,00000020,?), ref: 00C212D8

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 66b194991c924f97cc62e2e4091cce083b9ebd174a2338ade4fff55a19fe0f37
Instruction ID: 6130384fb4cb4b1a5e94e7326e3581c70bc38f18a5420c725ce7a44eec391baf
Opcode Fuzzy Hash: 66b194991c924f97cc62e2e4091cce083b9ebd174a2338ade4fff55a19fe0f37
Instruction Fuzzy Hash: 8CA19D711025A4FED738AB2A6C85F7F296CDF62346B1C0109FC12C69D2CE229F41B2B5

Function 00C8BCBC Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C8BCE6
_wcscmp.LIBCMT ref: 00C8BD16
_wcscmp.LIBCMT ref: 00C8BD2B
FindNextFileW.KERNEL32(00000000,?), ref: 00C8BD3C
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00C8BD6C

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 267a3d5837814e5bfb3d808a42cc78836637efc78a487e66ba3bd05f56e98ab0
Instruction ID: 6aa8300472573a216dba409b153f168be9f78d80a61a3a1239a1c887889dbbd4
Opcode Fuzzy Hash: 267a3d5837814e5bfb3d808a42cc78836637efc78a487e66ba3bd05f56e98ab0
Instruction Fuzzy Hash: 9A519D35604602AFC714EF68D490EAAB3E4FF49324F14461EF966873A1DB30ED05DB95

Function 00C96747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C97D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C97DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00C9679E
WSAGetLastError.WSOCK32(00000000), ref: 00C967C7
bind.WSOCK32(00000000,?,00000010), ref: 00C96800
WSAGetLastError.WSOCK32(00000000), ref: 00C9680D
closesocket.WSOCK32(00000000,00000000), ref: 00C96821

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 528c26ca3f1eb12f45b03e5e26344d83c14be79a07772f953bb6d96bde5e963e
Instruction ID: 16ebcc3912e8e2b05cf4c5fcf792f34bdf7990b2aa654774410a2967e9ef60d4
Opcode Fuzzy Hash: 528c26ca3f1eb12f45b03e5e26344d83c14be79a07772f953bb6d96bde5e963e
Instruction Fuzzy Hash: 7741C275A00220AFDB10BF649C86F7E77E8EF09714F44845CF91AAB3D2CA709D01A791

Function 00CA5376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00CA53C5
IsWindowEnabled.USER32 ref: 00CA53D3
GetForegroundWindow.USER32(?,?,00000001), ref: 00CA53E0
IsIconic.USER32 ref: 00CA53EE
IsZoomed.USER32 ref: 00CA53FC

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 7e37e014e92b88787504a336980c485d6de82b1384d962ff0a8734f86f76a206
Instruction ID: 6c24838e22d07b31b2a4579b92e9dcf72229bbdcd43d4f79597965b7465b7668
Opcode Fuzzy Hash: 7e37e014e92b88787504a336980c485d6de82b1384d962ff0a8734f86f76a206
Instruction Fuzzy Hash: 5A11C4317019226FDB215F669C44B6EBB98FF867A9B448428F946D7251CBB0DD0286A0

Function 00C780A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C780C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C780CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C780D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C780E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C780F6

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c8f01ff8c59f355aa19f6095312d9a24e99c2e24ee6cd8cbbe97cde2df3861af
Instruction ID: ea03db68b710e6cd3ed378821ecbf3ece07e1d4ae236ed335832fe799e9e190c
Opcode Fuzzy Hash: c8f01ff8c59f355aa19f6095312d9a24e99c2e24ee6cd8cbbe97cde2df3861af
Instruction Fuzzy Hash: D4F06231241204AFEB100FA5EC8DFAF3BACEF4A759B404029FA49C7150CB719D46EA60

Function 00C8C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C8C432
CoCreateInstance.OLE32(00CB2D6C,00000000,00000001,00CB2BDC,?), ref: 00C8C44A

Part of subcall function 00C27DE1: _memmove.LIBCMT ref: 00C27E22

CoUninitialize.OLE32 ref: 00C8C6B7

Strings

.lnk, xrefs: 00C8C3C6, 00C8C3EE, 00C8C3F8

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: b0714a6fa937d28362183ac78e79e8eb6696f09dedfff727e48718403286a6ba
Instruction ID: 59378db26d81c34d35fe289b8d7d8ac7d6ec4b48e431fca9988d0d0815cc011e
Opcode Fuzzy Hash: b0714a6fa937d28362183ac78e79e8eb6696f09dedfff727e48718403286a6ba
Instruction Fuzzy Hash: A6A14B71104205AFD704EF64D881EAFB7E8FF89358F00492CF5558B1A2EB71EA49CB62

Function 00C24B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00C24AD0), ref: 00C24B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00C24B57

Strings

GetNativeSystemInfo, xrefs: 00C24B51
kernel32.dll, xrefs: 00C24B40

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: e4b8e4016f118a31ca36f31296e755224581d09d59c7dad19705c022826c0a10
Instruction ID: 3c3128935bb3a545e87c3c78c6d4932b9e5276745172d2f1433e0e294c2f5766
Opcode Fuzzy Hash: e4b8e4016f118a31ca36f31296e755224581d09d59c7dad19705c022826c0a10
Instruction Fuzzy Hash: 28D01235A10727CFD7209FB1F858B4A76E4AF06355B11883DD496D6550D670D481CA68

Function 00C33030 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: fa9b590c1100163e27237f952172b183dc0e6bab8a99696fab3ae2d381568498
Instruction ID: d7666e0e06b24cb0a87362a4c1e5bc611092b3d43bf6ccb5deddf1a382373ffe
Opcode Fuzzy Hash: fa9b590c1100163e27237f952172b183dc0e6bab8a99696fab3ae2d381568498
Instruction Fuzzy Hash: 4922A8716183409FC724DF24D881BAEBBE4FF84310F14892DF89A97291DB31EA45DB92

Function 00C9EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00C9EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 00C9EE4B

Part of subcall function 00C27DE1: _memmove.LIBCMT ref: 00C27E22

Process32NextW.KERNEL32(00000000,?), ref: 00C9EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00C9EF1A

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 83a2f74ff23378f2432cb146e284e34725b2de75dfacca1b0d0d0c6e1f4b5175
Instruction ID: 9bcff8954c169df6fdda997fea90c8340a9dcbc435a4076f4a6c4b40937e85b8
Opcode Fuzzy Hash: 83a2f74ff23378f2432cb146e284e34725b2de75dfacca1b0d0d0c6e1f4b5175
Instruction Fuzzy Hash: 39519C71108321AFD720EF20D885E6FB7E8EF94700F40492DF595972A1EB70E909DB92

Function 00C7E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00C7E628

Strings

(, xrefs: 00C7E66E
|, xrefs: 00C7E658

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 6a83f7b85757d63cbd5ec5dd716a6ef7f39b78fa0a5cd89e6ec9c3b77ae32858
Instruction ID: 147140e9ef6d66c950a373f81174327bed7268fa7779a27ed589f93bc111726a
Opcode Fuzzy Hash: 6a83f7b85757d63cbd5ec5dd716a6ef7f39b78fa0a5cd89e6ec9c3b77ae32858
Instruction Fuzzy Hash: 54322775A007059FDB28DF29C48196AB7F1FF48320B15C4AEE9AADB3A1D770E941CB44

Function 00C922EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00C9180A,00000000), ref: 00C923E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00C92418

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 13a46fede04c9bec51263c74c260296602bdf825539f65a9f26784dfb22ccfe8
Instruction ID: 8303a259aa8abd29a5a9f5d5713c450e7c11575d9b01894bd769a45c29b474bb
Opcode Fuzzy Hash: 13a46fede04c9bec51263c74c260296602bdf825539f65a9f26784dfb22ccfe8
Instruction Fuzzy Hash: 0D41D371904209FFEF209E95DC89FBFB7BCFB40724F10406EF691A6151DA749E41AA60

Function 00C8B3FB Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C8B40B
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00C8B465
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00C8B4B2

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: a2451a6535579eded9490f0f849e35a50ef99c307cdfe45c5aa3bd9aca169124
Instruction ID: 5e2183c3a624b577f3469ad895521cc8ee2456f611a7ac1fbe03128233e1711f
Opcode Fuzzy Hash: a2451a6535579eded9490f0f849e35a50ef99c307cdfe45c5aa3bd9aca169124
Instruction Fuzzy Hash: 2C217435A00118DFCB00EF95D881BEDBBB8FF49314F1480A9E905AB351CB319956DB55

Function 00C787E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00C40DB6: std::exception::exception.LIBCMT ref: 00C40DEC
Part of subcall function 00C40DB6: __CxxThrowException@8.LIBCMT ref: 00C40E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C7882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C78858
GetLastError.KERNEL32 ref: 00C78865

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 5d9998539f7ba078107697ced01d8d1e94a14fb0086913100694f3778e011d29
Instruction ID: e97dd2a63a26c664ac17c4c843ba845d3f75e144a2445eba6776b0858c634d02
Opcode Fuzzy Hash: 5d9998539f7ba078107697ced01d8d1e94a14fb0086913100694f3778e011d29
Instruction Fuzzy Hash: EC11BFB2814204AFE718DFA4DC89E2BB7F8FB05314B20C52EF59983241EB70BC058B60

Function 00C7874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00C78774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00C7878B
FreeSid.ADVAPI32(?), ref: 00C7879B

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 85e113e7a4bc97a3f01f0bf28f0b36a143ac88231ccd3f3cd2400ba81029e45d
Instruction ID: cb543c98ad8996be4f25c3e5a5f8e68b5d9ff9d628c2f58b27a76f89362e19f5
Opcode Fuzzy Hash: 85e113e7a4bc97a3f01f0bf28f0b36a143ac88231ccd3f3cd2400ba81029e45d
Instruction Fuzzy Hash: A3F04F7595130CBFDF04DFF4DC89AAEB7BCEF08205F104469A501E3181E7755A048B50

Function 00C8C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C8C6FB
FindClose.KERNEL32(00000000), ref: 00C8C72B

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 716b84c412c51f3e519209e3aff1d742bf727cc3badfb3b1d4d7f285a27a2472
Instruction ID: 9148d49785cbe3fa22634a576635bd75e2dac156c9cb8196d1926cfa51f6c3a7
Opcode Fuzzy Hash: 716b84c412c51f3e519209e3aff1d742bf727cc3badfb3b1d4d7f285a27a2472
Instruction Fuzzy Hash: F9118E726006009FDB10EF29D885A2AF7E8EF85324F04851DF9A9872A0DB30AC01DB91

Function 00C8A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00C99468,?,00CAFB84,?), ref: 00C8A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00C99468,?,00CAFB84,?), ref: 00C8A0A9

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: ff497590ce563a31a31be4630ab7e6f8cec70cead17808d79229d1ac4040e9b9
Instruction ID: d0f4d391157bb65ee7028185128541c3d0ad01f243515582da3f90fdf756acfa
Opcode Fuzzy Hash: ff497590ce563a31a31be4630ab7e6f8cec70cead17808d79229d1ac4040e9b9
Instruction Fuzzy Hash: 26F0823510522DABDB21AFA4DC48FEE776CBF09362F00426AF919D7191D770AA44CBA1

Function 00C781CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C78309), ref: 00C781E0
CloseHandle.KERNEL32(?,?,00C78309), ref: 00C781F2

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: dd97d371d974b70e71998df11d677ccc0cdb6839a20dbd439be6aeec1e7a514e
Instruction ID: f226f6e2b011696d00c94306fd625fdbbd40d98be115d18ed671f2804f9672c1
Opcode Fuzzy Hash: dd97d371d974b70e71998df11d677ccc0cdb6839a20dbd439be6aeec1e7a514e
Instruction Fuzzy Hash: 98E0E675011510AFE7252B61EC09E7777EDFF04315724892DF5A585470DB715CA1DB10

Function 00C4A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00C48D57,?,?,?,00000001), ref: 00C4A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00C4A163

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5eb7b0a60ce4fc28f2875a96dbb31379cccf7592c09c232226e7918044425d26
Instruction ID: 4e53ea655d0227f3e52aaf8b81d5d77004409a4d8e6c9e57cb63653d64a50a9d
Opcode Fuzzy Hash: 5eb7b0a60ce4fc28f2875a96dbb31379cccf7592c09c232226e7918044425d26
Instruction Fuzzy Hash: D1B09231055208ABCF002BD1EC59B8C3F68EB46AAAF404024F60D86070CBB254528A91

Function 00C4F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2f4ab5f0fdcce883bf6cb04a5e74f2ef05149d992bae3cee1d7013ef2951645
Instruction ID: 7719c46af42e92db4834220df85e71d66c7046bc5915ea8631ff584199aabdac
Opcode Fuzzy Hash: d2f4ab5f0fdcce883bf6cb04a5e74f2ef05149d992bae3cee1d7013ef2951645
Instruction Fuzzy Hash: 4232F331D29F414EDB239634D87233AA249AFB73D4F15D73BE829B5DA6EB28C5834100

Function 00C5242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7d1c36ce49db769d8528405afb425ceb078f1c6f5abd5fff5ccd86964d941bc
Instruction ID: a199641fd202f503a83cf52ac687fbd6434f4c97ca3e39f6a6d28b0f16f8c6d0
Opcode Fuzzy Hash: a7d1c36ce49db769d8528405afb425ceb078f1c6f5abd5fff5ccd86964d941bc
Instruction Fuzzy Hash: 80B10031E2AF404DD7239639883133ABA9CAFBB2D5F51E71BFC6674D22EB2185834141

Function 00C88889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00C8889B

Part of subcall function 00C4520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00C88F6E,00000000,?,?,?,?,00C8911F,00000000,?), ref: 00C45213
Part of subcall function 00C4520A: __aulldiv.LIBCMT ref: 00C45233

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 9b137779aa7b8ebe8c3ce2a1b47eacb755b290a8a331a64f8d45cad189f8a3d3
Instruction ID: db506b4bfc3fc6c832d3c77fe0d2e89e283096105154e23321cf60297f230e46
Opcode Fuzzy Hash: 9b137779aa7b8ebe8c3ce2a1b47eacb755b290a8a331a64f8d45cad189f8a3d3
Instruction Fuzzy Hash: 3121B1726356508BC729CF29D881B56B3E1EFA5321B688E6CD1F5CF2C0CA74B909CB54

Function 00C84C53 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00C84C76

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 832c149f4b0b80d64bc569be6c685c7b34e684c121357ba8ea4083e73ca3dfdb
Instruction ID: 886fb5c7c10f9f73c33788eba06146eb64ca992beb997e2591f65cb996a63eb6
Opcode Fuzzy Hash: 832c149f4b0b80d64bc569be6c685c7b34e684c121357ba8ea4083e73ca3dfdb
Instruction Fuzzy Hash: 89D05EA012260B39EC2C2B608D8BF7A110DE38078DF84814E7251850C0E8E85D00A23C

Function 00C787B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00C78389), ref: 00C787D1

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 4ee6e3149753b9b78f78bcc46bc7805d201d4239552a996a3fe81e85d038e07d
Instruction ID: 9f353ecb36a79f4127ce251b1641cc1b252dda701583e4f55384ed5d9abb5e02
Opcode Fuzzy Hash: 4ee6e3149753b9b78f78bcc46bc7805d201d4239552a996a3fe81e85d038e07d
Instruction Fuzzy Hash: 7ED05E322A050EABEF018EA4DC01EAE3B69EB04B01F408111FE15C60A1C775D835AB60

Function 00C4A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00C4A12A

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b2bb3a47191434f22a200cc348037cc9ec2fa58b4dfd278eda713314872ef49e
Instruction ID: 70ca8e2b0b051b0975c6d36cc52265962e8e6f8a730e52bea7e507c43922f765
Opcode Fuzzy Hash: b2bb3a47191434f22a200cc348037cc9ec2fa58b4dfd278eda713314872ef49e
Instruction Fuzzy Hash: 94A0123000010CA78F001BC1EC045487F5CD6011947004020F40C41031873254114580

Function 00C38808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d66ad9a4ee85723944e676da3bce39ba76b95d4315528112792cebffaf1f9ae
Instruction ID: a424cadb9fd2f19b21a765c772f7b0294f52711fe94e1e7f7a25732085c69ea6
Opcode Fuzzy Hash: 2d66ad9a4ee85723944e676da3bce39ba76b95d4315528112792cebffaf1f9ae
Instruction Fuzzy Hash: 40223930A14706CBDF388A25C49477CB7A1FF01344F68C46BF56A8B592DBB09E99DB41

Function 00C421C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 2c17a264b0582448e38817d788177d58c69cf6874cd4819d94debaff5dcf335f
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 51C186722051930ADF2E463A847513EFAA17EA27B135E176DE8F3CB1D4EE10CA65D620

Function 00C425FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 376810d1d4757f239673f4643cd78eb34d3a80a51039da39fc84a3f06e761fb8
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 79C173732051930ADF2E463AC43513EBAA17EA27F135E076DE8F2DB1D5EE10CA65D620

Function 00C41978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 797cf0001ba2475ed8eefa3868e6dd95baf4001c6c8f594b380ee42a7f4c50b9
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: B7C165726451930ADF2E463AC47413EBBA16EA27B131E176DDCF3CB1D4EE10CAA5D620

Function 00C97806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00C9785B
DeleteObject.GDI32(00000000), ref: 00C9786D
DestroyWindow.USER32 ref: 00C9787B
GetDesktopWindow.USER32 ref: 00C97895
GetWindowRect.USER32(00000000), ref: 00C9789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00C979DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00C979ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C97A35
GetClientRect.USER32(00000000,?), ref: 00C97A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00C97A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C97A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C97AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C97ABB
GlobalLock.KERNEL32(00000000), ref: 00C97AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C97AD3
GlobalUnlock.KERNEL32(00000000), ref: 00C97ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C97AE3
GlobalFree.KERNEL32(00000000), ref: 00C97AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C97B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00CB2CAC,00000000), ref: 00C97B16
GlobalFree.KERNEL32(00000000), ref: 00C97B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00C97B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00C97B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C97B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C97D7A

Strings

, xrefs: 00C97D00
DISPLAY, xrefs: 00C97BDD
static, xrefs: 00C97A75, 00C97BCC
AutoIt v3, xrefs: 00C97A2D

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: b58892f790d85160e76e3621d2d2dd19dacdc511aed0f9fd9d83581b4bef1db9
Instruction ID: e63ca295eb2c201705d452e2232299798bb3a07f010fb02c962861dcf872ed62
Opcode Fuzzy Hash: b58892f790d85160e76e3621d2d2dd19dacdc511aed0f9fd9d83581b4bef1db9
Instruction Fuzzy Hash: A6025971911115AFDF14DFA4DC89FAE7BB9EF49314F148268F915AB2A1CB30AD02CB60

Function 00CA356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00CAF910), ref: 00CA3627
IsWindowVisible.USER32(?), ref: 00CA364B

Strings

GETLINECOUNT, xrefs: 00CA38C6
UNCHECK, xrefs: 00CA3883
GETCURRENTLINE, xrefs: 00CA38ED
CHECK, xrefs: 00CA386D
EDITPASTE, xrefs: 00CA395F
FINDSTRING, xrefs: 00CA3776
SETCURRENTSELECTION, xrefs: 00CA37B6
ISENABLED, xrefs: 00CA366B
SELECTSTRING, xrefs: 00CA3806
GETCURRENTSELECTION, xrefs: 00CA37E3
DELSTRING, xrefs: 00CA3749
HIDEDROPDOWN, xrefs: 00CA3700
ISVISIBLE, xrefs: 00CA3637
SENDCOMMANDID, xrefs: 00CA39DA
TABLEFT, xrefs: 00CA3687
TABRIGHT, xrefs: 00CA369D
ISCHECKED, xrefs: 00CA3839
GETLINE, xrefs: 00CA399B
ADDSTRING, xrefs: 00CA3716
SHOWDROPDOWN, xrefs: 00CA36E0
GETSELECTED, xrefs: 00CA38A3
CURRENTTAB, xrefs: 00CA36BD
GETCURRENTCOL, xrefs: 00CA3928

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 8b3e09a9c87721103ea028ce9cfc3e56388c46cdef01c30a34547f5d2005c8cb
Instruction ID: 03f8d1973c250f33c2371817f02514a35d21f50151a654d69457c55e0c2a819e
Opcode Fuzzy Hash: 8b3e09a9c87721103ea028ce9cfc3e56388c46cdef01c30a34547f5d2005c8cb
Instruction Fuzzy Hash: 2DD1B3742443529FCB04EF10C465A6E77E1EF96348F144469F99A5B3E2CB31EE0AEB81

Function 00CAA5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00CAA630
GetSysColorBrush.USER32(0000000F), ref: 00CAA661
GetSysColor.USER32(0000000F), ref: 00CAA66D
SetBkColor.GDI32(?,000000FF), ref: 00CAA687
SelectObject.GDI32(?,00000000), ref: 00CAA696
InflateRect.USER32(?,000000FF,000000FF), ref: 00CAA6C1
GetSysColor.USER32(00000010), ref: 00CAA6C9
CreateSolidBrush.GDI32(00000000), ref: 00CAA6D0
FrameRect.USER32(?,?,00000000), ref: 00CAA6DF
DeleteObject.GDI32(00000000), ref: 00CAA6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 00CAA731
FillRect.USER32(?,?,00000000), ref: 00CAA763
GetWindowLongW.USER32(?,000000F0), ref: 00CAA78E

Part of subcall function 00CAA8CA: GetSysColor.USER32(00000012), ref: 00CAA903
Part of subcall function 00CAA8CA: SetTextColor.GDI32(?,?), ref: 00CAA907
Part of subcall function 00CAA8CA: GetSysColorBrush.USER32(0000000F), ref: 00CAA91D
Part of subcall function 00CAA8CA: GetSysColor.USER32(0000000F), ref: 00CAA928
Part of subcall function 00CAA8CA: GetSysColor.USER32(00000011), ref: 00CAA945
Part of subcall function 00CAA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CAA953
Part of subcall function 00CAA8CA: SelectObject.GDI32(?,00000000), ref: 00CAA964
Part of subcall function 00CAA8CA: SetBkColor.GDI32(?,00000000), ref: 00CAA96D
Part of subcall function 00CAA8CA: SelectObject.GDI32(?,?), ref: 00CAA97A
Part of subcall function 00CAA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00CAA999
Part of subcall function 00CAA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CAA9B0
Part of subcall function 00CAA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00CAA9C5
Part of subcall function 00CAA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CAA9ED

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 295161d1ef2bc60cb320a3c947c77d9393fb1136f58bb2e1b9dfb2e832c767a2
Instruction ID: bf3ad610c94f83993f0878462ebc149ebdb340081011621b2960191b7f744f5b
Opcode Fuzzy Hash: 295161d1ef2bc60cb320a3c947c77d9393fb1136f58bb2e1b9dfb2e832c767a2
Instruction Fuzzy Hash: 58915C72408305AFC7109FA4DC08B5F7BA9FB8A329F144B2DF9A2971A0D771D946CB52

Function 00C974AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00C974DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00C9759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00C975DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00C975ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00C97633
GetClientRect.USER32(00000000,?), ref: 00C9763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00C97683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C97692
GetStockObject.GDI32(00000011), ref: 00C976A2
SelectObject.GDI32(00000000,00000000), ref: 00C976A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00C976B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C976BF
DeleteDC.GDI32(00000000), ref: 00C976C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00C976F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 00C9770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00C97746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00C9775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 00C9776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00C9779B
GetStockObject.GDI32(00000011), ref: 00C977A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00C977B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00C977BB

Strings

DISPLAY, xrefs: 00C97688
static, xrefs: 00C9767D, 00C97795
AutoIt v3, xrefs: 00C9762B
msctls_progress32, xrefs: 00C9773C

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 712dc8596e443187f0f6db32f0c0db6a3af78d80a64d23654e3af1889e3cf8cb
Instruction ID: 3d3fa40cd5aee454c8fe1acf9a051a4956b3284424213e4251b6d178f6ff07b9
Opcode Fuzzy Hash: 712dc8596e443187f0f6db32f0c0db6a3af78d80a64d23654e3af1889e3cf8cb
Instruction Fuzzy Hash: 55A160B1A40615BFEB14DBA4DC4AFAE7BB9EB05714F004218FA15AB2E0D770AD01CB64

Function 00C8AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C8AD1E
GetDriveTypeW.KERNEL32(?,00CAFAC0,?,\\.\,00CAF910), ref: 00C8ADFB
SetErrorMode.KERNEL32(00000000,00CAFAC0,?,\\.\,00CAF910), ref: 00C8AF59

Strings

\\.\, xrefs: 00C8AD70
SCSI, xrefs: 00C8AEC6
RAMDisk, xrefs: 00C8AE25
Virtual, xrefs: 00C8AF21
FileBackedVirtual, xrefs: 00C8AF28
ATAPI, xrefs: 00C8AECD
Fibre, xrefs: 00C8AEE9
ATA, xrefs: 00C8AED4
USB, xrefs: 00C8AEF0
RAID, xrefs: 00C8AEF7
SSA, xrefs: 00C8AEE2
MMC, xrefs: 00C8AF1A
CDROM, xrefs: 00C8AE2F
SATA, xrefs: 00C8AF0C
SSD, xrefs: 00C8AE86
Unknown, xrefs: 00C8AE1B, 00C8AEBF
Fixed, xrefs: 00C8AE43
Removable, xrefs: 00C8AE4D
Network, xrefs: 00C8AE39
PhysicalDrive, xrefs: 00C8ADA7
SAS, xrefs: 00C8AF05
1394, xrefs: 00C8AEDB
iSCSI, xrefs: 00C8AEFE

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: ec10be638c596d782ce561cdba8ae1b1e36a94f209715cb625dfe33296ff3f60
Instruction ID: ff27622873e30ed55f8712e48251c36abc619a713f25cec4bec61be48412e5be
Opcode Fuzzy Hash: ec10be638c596d782ce561cdba8ae1b1e36a94f209715cb625dfe33296ff3f60
Instruction Fuzzy Hash: F051C6B0644205EBDB10FB91CD82DBD73A0EB09708B20446BF617A7390DA719E46FB5B

Function 00C268DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00C26931
__wcsnicmp.LIBCMT ref: 00C26949
__wcsnicmp.LIBCMT ref: 00C26961
__wcsnicmp.LIBCMT ref: 00C26979
__wcsnicmp.LIBCMT ref: 00C26991
__wcsnicmp.LIBCMT ref: 00C269A9
__wcsnicmp.LIBCMT ref: 00C269C1
__wcsnicmp.LIBCMT ref: 00C269D5
__wcsnicmp.LIBCMT ref: 00C26A16
__wcsnicmp.LIBCMT ref: 00C26A2A
__wcsnicmp.LIBCMT ref: 00C26A3E
__wcsnicmp.LIBCMT ref: 00C26A52

Strings

#ce, xrefs: 00C26A4C
#comments-end, xrefs: 00C26A38
#cs, xrefs: 00C269CF, 00C26A24
#notrayicon, xrefs: 00C26943
#requireadmin, xrefs: 00C2695B
#pragma compile, xrefs: 00C2692B
#include-once, xrefs: 00C2698B
#include, xrefs: 00C269A3
Unterminated group of comments, xrefs: 00C5E403
#comments-start, xrefs: 00C269BB, 00C26A10
Cannot parse #include, xrefs: 00C5E3F0
Bad directive syntax error, xrefs: 00C5E31A
#OnAutoItStartRegister, xrefs: 00C26973

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 2865ec66423eed0eb075e1dd3a0d4f9fe202823831d08f89e0ae83f8e5c547d8
Instruction ID: fbb326cb0c738871ccd26998df3fca71d53b61140ecb999a7b99260763d05928
Opcode Fuzzy Hash: 2865ec66423eed0eb075e1dd3a0d4f9fe202823831d08f89e0ae83f8e5c547d8
Instruction Fuzzy Hash: 7D8125B1640225ABCB25BA61FC82FAF7768AF05700F044025FD45AA592EF71DF85E2B4

Function 00CA9A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00CA9AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00CA9B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 00CA9BA7

Strings

0, xrefs: 00CA9BE4

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 28a880a23310c7fdfaab902ae03784765604a09b914f962da0f43c66d5a036d9
Instruction ID: 5a2acf4395ac292f336f5eee1a8c9953450bb323a487566fd093626951575b14
Opcode Fuzzy Hash: 28a880a23310c7fdfaab902ae03784765604a09b914f962da0f43c66d5a036d9
Instruction Fuzzy Hash: 3D02C030104202AFDB25CF14CC8ABAABBE5FF86318F04852DF9A5D62A1C734DA45DB52

Function 00CAA8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00CAA903
SetTextColor.GDI32(?,?), ref: 00CAA907
GetSysColorBrush.USER32(0000000F), ref: 00CAA91D
GetSysColor.USER32(0000000F), ref: 00CAA928
CreateSolidBrush.GDI32(?), ref: 00CAA92D
GetSysColor.USER32(00000011), ref: 00CAA945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CAA953
SelectObject.GDI32(?,00000000), ref: 00CAA964
SetBkColor.GDI32(?,00000000), ref: 00CAA96D
SelectObject.GDI32(?,?), ref: 00CAA97A
InflateRect.USER32(?,000000FF,000000FF), ref: 00CAA999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CAA9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00CAA9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CAA9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00CAAA14
InflateRect.USER32(?,000000FD,000000FD), ref: 00CAAA32
DrawFocusRect.USER32(?,?), ref: 00CAAA3D
GetSysColor.USER32(00000011), ref: 00CAAA4B
SetTextColor.GDI32(?,00000000), ref: 00CAAA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00CAAA67
SelectObject.GDI32(?,00CAA5FA), ref: 00CAAA7E
DeleteObject.GDI32(?), ref: 00CAAA89
SelectObject.GDI32(?,?), ref: 00CAAA8F
DeleteObject.GDI32(?), ref: 00CAAA94
SetTextColor.GDI32(?,?), ref: 00CAAA9A
SetBkColor.GDI32(?,?), ref: 00CAAAA4

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 50b77c028a9aa1e68307093118f722f59368cf409a31a02610f66656c969dbe7
Instruction ID: 59c2ea7963160cec2d3b17b86b51cc8dc2060e5fd948b08bbbbcdee0df78d884
Opcode Fuzzy Hash: 50b77c028a9aa1e68307093118f722f59368cf409a31a02610f66656c969dbe7
Instruction Fuzzy Hash: F3513E71900209FFDB119FA4DC48FAE7BB9EF09324F114229FA11AB2A1D7719A41DF90

Function 00CA89D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00CA8AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CA8AD2
CharNextW.USER32(0000014E), ref: 00CA8B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00CA8B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00CA8B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CA8B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00CA8B86
SetWindowTextW.USER32(?,0000014E), ref: 00CA8BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00CA8BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00CA8C1F
_memset.LIBCMT ref: 00CA8C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00CA8C8D
_memset.LIBCMT ref: 00CA8CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00CA8D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00CA8D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00CA8E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00CA8E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00CA8E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00CA8EB4
DrawMenuBar.USER32(?), ref: 00CA8EC3
SetWindowTextW.USER32(?,0000014E), ref: 00CA8EEB

Strings

0, xrefs: 00CA8E55

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 772eb719a84c4415fedcd5e42fed545004f18795f759d9158469cffb21f146be
Instruction ID: c211b02a78edc1f185e2f693a1d62ef00d1be9c9bbb378678c6a565e7215f3c6
Opcode Fuzzy Hash: 772eb719a84c4415fedcd5e42fed545004f18795f759d9158469cffb21f146be
Instruction Fuzzy Hash: 25E1617490021AAFDB209F91CC84FEE7B79FF06718F14815AF925AB190DB748A85DF60

Function 00CA488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00CA49CA
GetDesktopWindow.USER32 ref: 00CA49DF
GetWindowRect.USER32(00000000), ref: 00CA49E6
GetWindowLongW.USER32(?,000000F0), ref: 00CA4A48
DestroyWindow.USER32(?), ref: 00CA4A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00CA4A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CA4ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00CA4AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00CA4AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00CA4B09
IsWindowVisible.USER32(?), ref: 00CA4B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00CA4B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00CA4B58
GetWindowRect.USER32(?,?), ref: 00CA4B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00CA4B96
GetMonitorInfoW.USER32(00000000,?), ref: 00CA4BB0
CopyRect.USER32(?,?), ref: 00CA4BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00CA4C32

Strings

0, xrefs: 00CA4975
(, xrefs: 00CA4BA3
tooltips_class32, xrefs: 00CA4A96

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: df8166bbf5d93b45671221fcfd64cc3ab753e971c344825806c585ccc9d1b42a
Instruction ID: 6648c76488eff87114725c2a53252e2ca70200819de43cb240f7ebd6220f9f41
Opcode Fuzzy Hash: df8166bbf5d93b45671221fcfd64cc3ab753e971c344825806c585ccc9d1b42a
Instruction Fuzzy Hash: 5DB19A70604351AFDB08DF64D848B6ABBE4FF8A318F00891CF5999B2A1D7B0ED05DB95

Function 00C8449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00C844AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00C844D2
_wcscpy.LIBCMT ref: 00C84500
_wcscmp.LIBCMT ref: 00C8450B
_wcscat.LIBCMT ref: 00C84521
_wcsstr.LIBCMT ref: 00C8452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00C84548
_wcscat.LIBCMT ref: 00C84591
_wcscat.LIBCMT ref: 00C84598
_wcsncpy.LIBCMT ref: 00C845C3

Strings

DefaultLangCodepage, xrefs: 00C845AB
StringFileInfo\, xrefs: 00C8451B
%u.%u.%u.%u, xrefs: 00C84626
\VarFileInfo\Translation, xrefs: 00C84540
04090000, xrefs: 00C8457E

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: b0d44130d6bfedf4afaf5b98cb7dc2e7e4c022a298a130826c4e502b35a63b98
Instruction ID: c4e8b7c5fe10ddfc267756bbc94588bc5ef92cc7bf574bbcaee34a85be198645
Opcode Fuzzy Hash: b0d44130d6bfedf4afaf5b98cb7dc2e7e4c022a298a130826c4e502b35a63b98
Instruction Fuzzy Hash: 2C41F771A402017BDB14FBB58C47FBF776CEF42714F14046AFA05E6182EB349A02A7A9

Function 00C227D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C228BC
GetSystemMetrics.USER32(00000007), ref: 00C228C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C228EF
GetSystemMetrics.USER32(00000008), ref: 00C228F7
GetSystemMetrics.USER32(00000004), ref: 00C2291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00C22939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00C22949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00C2297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00C22990
GetClientRect.USER32(00000000,000000FF), ref: 00C229AE
GetStockObject.GDI32(00000011), ref: 00C229CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00C229D5

Part of subcall function 00C22344: GetCursorPos.USER32(?), ref: 00C22357
Part of subcall function 00C22344: ScreenToClient.USER32(00CE57B0,?), ref: 00C22374
Part of subcall function 00C22344: GetAsyncKeyState.USER32(00000001), ref: 00C22399
Part of subcall function 00C22344: GetAsyncKeyState.USER32(00000002), ref: 00C223A7

SetTimer.USER32(00000000,00000000,00000028,00C21256), ref: 00C229FC

Strings

AutoIt v3 GUI, xrefs: 00C22974

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: dd47bbe3b97e51d6bbe6e7f2a3158268f6a16773576e0a9d7e75dc95a3208675
Instruction ID: 2bf68da3e3d87ba84e6a8334d8d3437a3bf1276dbcf06551f8506d61b5396fef
Opcode Fuzzy Hash: dd47bbe3b97e51d6bbe6e7f2a3158268f6a16773576e0a9d7e75dc95a3208675
Instruction Fuzzy Hash: 94B18D75A0021AEFDB24DFA8DC85BAE7BB4FB08315F104229FA15AB2D0DB74D951CB50

Function 00CA3DE2 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00CA3E6F
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00CA3F2F

Strings

DESELECT, xrefs: 00CA401D
SELECT, xrefs: 00CA3FC9
SELECTALL, xrefs: 00CA3F96
GETSUBITEMCOUNT, xrefs: 00CA3EBA
FINDITEM, xrefs: 00CA40A2
GETSELECTEDCOUNT, xrefs: 00CA3F12
VIEWCHANGE, xrefs: 00CA40EE
SELECTINVERT, xrefs: 00CA3FFF
SELECTCLEAR, xrefs: 00CA3FAE
GETITEMCOUNT, xrefs: 00CA3EA1
GETSELECTED, xrefs: 00CA405D
GETTEXT, xrefs: 00CA3ED8
ISSELECTED, xrefs: 00CA3F3A

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 18fe7e2a3ab0a36cdc3d11f95005087d9813b2c6e6a1c0cdce53832091b884fc
Instruction ID: 6aabde4db0633f6f54c04d5a71fd6e2d030120fb899a7e5772dc07780c826711
Opcode Fuzzy Hash: 18fe7e2a3ab0a36cdc3d11f95005087d9813b2c6e6a1c0cdce53832091b884fc
Instruction Fuzzy Hash: A3A181702143429FCB18EF10D861A6AB3A5FF86318F14886DF9665B7D2CB70ED05EB41

Function 00C7A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00C7A47A
__swprintf.LIBCMT ref: 00C7A51B
_wcscmp.LIBCMT ref: 00C7A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00C7A583
_wcscmp.LIBCMT ref: 00C7A5BF
GetClassNameW.USER32(?,?,00000400), ref: 00C7A5F6
GetDlgCtrlID.USER32(?), ref: 00C7A648
GetWindowRect.USER32(?,?), ref: 00C7A67E
GetParent.USER32(?), ref: 00C7A69C
ScreenToClient.USER32(00000000), ref: 00C7A6A3
GetClassNameW.USER32(?,?,00000100), ref: 00C7A71D
_wcscmp.LIBCMT ref: 00C7A731
GetWindowTextW.USER32(?,?,00000400), ref: 00C7A757
_wcscmp.LIBCMT ref: 00C7A76B

Part of subcall function 00C4362C: _iswctype.LIBCMT ref: 00C43634

Strings

%s%u, xrefs: 00C7A515

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: d9be8ad27e41974fb67cff63ca7dc4f15b0543e7f04293d21c8ae4d6cd922d1a
Instruction ID: 528d3956d9f6df822eb0d8fa3b94428c347f1e07ba558710db6219fa721f7b69
Opcode Fuzzy Hash: d9be8ad27e41974fb67cff63ca7dc4f15b0543e7f04293d21c8ae4d6cd922d1a
Instruction Fuzzy Hash: FBA1B271204606BFD719DF64C884BAEB7E8FF84315F048629F9ADD2150DB30EA56CB92

Function 00C7AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00C7AF18
_wcscmp.LIBCMT ref: 00C7AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 00C7AF51
CharUpperBuffW.USER32(?,00000000), ref: 00C7AF6E
_wcscmp.LIBCMT ref: 00C7AF8C
_wcsstr.LIBCMT ref: 00C7AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00C7AFD5
_wcscmp.LIBCMT ref: 00C7AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 00C7B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 00C7B055
_wcscmp.LIBCMT ref: 00C7B065
GetClassNameW.USER32(00000010,?,00000400), ref: 00C7B08D
GetWindowRect.USER32(00000004,?), ref: 00C7B0F6

Strings

ThumbnailClass, xrefs: 00C7AFE0, 00C7B060
@, xrefs: 00C7AEF9

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: b18c24172ffb661b1d4e7055063af654d41f905dfa207bd1ff9e2696169c744e
Instruction ID: f216b803f9a7318170dce5db3fe23b1c5a3ef1b231c1d5459e57bf8f6e3da65e
Opcode Fuzzy Hash: b18c24172ffb661b1d4e7055063af654d41f905dfa207bd1ff9e2696169c744e
Instruction Fuzzy Hash: 7581AF711082059BDB05DF60C885FAE7BE8FF84314F04C56AFDA98A095DB34DE46CBA1

Function 00C7ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00C7AC33

Strings

REGEXP=, xrefs: 00C7AC48
[HANDLE:, xrefs: 00C7AC3F
[CLASS:, xrefs: 00C7AC83
LAST, xrefs: 00C7ABF8
CLASSNAME=, xrefs: 00C7AC70
[LAST, xrefs: 00C7ACE0
[ALL, xrefs: 00C7ACD9
HANDLE=, xrefs: 00C7AC2C
[REGEXPTITLE:, xrefs: 00C7AC5B
ALL, xrefs: 00C7ACC7
ACTIVE, xrefs: 00C7AC0E
[ACTIVE, xrefs: 00C7AC20

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 75502fcd2c2126f7d22e25a6609202717fe3af43079a5f21865b5e385685a3dd
Instruction ID: 1dfea11200b3dfe4222b8921f27e253a88564f49bd048b2e77d481a9762575fc
Opcode Fuzzy Hash: 75502fcd2c2126f7d22e25a6609202717fe3af43079a5f21865b5e385685a3dd
Instruction Fuzzy Hash: 9231E330948219BBDB10FA60EE43EAE7764AF10710F60422AF519715D1FF726F04E652

Function 00C94FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00C95013
LoadCursorW.USER32(00000000,00007F00), ref: 00C9501E
LoadCursorW.USER32(00000000,00007F03), ref: 00C95029
LoadCursorW.USER32(00000000,00007F8B), ref: 00C95034
LoadCursorW.USER32(00000000,00007F01), ref: 00C9503F
LoadCursorW.USER32(00000000,00007F81), ref: 00C9504A
LoadCursorW.USER32(00000000,00007F88), ref: 00C95055
LoadCursorW.USER32(00000000,00007F80), ref: 00C95060
LoadCursorW.USER32(00000000,00007F86), ref: 00C9506B
LoadCursorW.USER32(00000000,00007F83), ref: 00C95076
LoadCursorW.USER32(00000000,00007F85), ref: 00C95081
LoadCursorW.USER32(00000000,00007F82), ref: 00C9508C
LoadCursorW.USER32(00000000,00007F84), ref: 00C95097
LoadCursorW.USER32(00000000,00007F04), ref: 00C950A2
LoadCursorW.USER32(00000000,00007F02), ref: 00C950AD
LoadCursorW.USER32(00000000,00007F89), ref: 00C950B8
GetCursorInfo.USER32(?), ref: 00C950C8

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 924ecedbf4e44b67622e55abc6a02b976371a4f7fea53482f507c61ec609c109
Instruction ID: d7c41b0e03012a4637b7f023a66e7982ddb4cdd18c5bb3fc182224f7dcbcdc56
Opcode Fuzzy Hash: 924ecedbf4e44b67622e55abc6a02b976371a4f7fea53482f507c61ec609c109
Instruction Fuzzy Hash: 743103B1E483196ADF109FB68C8996FBFE8FF04750F50452AE51DE7280DA78A5008FA1

Function 00CAA1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CAA259
DestroyWindow.USER32(?,?), ref: 00CAA2D3

Part of subcall function 00C27BCC: _memmove.LIBCMT ref: 00C27C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00CAA34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00CAA36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CAA382
DestroyWindow.USER32(00000000), ref: 00CAA3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00C20000,00000000), ref: 00CAA3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CAA3F4
GetDesktopWindow.USER32 ref: 00CAA40D
GetWindowRect.USER32(00000000), ref: 00CAA414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00CAA42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00CAA444

Part of subcall function 00C225DB: GetWindowLongW.USER32(?,000000EB), ref: 00C225EC

Strings

tooltips_class32, xrefs: 00CAA346, 00CAA3D4
0, xrefs: 00CAA26F

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 078951722c819d775624d9ce114a254fd8c21755745343f8e9a74a12e41d94b2
Instruction ID: c553560e2dd9ddbd64c9071ddc339af1c9974769aac3f62a52917d7e0c1a6c3e
Opcode Fuzzy Hash: 078951722c819d775624d9ce114a254fd8c21755745343f8e9a74a12e41d94b2
Instruction Fuzzy Hash: B871BF71140346AFDB21DF68CC49F6A7BE5FB8A308F04452DF9958B2A1D770EA02DB52

Function 00CAC5FE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C22612: GetWindowLongW.USER32(?,000000EB), ref: 00C22623

DragQueryPoint.SHELL32(?,?), ref: 00CAC627

Part of subcall function 00CAAB37: ClientToScreen.USER32(?,?), ref: 00CAAB60
Part of subcall function 00CAAB37: GetWindowRect.USER32(?,?), ref: 00CAABD6
Part of subcall function 00CAAB37: PtInRect.USER32(?,?,00CAC014), ref: 00CAABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 00CAC690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00CAC69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00CAC6BE
_wcscat.LIBCMT ref: 00CAC6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00CAC705
SendMessageW.USER32(?,000000B0,?,?), ref: 00CAC71E
SendMessageW.USER32(?,000000B1,?,?), ref: 00CAC735
SendMessageW.USER32(?,000000B1,?,?), ref: 00CAC757
DragFinish.SHELL32(?), ref: 00CAC75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00CAC851

Strings

@GUI_DRAGID, xrefs: 00CAC7C9
@GUI_DRAGFILE, xrefs: 00CAC800
@GUI_DROPID, xrefs: 00CAC77E

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 29396247adfe5cbe6493b4c24e419d4d85cff7b7b04a0b7cf289566521f469b9
Instruction ID: 6919a8a9f57fc0ced0a78ebd92c115260aaf1b84664b30372b7111f5ca9ffa7c
Opcode Fuzzy Hash: 29396247adfe5cbe6493b4c24e419d4d85cff7b7b04a0b7cf289566521f469b9
Instruction Fuzzy Hash: 32615A71108305AFC701EFA4D885E9FBBE8EF89714F00092EF595971A1DB709A49DB92

Function 00CA4392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00CA4424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CA446F

Strings

SELECT, xrefs: 00CA4620
UNCHECK, xrefs: 00CA464B
COLLAPSE, xrefs: 00CA44B5
GETTOTALCOUNT, xrefs: 00CA4456
CHECK, xrefs: 00CA448F
EXISTS, xrefs: 00CA44D8
GETITEMCOUNT, xrefs: 00CA4551
ISCHECKED, xrefs: 00CA45F2
GETSELECTED, xrefs: 00CA457F
GETTEXT, xrefs: 00CA45C2
EXPAND, xrefs: 00CA4521

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: e926c66ef0118969c9ce2dee9b4ba96432c4970bb41944c124ba28f6ca238a6a
Instruction ID: 9321ea3c7fa37a99bca6a03df973a19983190e043e95ea8e4f52edbb77e18b91
Opcode Fuzzy Hash: e926c66ef0118969c9ce2dee9b4ba96432c4970bb41944c124ba28f6ca238a6a
Instruction Fuzzy Hash: 1D91A0742043129FCB08EF10C451A6EB7E1EF96354F14886CF8965B7A2CB70ED0AEB81

Function 00CAB7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00CAB8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00CA91C2), ref: 00CAB910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CAB949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00CAB98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CAB9C3
FreeLibrary.KERNEL32(?), ref: 00CAB9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00CAB9DF
DestroyIcon.USER32(?,?,?,?,?,00CA91C2), ref: 00CAB9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00CABA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00CABA17

Part of subcall function 00C42EFD: __wcsicmp_l.LIBCMT ref: 00C42F86

Strings

.exe, xrefs: 00CAB84A
.dll, xrefs: 00CAB86D
.icl, xrefs: 00CAB82A

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 89c1ec9b8a86242037289a93ec276c88e19ac1475ec9284a4bcee59abf5aa66e
Instruction ID: af8dfcee1aaa3f487f07a7cb36d37f9a9b28c20c6b1eb265653ba6848e8ad756
Opcode Fuzzy Hash: 89c1ec9b8a86242037289a93ec276c88e19ac1475ec9284a4bcee59abf5aa66e
Instruction Fuzzy Hash: FE61EE7150021ABAEB24DF74CC42BBE77B8FB0A715F10411AFA25D61C2DB749E80D7A0

Function 00C8DC1A Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00C8DCDC
SystemTimeToFileTime.KERNEL32(?,?), ref: 00C8DCEC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00C8DCF8
__wsplitpath.LIBCMT ref: 00C8DD56
_wcscat.LIBCMT ref: 00C8DD6E
_wcscat.LIBCMT ref: 00C8DD80
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C8DD95
SetCurrentDirectoryW.KERNEL32(?), ref: 00C8DDA9
SetCurrentDirectoryW.KERNEL32(?), ref: 00C8DDDB
SetCurrentDirectoryW.KERNEL32(?), ref: 00C8DDFC
_wcscpy.LIBCMT ref: 00C8DE08
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C8DE47

Strings

*.*, xrefs: 00C8DE02

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: f0ab34e4a017ed67e7f3397c2e40750710b277caecc93c7d83083dfbf62dff17
Instruction ID: 7d836588e9dc1b42c0924b58cc5c37a26b0323e502b2f78d3b009890d752d27a
Opcode Fuzzy Hash: f0ab34e4a017ed67e7f3397c2e40750710b277caecc93c7d83083dfbf62dff17
Instruction Fuzzy Hash: 53618F725043159FCB10EF60D844AAEB3E8FF89314F04492EF99AC7291DB31EA45CB96

Function 00C9731A Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00C9738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00C9739B
CreateCompatibleDC.GDI32(?), ref: 00C973A7
SelectObject.GDI32(00000000,?), ref: 00C973B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,es-mx), ref: 00C97408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00C97444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00C97468
SelectObject.GDI32(00000006,?), ref: 00C97470
DeleteObject.GDI32(?), ref: 00C97479
DeleteDC.GDI32(00000006), ref: 00C97480
ReleaseDC.USER32(00000000,?), ref: 00C9748B

Strings

es-mx, xrefs: 00C973F3
(, xrefs: 00C97410

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: ($es-mx
API String ID: 2598888154-1799561661
Opcode ID: d72b052a108dbe17695476d1b3bb5350466b26ee0a11a43e554ce60c2f67addc
Instruction ID: cbda8ccab31296544e3abe135a785d9d21d466cf33fd5bc1c2e9ddef81aa20b3
Opcode Fuzzy Hash: d72b052a108dbe17695476d1b3bb5350466b26ee0a11a43e554ce60c2f67addc
Instruction Fuzzy Hash: 0B514775904209EFCB14CFA9CC88FAEBBB9FF49310F14852DF99A97221C731A9418B50

Function 00C89C38 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00C89C7F

Part of subcall function 00C27DE1: _memmove.LIBCMT ref: 00C27E22

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00C89CA0
__swprintf.LIBCMT ref: 00C89CF9
__swprintf.LIBCMT ref: 00C89D12
_wprintf.LIBCMT ref: 00C89DB9
_wprintf.LIBCMT ref: 00C89DD7

Strings

^ ERROR , xrefs: 00C89D4E
Error: , xrefs: 00C89D81
Line %d (File "%s"):, xrefs: 00C89CF3, 00C89D0C
Incorrect parameters to object property !, xrefs: 00C89D5B
"%s" (%d) : ==> %s:, xrefs: 00C89DD2
"%s" (%d) : ==> %s:%s%s, xrefs: 00C89DB4

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: a9cabcf834f6aea08eac3105b7001e7560178f571f0f45026eaa646b31e70af1
Instruction ID: e9e2d7df21fe474eb94efd50295a7194327da7c515a6fcec5996ecf60dc3eacc
Opcode Fuzzy Hash: a9cabcf834f6aea08eac3105b7001e7560178f571f0f45026eaa646b31e70af1
Instruction Fuzzy Hash: EF517F3290061AABCF14FBE0DD86EEEB778EF14304F544166B509721A1EB312F59EB64

Function 00C8A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00C29837: __itow.LIBCMT ref: 00C29862
Part of subcall function 00C29837: __swprintf.LIBCMT ref: 00C298AC

CharLowerBuffW.USER32(?,?), ref: 00C8A3CB
GetDriveTypeW.KERNEL32 ref: 00C8A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C8A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C8A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C8A4C5

Part of subcall function 00C27BCC: _memmove.LIBCMT ref: 00C27C06

Strings

open, xrefs: 00C8A3F2
closed, xrefs: 00C8A3DF, 00C8A3E8
type cdaudio alias cd wait, xrefs: 00C8A443
set cd door , xrefs: 00C8A466
open , xrefs: 00C8A427
close, xrefs: 00C8A3D1
wait, xrefs: 00C8A482
close cd wait, xrefs: 00C8A4B0

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: f172ed936eae081dd4acb85461b0b98c6dc4971be16718e863152c7ca827068a
Instruction ID: 88dd1d52541a10fa9bfe082c3504ec001b8b2a8e4fd5473c3ae01056f883916b
Opcode Fuzzy Hash: f172ed936eae081dd4acb85461b0b98c6dc4971be16718e863152c7ca827068a
Instruction Fuzzy Hash: 88517E711043159FC700EF20D89196AB3E4FF89718F10896DF89A576A1DB31EE0ADB92

Function 00C7F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00C5E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00C7F8DF
LoadStringW.USER32(00000000,?,00C5E029,00000001), ref: 00C7F8E8

Part of subcall function 00C27DE1: _memmove.LIBCMT ref: 00C27E22

GetModuleHandleW.KERNEL32(00000000,00CE5310,?,00000FFF,?,?,00C5E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00C7F90A
LoadStringW.USER32(00000000,?,00C5E029,00000001), ref: 00C7F90D
__swprintf.LIBCMT ref: 00C7F95D
__swprintf.LIBCMT ref: 00C7F96E
_wprintf.LIBCMT ref: 00C7FA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C7FA2E

Strings

Error: , xrefs: 00C7F9E5
%s (%d) : ==> %s: %s %s, xrefs: 00C7FA12
^ ERROR, xrefs: 00C7F9C3
Line %d:, xrefs: 00C7F968
Line %d (File "%s"):, xrefs: 00C7F957

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 43a21748e558c4813661cd3aa6cf1f3b16e6b93c060ce89dc39745949042fcb1
Instruction ID: 43d345deefd1294ef994c55c610db67532f4cfa6c39010c78963191805df048b
Opcode Fuzzy Hash: 43a21748e558c4813661cd3aa6cf1f3b16e6b93c060ce89dc39745949042fcb1
Instruction Fuzzy Hash: D2413F72804119ABCF04FFE0ED86EEE7778AF14310F100169B60976092EE316F4AEB61

Function 00CABA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00CA9207,?,?), ref: 00CABA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00CA9207,?,?,00000000,?), ref: 00CABA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00CA9207,?,?,00000000,?), ref: 00CABA78
CloseHandle.KERNEL32(00000000,?,?,?,?,00CA9207,?,?,00000000,?), ref: 00CABA85
GlobalLock.KERNEL32(00000000), ref: 00CABA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00CA9207,?,?,00000000,?), ref: 00CABA9D
GlobalUnlock.KERNEL32(00000000), ref: 00CABAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,00CA9207,?,?,00000000,?), ref: 00CABAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00CA9207,?,?,00000000,?), ref: 00CABABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00CB2CAC,?), ref: 00CABAD7
GlobalFree.KERNEL32(00000000), ref: 00CABAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 00CABB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00CABB36
DeleteObject.GDI32(00000000), ref: 00CABB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00CABB74

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 5104b414091ef119f1a3915cb952b367b0811b77bb3e21cbaacd5075dc7b96d7
Instruction ID: de87ae7181a6553443d449577ef7a59fa0916829fd81a0c5a5b3d27eacad6041
Opcode Fuzzy Hash: 5104b414091ef119f1a3915cb952b367b0811b77bb3e21cbaacd5075dc7b96d7
Instruction Fuzzy Hash: 61412B75600205EFDB119FA5DC48FAE7BB8FB8A719F104168F915D7261D7309E02DB60

Function 00C8D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00C8DA10
_wcscat.LIBCMT ref: 00C8DA28
_wcscat.LIBCMT ref: 00C8DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C8DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 00C8DA63
GetFileAttributesW.KERNEL32(?), ref: 00C8DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 00C8DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 00C8DAA7

Strings

*.*, xrefs: 00C8DAE6

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 8f967cd47102381f9569e607ba430a2512b0eeb6b00a0f6037746996808c2d3f
Instruction ID: 99a348758c13faac8ad85c7c623eee15a469956c2224e3d9a050c6b1b0f53a01
Opcode Fuzzy Hash: 8f967cd47102381f9569e607ba430a2512b0eeb6b00a0f6037746996808c2d3f
Instruction Fuzzy Hash: FE8194715043419FCB24FF65C844AAEB7E4BF85318F18482EF89AC7291EA30EE45DB56

Function 00CAC1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C22612: GetWindowLongW.USER32(?,000000EB), ref: 00C22623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00CAC1FC
GetFocus.USER32 ref: 00CAC20C
GetDlgCtrlID.USER32(00000000), ref: 00CAC217
_memset.LIBCMT ref: 00CAC342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00CAC36D
GetMenuItemCount.USER32(?), ref: 00CAC38D
GetMenuItemID.USER32(?,00000000), ref: 00CAC3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00CAC3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00CAC41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00CAC454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00CAC489

Strings

0, xrefs: 00CAC33A

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 48823a055af61d8c3d3128ac562d1da466cf71af72e427057ce7f3e9eb02a68a
Instruction ID: 0e44bed44c0bcb8f9e21bb6b321868b4f7c9585d2e40a5a510321c41229b0300
Opcode Fuzzy Hash: 48823a055af61d8c3d3128ac562d1da466cf71af72e427057ce7f3e9eb02a68a
Instruction Fuzzy Hash: 96817E706083529FDB20CF54C8D4BBABBE4FB8A718F00492DF99597291D770D905DB92

Function 00C26A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00C40957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00C26B0C,?,00008000), ref: 00C40973

Part of subcall function 00C24750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C24743,?,?,00C237AE,?), ref: 00C24770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00C26BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00C26CFA

Part of subcall function 00C2586D: _wcscpy.LIBCMT ref: 00C258A5

Part of subcall function 00C4363D: _iswctype.LIBCMT ref: 00C43645

Strings

#include depth exceeded. Make sure there are no recursive includes, xrefs: 00C5E421
Unterminated string, xrefs: 00C5E7E4
>>>AUTOIT SCRIPT<<<, xrefs: 00C5E496
AU3!, xrefs: 00C26B61
Error opening the file, xrefs: 00C5E43D, 00C5E4B8
EA06, xrefs: 00C5E452
Bad directive syntax error, xrefs: 00C5E79D

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 6cc5e378f509956d6fe45896c109550de1ac6e75c76e6cbc4a99ba111aaac853
Instruction ID: afdadc4d7d247dc5d673476064e49452977cf71295d195c5683ecf6b511d4565
Opcode Fuzzy Hash: 6cc5e378f509956d6fe45896c109550de1ac6e75c76e6cbc4a99ba111aaac853
Instruction Fuzzy Hash: CB02F0341083509FC724EF24D881AAFBBE5FF99354F10492DF899936A1DB30DA89DB52

Function 00C82D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C82D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00C82DDD
GetMenuItemCount.USER32(00CE5890), ref: 00C82E66
DeleteMenu.USER32(00CE5890,00000005,00000000,000000F5,?,?), ref: 00C82EF6
DeleteMenu.USER32(00CE5890,00000004,00000000), ref: 00C82EFE
DeleteMenu.USER32(00CE5890,00000006,00000000), ref: 00C82F06
DeleteMenu.USER32(00CE5890,00000003,00000000), ref: 00C82F0E
GetMenuItemCount.USER32(00CE5890), ref: 00C82F16
SetMenuItemInfoW.USER32(00CE5890,00000004,00000000,00000030), ref: 00C82F4C
GetCursorPos.USER32(?), ref: 00C82F56
SetForegroundWindow.USER32(00000000), ref: 00C82F5F
TrackPopupMenuEx.USER32(00CE5890,00000000,?,00000000,00000000,00000000), ref: 00C82F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00C82F7E

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 4dcd559e0c6168aeb185bb785680884b4b0d0a00159771190f492d7c2accb1e3
Instruction ID: 9bff089177a697b46686a3bd0516402aa393115f1c1c1e4a3b6f3e7c386b5682
Opcode Fuzzy Hash: 4dcd559e0c6168aeb185bb785680884b4b0d0a00159771190f492d7c2accb1e3
Instruction Fuzzy Hash: 0871D470600215BBEB21AF55DC8DFAABF64FF0572DF10022AF625AA1E1C7B15D10DB98

Function 00C777DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C27BCC: _memmove.LIBCMT ref: 00C27C06

_memset.LIBCMT ref: 00C7786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00C778A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00C778BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00C778D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00C77902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00C7792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C77935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C7793A

Strings

\IPC$, xrefs: 00C77882
\CLSID, xrefs: 00C77822
SOFTWARE\Classes\, xrefs: 00C7780C

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 957582cf558469bbc76c3c2bad19de61ea346310394f8e52aed4106277c91280
Instruction ID: c5e616c27cb4ed5431896bd49c9c92abf3227c5d17939a2d631ce9223eeb0a89
Opcode Fuzzy Hash: 957582cf558469bbc76c3c2bad19de61ea346310394f8e52aed4106277c91280
Instruction Fuzzy Hash: 84411872C1422DABCF11EFA4EC85EEEB778BF04354F044629F915A32A1EA305E05DB90

Function 00CA0E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C9FDAD,?,?), ref: 00CA0E31

Strings

HKEY_LOCAL_MACHINE, xrefs: 00CA0E9A
HKCU, xrefs: 00CA0F21
HKCR, xrefs: 00CA0ED9
HKEY_USERS, xrefs: 00CA0F32
HKCC, xrefs: 00CA0EFF
HKEY_CURRENT_USER, xrefs: 00CA0F10
HKEY_CLASSES_ROOT, xrefs: 00CA0EC4
HKEY_CURRENT_CONFIG, xrefs: 00CA0EEE
HKU, xrefs: 00CA0F43
HKLM, xrefs: 00CA0EAF

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: be51b3678b7668622de662406e6f73533c847e0519968f6ee78dd7001d9fa6c0
Instruction ID: 15ae6b9a98a8b7161ea0a0c33ac7c422d4dbc514835935e0901db725334b0757
Opcode Fuzzy Hash: be51b3678b7668622de662406e6f73533c847e0519968f6ee78dd7001d9fa6c0
Instruction Fuzzy Hash: 4C413A7514024A8FCF10EF50ECA5AEF3764FF12398F240455FD652B292DB319A5AEBA0

Function 00C7F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00C5E2A0,00000010,?,Bad directive syntax error,00CAF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00C7F7C2
LoadStringW.USER32(00000000,?,00C5E2A0,00000010), ref: 00C7F7C9

Part of subcall function 00C27DE1: _memmove.LIBCMT ref: 00C27E22

_wprintf.LIBCMT ref: 00C7F7FC
__swprintf.LIBCMT ref: 00C7F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00C7F88D

Strings

Line %d:, xrefs: 00C7F818
Error: , xrefs: 00C7F85B
Line %d (File "%s"):, xrefs: 00C7F833
%s (%d) : ==> %s.: %s %s, xrefs: 00C7F7F7
., xrefs: 00C7F873

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 3fe7e52598533ece9f8fc3c7b3d3ea5e839d7f7bb9950ac859290f6938935113
Instruction ID: 12bfb5772d52791642e91ee1552b3f7acbf67b54136dc210322361742fcac595
Opcode Fuzzy Hash: 3fe7e52598533ece9f8fc3c7b3d3ea5e839d7f7bb9950ac859290f6938935113
Instruction Fuzzy Hash: 0821943294021EFBCF11EFA0DC8AFEE7739BF14300F04446AF515661A1DA719659EB51

Function 00C852C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00C27BCC: _memmove.LIBCMT ref: 00C27C06

Part of subcall function 00C27924: _memmove.LIBCMT ref: 00C279AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C85330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C85346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C85357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C85369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00C8537A

Strings

play PlayMe wait, xrefs: 00C85364
play PlayMe, xrefs: 00C85375
status PlayMe mode, xrefs: 00C8532B
open , xrefs: 00C852DF
alias PlayMe, xrefs: 00C85309
close PlayMe, xrefs: 00C85341, 00C8536E

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 44d13464087cc291fe8ed30e889ce6d5ae718b6191752ed6b7cb601d87a1e277
Instruction ID: 73000aa5290f26212a390b10f0af74c10b8fcd92edab84d932280a09489c6368
Opcode Fuzzy Hash: 44d13464087cc291fe8ed30e889ce6d5ae718b6191752ed6b7cb601d87a1e277
Instruction Fuzzy Hash: 63118231A502297AD720B675DC8ADFF7BBCEB92B54F00053AB511A21E1DEA04D49C6A0

Function 00C846B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00C846D2
gethostname.WSOCK32(?,00000100), ref: 00C846EC
gethostbyname.WSOCK32(?), ref: 00C846F9
_wcscpy.LIBCMT ref: 00C84721
_memmove.LIBCMT ref: 00C84734
inet_ntoa.WSOCK32(?), ref: 00C8473F
_strcat.LIBCMT ref: 00C8474D
_wcscpy.LIBCMT ref: 00C84764
WSACleanup.WSOCK32 ref: 00C84772
_wcscpy.LIBCMT ref: 00C84780

Strings

0.0.0.0, xrefs: 00C8471B

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 537e37ac559df2c80ba36cfb331e9a59335334a199064399c17fdb6e970754b5
Instruction ID: a76e0cbdff93c7f4dddfd6a09f560ca44417433f4238341a2286137494c79049
Opcode Fuzzy Hash: 537e37ac559df2c80ba36cfb331e9a59335334a199064399c17fdb6e970754b5
Instruction Fuzzy Hash: 6811C331900115ABCB24BB709C46FDE7BBCEF03719F0401BAF555960A1EF749A82D758

Function 00C84F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00C84F7A

Part of subcall function 00C4049F: timeGetTime.WINMM(?,7694B400,00C30E7B), ref: 00C404A3

Sleep.KERNEL32(0000000A), ref: 00C84FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00C84FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00C84FEC
SetActiveWindow.USER32 ref: 00C8500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00C85019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00C85038
Sleep.KERNEL32(000000FA), ref: 00C85043
IsWindow.USER32 ref: 00C8504F
EndDialog.USER32(00000000), ref: 00C85060

Strings

BUTTON, xrefs: 00C84FDE

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 141fb665923450ee58b11b06d3705dea7121ef979dc07940414d48c1af9474fc
Instruction ID: 3e93639e689a4bd381018ebe62794ee7de0229008bfe6f7c554ce6b5a283f717
Opcode Fuzzy Hash: 141fb665923450ee58b11b06d3705dea7121ef979dc07940414d48c1af9474fc
Instruction Fuzzy Hash: 53219F71601A45AFE7106FA0ECC8B3E3BA9EB1678DF04102CF202861B1DB718E019B65

Function 00C8D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29837: __itow.LIBCMT ref: 00C29862
Part of subcall function 00C29837: __swprintf.LIBCMT ref: 00C298AC

CoInitialize.OLE32(00000000), ref: 00C8D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00C8D67D
SHGetDesktopFolder.SHELL32(?), ref: 00C8D691
CoCreateInstance.OLE32(00CB2D7C,00000000,00000001,00CD8C1C,?), ref: 00C8D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00C8D74C
CoTaskMemFree.OLE32(?,?), ref: 00C8D7A4
_memset.LIBCMT ref: 00C8D7E1
SHBrowseForFolderW.SHELL32(?), ref: 00C8D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00C8D840
CoTaskMemFree.OLE32(00000000), ref: 00C8D847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00C8D87E
CoUninitialize.OLE32(00000001,00000000), ref: 00C8D880

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 3deadd8de1279f5e9e5b671aa13f7475353fb409a56c1d3dbde2093142f69171
Instruction ID: 4eedd58465e090179d0b39e1d3c5b50149d5c62e5fb9f1c810dd1c255b249767
Opcode Fuzzy Hash: 3deadd8de1279f5e9e5b671aa13f7475353fb409a56c1d3dbde2093142f69171
Instruction Fuzzy Hash: EFB10E75A00119AFDB04DFA4D888EAEBBB9FF49304F148469F90AEB251DB30ED41DB54

Function 00C7C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00C7C283
GetWindowRect.USER32(00000000,?), ref: 00C7C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00C7C2F3
GetDlgItem.USER32(?,00000002), ref: 00C7C2FE
GetWindowRect.USER32(00000000,?), ref: 00C7C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00C7C364
GetDlgItem.USER32(?,000003E9), ref: 00C7C372
GetWindowRect.USER32(00000000,?), ref: 00C7C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00C7C3C6
GetDlgItem.USER32(?,000003EA), ref: 00C7C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C7C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 00C7C3FE

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: d94a46d63f65006ad44538ac00c45039b3097412c59298824a253ac1a6164004
Instruction ID: cee076e2c0cf95b9c2b9f028885c844f862679d6de4a364bce7ba80e5b7d7d50
Opcode Fuzzy Hash: d94a46d63f65006ad44538ac00c45039b3097412c59298824a253ac1a6164004
Instruction Fuzzy Hash: 7F515371B00205AFDB18CFA9DD89BAEBBB6FB88314F14812DF519D72A0D7709E018B10

Function 00C2201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00C21B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C22036,?,00000000,?,?,?,?,00C216CB,00000000,?), ref: 00C21B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00C220D3
KillTimer.USER32(-00000001,?,?,?,?,00C216CB,00000000,?,?,00C21AE2,?,?), ref: 00C2216E
DestroyAcceleratorTable.USER32(00000000), ref: 00C5BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C216CB,00000000,?,?,00C21AE2,?,?), ref: 00C5BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C216CB,00000000,?,?,00C21AE2,?,?), ref: 00C5BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C216CB,00000000,?,?,00C21AE2,?,?), ref: 00C5BD0A
DeleteObject.GDI32(00000000), ref: 00C5BD1C

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 957f7abc1cb43b83c827ffbe5f501f992779d8145e5c78a8b9629571ecd444e5
Instruction ID: dd06f79fa189aeb4d9f0f1bc9f1219e45e8149577aebd49413646b1e94b0c49f
Opcode Fuzzy Hash: 957f7abc1cb43b83c827ffbe5f501f992779d8145e5c78a8b9629571ecd444e5
Instruction Fuzzy Hash: E0619C35500A60EFCB359F15E988B2DBBF1FB4131AF10452DE9928B9B0C770AD95DB84

Function 00C221A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00C225DB: GetWindowLongW.USER32(?,000000EB), ref: 00C225EC

GetSysColor.USER32(0000000F), ref: 00C221D3

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 9e502c5d3bba1702582378e5d2ef0e22529b53b00c5d94dd8defa2fef4d94871
Instruction ID: 953b5ad6089bc1e0b80c902c038ea9b67e0520ba649a95288c806d0376833e2f
Opcode Fuzzy Hash: 9e502c5d3bba1702582378e5d2ef0e22529b53b00c5d94dd8defa2fef4d94871
Instruction Fuzzy Hash: DD419E35000150EBDB255F68EC88BBD3B66EB06335F184369FE659B5E2C7328D82DB21

Function 00C8A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00CAF910), ref: 00C8A90B
GetDriveTypeW.KERNEL32(00000061,00CD89A0,00000061), ref: 00C8A9D5
_wcscpy.LIBCMT ref: 00C8A9FF

Strings

all, xrefs: 00C8A911
fixed, xrefs: 00C8A953
network, xrefs: 00C8A969
ramdisk, xrefs: 00C8A97F
unknown, xrefs: 00C8A996
cdrom, xrefs: 00C8A927
removable, xrefs: 00C8A93D

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: e19767d08ae11fdb57762c5571f72d1ee7bb1c5ec28c37d1f8279445dab93e6f
Instruction ID: dd63672109c9d6a7b2c25584926630bb6ab3615cc06931507e074d2f894b66fd
Opcode Fuzzy Hash: e19767d08ae11fdb57762c5571f72d1ee7bb1c5ec28c37d1f8279445dab93e6f
Instruction Fuzzy Hash: 3351DD31108301ABD704FF14D892AAFB7A5FF84308F14482EF599572A2DB319E09EB97

Function 00C29837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00C29862
__swprintf.LIBCMT ref: 00C298AC
__i64tow.LIBCMT ref: 00C5F5E6

Strings

False, xrefs: 00C5F5AE
0x%p, xrefs: 00C5F5C8
%.15g, xrefs: 00C298A6
True, xrefs: 00C5F5A7

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: e650e645fef137a53f2235a9b3cd64b5fac393d994593dcc39318d9377c96754
Instruction ID: 1c7377dc37ecc1225d9507884991bd471fb6e0eaf4c8e0660564526c8077b0ab
Opcode Fuzzy Hash: e650e645fef137a53f2235a9b3cd64b5fac393d994593dcc39318d9377c96754
Instruction Fuzzy Hash: 11410435900205AFDB28DF35EC42A7A77E8FF45300F24447EE959D7281EA319A86DB10

Function 00CA7152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CA716A
CreateMenu.USER32 ref: 00CA7185
SetMenu.USER32(?,00000000), ref: 00CA7194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CA7221
IsMenu.USER32(?), ref: 00CA7237
CreatePopupMenu.USER32 ref: 00CA7241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CA726E
DrawMenuBar.USER32 ref: 00CA7276

Strings

0, xrefs: 00CA7160
F, xrefs: 00CA7262

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 95fff88fe60c31125311b1670d7801b407c5db69078693847e5f100c551b1293
Instruction ID: c725647c22cd87dca80102c0b77f8ecbc792c975314ca6514ce48f2b0a45ca13
Opcode Fuzzy Hash: 95fff88fe60c31125311b1670d7801b407c5db69078693847e5f100c551b1293
Instruction Fuzzy Hash: DF413875A01206EFDB20DFA4D988F9A7BB5FF4A314F144228F95597361D731AA10CB90

Function 00CA74BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00CA755E
CreateCompatibleDC.GDI32(00000000), ref: 00CA7565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00CA7578
SelectObject.GDI32(00000000,00000000), ref: 00CA7580
GetPixel.GDI32(00000000,00000000,00000000), ref: 00CA758B
DeleteDC.GDI32(00000000), ref: 00CA7594
GetWindowLongW.USER32(?,000000EC), ref: 00CA759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00CA75B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00CA75BE

Strings

static, xrefs: 00CA74F6

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: b450621d5a6f7dc9e6fc9bc070b3fa80e8157d1bb26fbe7870e01ad2d9c66ea8
Instruction ID: b13bc26a3344c041b12df9748714ec5b8ee72fa5620f5ccfe267c50c17d099ab
Opcode Fuzzy Hash: b450621d5a6f7dc9e6fc9bc070b3fa80e8157d1bb26fbe7870e01ad2d9c66ea8
Instruction Fuzzy Hash: 68316C32504215ABDF129FA4DC08FDF3B69FF0A328F110329FA65960A0C731D912DBA4

Function 00C46E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C46E3E

Part of subcall function 00C48B28: __getptd_noexit.LIBCMT ref: 00C48B28

__gmtime64_s.LIBCMT ref: 00C46ED7
__gmtime64_s.LIBCMT ref: 00C46F0D
__gmtime64_s.LIBCMT ref: 00C46F2A
__allrem.LIBCMT ref: 00C46F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C46F9C
__allrem.LIBCMT ref: 00C46FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C46FD1
__allrem.LIBCMT ref: 00C46FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C47006
__invoke_watson.LIBCMT ref: 00C47077

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 75aafef024e24530094beb3bb0c9b9a32ad7a1e3989c6582523527dad06a6cb6
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: C5711776A00717ABE714EE68DC81B6AB7F8BF05364F144229F824D7281F770DE449791

Function 00C82527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C82542
GetMenuItemInfoW.USER32(00CE5890,000000FF,00000000,00000030), ref: 00C825A3
SetMenuItemInfoW.USER32(00CE5890,00000004,00000000,00000030), ref: 00C825D9
Sleep.KERNEL32(000001F4), ref: 00C825EB
GetMenuItemCount.USER32(?), ref: 00C8262F
GetMenuItemID.USER32(?,00000000), ref: 00C8264B
GetMenuItemID.USER32(?,-00000001), ref: 00C82675
GetMenuItemID.USER32(?,?), ref: 00C826BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C82700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C82714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C82735

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 005c39865bb3dba48b5bd27e609e66b927237f97bc8b1853a99dcc14db4a9bf6
Instruction ID: ab7216075e34b3b34324c149ee7c3bd6d8e3844dc8fd1df0fc7120550fe84a0d
Opcode Fuzzy Hash: 005c39865bb3dba48b5bd27e609e66b927237f97bc8b1853a99dcc14db4a9bf6
Instruction Fuzzy Hash: D6618D70900249AFDB21EFA4DC8CEBE7BB8EB0130CF140059F952A7251E731AE06DB24

Function 00CA6F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00CA6FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00CA6FA8
GetWindowLongW.USER32(?,000000F0), ref: 00CA6FCC
_memset.LIBCMT ref: 00CA6FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00CA6FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00CA7067

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 1a966788178e92662cf566bbfe545dad51eb9732f7d7852f8814ebfa01d4a939
Instruction ID: 1f88ac425d7cff44f50b5c6b991994a534e193cfff71d86feb5956f7f737bd4e
Opcode Fuzzy Hash: 1a966788178e92662cf566bbfe545dad51eb9732f7d7852f8814ebfa01d4a939
Instruction Fuzzy Hash: F4617B75900249AFDB11DFA4CC81FEE77F8EB09718F140169FA14AB2A1C771AE41DB90

Function 00C76B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00C76BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00C76C18
VariantInit.OLEAUT32(?), ref: 00C76C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00C76C4A
VariantCopy.OLEAUT32(?,?), ref: 00C76C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00C76CB1
VariantClear.OLEAUT32(?), ref: 00C76CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00C76CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C76CDC
VariantClear.OLEAUT32(?), ref: 00C76CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C76CF9

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 07cb6e6acf173c5485e32b00c4b25e09786d3b9c239d2fd095cf5bdfbb7a9fdb
Instruction ID: 0646dd127d6ca2cea24fcbe01963a56058ea6ed411067a84523914e12fff8267
Opcode Fuzzy Hash: 07cb6e6acf173c5485e32b00c4b25e09786d3b9c239d2fd095cf5bdfbb7a9fdb
Instruction Fuzzy Hash: C9415131A002199FCF01DFA4D844AEEBBB9FF09354F00C069E955E7261DB30AA46DF90

Function 00C983BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29837: __itow.LIBCMT ref: 00C29862
Part of subcall function 00C29837: __swprintf.LIBCMT ref: 00C298AC

CoInitialize.OLE32 ref: 00C98403
CoUninitialize.OLE32 ref: 00C9840E
CoCreateInstance.OLE32(?,00000000,00000017,00CB2BEC,?), ref: 00C9846E
IIDFromString.OLE32(?,?), ref: 00C984E1
VariantInit.OLEAUT32(?), ref: 00C9857B
VariantClear.OLEAUT32(?), ref: 00C985DC

Strings

NULL Pointer assignment, xrefs: 00C984B3
Failed to create object, xrefs: 00C98479, 00C9852F
Invalid parameter, xrefs: 00C984FA

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 7cc2ce2ede3dc8d167adc4890791f2699837d75459f46678b50be57fc2e88ff0
Instruction ID: a52b485f0076060f6db5e0adb0e12f2a24314685ecacab4312d0b6263100ae3f
Opcode Fuzzy Hash: 7cc2ce2ede3dc8d167adc4890791f2699837d75459f46678b50be57fc2e88ff0
Instruction Fuzzy Hash: 3D619A706083129FDB10DF64C848B6EB7E8AF4A714F044819F9869B291CB70EE48CB92

Function 00C95732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00C95793
inet_addr.WSOCK32(?,?,?), ref: 00C957D8
gethostbyname.WSOCK32(?), ref: 00C957E4
IcmpCreateFile.IPHLPAPI ref: 00C957F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00C95862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00C95878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00C958ED
WSACleanup.WSOCK32 ref: 00C958F3

Strings

Ping, xrefs: 00C95816

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: b88e21a458b2249a59b380c33a6eb465ec890999ecc37cae13e1f7ab032e5812
Instruction ID: 091daf5826a42277db5517828cfda9e31a073eaded3f8c02499df7e4f3575e27
Opcode Fuzzy Hash: b88e21a458b2249a59b380c33a6eb465ec890999ecc37cae13e1f7ab032e5812
Instruction Fuzzy Hash: 1C518D31644700DFDB21AF65DC49B2AB7E4EF49720F048929F9A6DB2E1DB30E901DB45

Function 00C8B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C8B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00C8B546
GetLastError.KERNEL32 ref: 00C8B550
SetErrorMode.KERNEL32(00000000,READY), ref: 00C8B5BD

Strings

READY, xrefs: 00C8B596
UNKNOWN, xrefs: 00C8B575
INVALID, xrefs: 00C8B58F
READONLY, xrefs: 00C8B588
NOTREADY, xrefs: 00C8B57C

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: ef24c6e785a09e682d18e10a77de865eeab4a2593a61c52e50b181aa4ab139f6
Instruction ID: fba964f7107466cc7470a1c01a9de22490586f38c05b9f8af7797c75c3a04842
Opcode Fuzzy Hash: ef24c6e785a09e682d18e10a77de865eeab4a2593a61c52e50b181aa4ab139f6
Instruction Fuzzy Hash: 3431A135A00209EFCB10FBA8D885FAE77B4FF09308F10412AE61597291DB709E46DB85

Function 00C78F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C27DE1: _memmove.LIBCMT ref: 00C27E22

Part of subcall function 00C7AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C7AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00C79014
GetDlgCtrlID.USER32 ref: 00C7901F
GetParent.USER32 ref: 00C7903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C7903E
GetDlgCtrlID.USER32(?), ref: 00C79047
GetParent.USER32(?), ref: 00C79063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00C79066

Strings

ComboBox, xrefs: 00C78F9C
ListBox, xrefs: 00C78FD1

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 6cd4faeb77240b79b6a89c62151330a6bd3f21ad1a99bf4602186240be1b4d06
Instruction ID: 921bcf1e4c9c0b2aa61cbe33053b8fbf1f9ce3704e6681604894f27aa9bba3a0
Opcode Fuzzy Hash: 6cd4faeb77240b79b6a89c62151330a6bd3f21ad1a99bf4602186240be1b4d06
Instruction Fuzzy Hash: 2921C470A00108BBDF04ABB0CC89FFEBB74EF4A310F104119B925972A1DB755915EB20

Function 00C7907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C27DE1: _memmove.LIBCMT ref: 00C27E22

Part of subcall function 00C7AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C7AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00C790FD
GetDlgCtrlID.USER32 ref: 00C79108
GetParent.USER32 ref: 00C79124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C79127
GetDlgCtrlID.USER32(?), ref: 00C79130
GetParent.USER32(?), ref: 00C7914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 00C7914F

Strings

ComboBox, xrefs: 00C79087
ListBox, xrefs: 00C790BC

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 232b20ed59fb774c0d08e85c7814e069503835a58abf24559c432c4469a404a5
Instruction ID: e50f932865297930abdc8c6486df4caf91e81a740722cea8fccd17c3ee0d6736
Opcode Fuzzy Hash: 232b20ed59fb774c0d08e85c7814e069503835a58abf24559c432c4469a404a5
Instruction Fuzzy Hash: CD212974A00108BFDF10ABA0CC89FFEBB78EF49300F00411AF925972A1DB754916EB20

Function 00C79163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00C7916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00C79184
_wcscmp.LIBCMT ref: 00C79196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00C79211

Strings

list, xrefs: 00C791F3
details, xrefs: 00C791BF
largeicons, xrefs: 00C791A5
smallicons, xrefs: 00C791D9
SHELLDLL_DefView, xrefs: 00C79190

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: fef9b02b8721b69a24e50d4d398c082bad9174328d5535a0968f5ca9f833cebc
Instruction ID: 4f792516ae8911ed000e87f29668d5b4eef714152424f1b90a3459c552057794
Opcode Fuzzy Hash: fef9b02b8721b69a24e50d4d398c082bad9174328d5535a0968f5ca9f833cebc
Instruction Fuzzy Hash: C511403728C307BAFA213624DC1BFAB37ACEB15720B204137FA14E55E2FE7199616594

Function 00C988AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C988D7
CoInitialize.OLE32(00000000), ref: 00C98904
CoUninitialize.OLE32 ref: 00C9890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00C98A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00C98B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00CB2C0C), ref: 00C98B6F
CoGetObject.OLE32(?,00000000,00CB2C0C,?), ref: 00C98B92
SetErrorMode.KERNEL32(00000000), ref: 00C98BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00C98C25
VariantClear.OLEAUT32(?), ref: 00C98C35

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: e2c58c39570481c2408d24b0eff40aeb9e2c8f19798f7e3842a40ff9456e8209
Instruction ID: 0a622b66e405795350bc9609b7171b3f050a8e22e9a24c99d5fb72ef73a940d4
Opcode Fuzzy Hash: e2c58c39570481c2408d24b0eff40aeb9e2c8f19798f7e3842a40ff9456e8209
Instruction Fuzzy Hash: B2C138B12083059FDB00DF64C88892BB7E9FF8A748F04491DF59A9B251DB71ED0ACB52

Function 00C87990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00C87A6C

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 002103fbd42ba3235832109ca9f269b18d9532fe7fab0bb521741237f67697b5
Instruction ID: 327dc73c759a5ee9e38fb0141833da5d1071647660fa792792ac31bde175ac8b
Opcode Fuzzy Hash: 002103fbd42ba3235832109ca9f269b18d9532fe7fab0bb521741237f67697b5
Instruction Fuzzy Hash: 56B1AE7190421A9FDB00EFA5C884BBEBBB5FF09329F344129E611E7251E734E941DB94

Function 00C2FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00C2FAA6
OleUninitialize.OLE32(?,00000000), ref: 00C2FB45
UnregisterHotKey.USER32(?), ref: 00C2FC9C
DestroyWindow.USER32(?), ref: 00C645D6
FreeLibrary.KERNEL32(?), ref: 00C6463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C64668

Strings

close all, xrefs: 00C2FAA1

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: dda011777d7b47bbf1f1839b60313d9324473add1ed70e9225e61e68d2200ac7
Instruction ID: 856310100677a27012d234a3b387348be179efd267d36d5b499c1249448e9f27
Opcode Fuzzy Hash: dda011777d7b47bbf1f1839b60313d9324473add1ed70e9225e61e68d2200ac7
Instruction Fuzzy Hash: B1A15730701226CFCB29EF14D995A69F7A4AF15704F5442BDE80AAB661CB30ED17DF90

Function 00C7A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00C7A439), ref: 00C7A377

Strings

REGEXPCLASS, xrefs: 00C7A13C
TEXT, xrefs: 00C7A2AE
CLASS, xrefs: 00C7A0F6
CLASSNN, xrefs: 00C7A119
INSTANCE, xrefs: 00C7A285
NAME, xrefs: 00C7A1A9

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 8ced0bcee46ba6418ad67f2de4cf46af946bd8c0f39028594d64cd623ef1f5fc
Instruction ID: 8ee7635ab1423f6fb75be2120f55b87c9368b12efe7587a43b15ae07c1d056bd
Opcode Fuzzy Hash: 8ced0bcee46ba6418ad67f2de4cf46af946bd8c0f39028594d64cd623ef1f5fc
Instruction Fuzzy Hash: D891A331604606ABCB08EFA0C492BEDFB74BF84310F54C119E95DA7251DF31AA99EBD1

Function 00C22E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00C22EAE

Part of subcall function 00C21DB3: GetClientRect.USER32(?,?), ref: 00C21DDC
Part of subcall function 00C21DB3: GetWindowRect.USER32(?,?), ref: 00C21E1D
Part of subcall function 00C21DB3: ScreenToClient.USER32(?,?), ref: 00C21E45

GetDC.USER32 ref: 00C5CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00C5CD45
SelectObject.GDI32(00000000,00000000), ref: 00C5CD53
SelectObject.GDI32(00000000,00000000), ref: 00C5CD68
ReleaseDC.USER32(?,00000000), ref: 00C5CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00C5CDFB

Strings

U, xrefs: 00C5CCD0

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 2973e3ad4910ac9e1fa456e81f9fd32c9386d5c99192d0df153014b4bb14e965
Instruction ID: 7f6b638f8a1a1edd995d720e30dda6b6a06ef10a998104487557a8e145b7c68e
Opcode Fuzzy Hash: 2973e3ad4910ac9e1fa456e81f9fd32c9386d5c99192d0df153014b4bb14e965
Instruction Fuzzy Hash: DF71D035400305EFCF218F64CCC4AAA7BB5FF49326F14427AED659A2A6C7309D85EB60

Function 00C91A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C91A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00C91A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00C91ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00C91AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C91AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00C91B10
InternetCloseHandle.WININET(00000000), ref: 00C91B57

Part of subcall function 00C92483: GetLastError.KERNEL32(?,?,00C91817,00000000,00000000,00000001), ref: 00C92498
Part of subcall function 00C92483: SetEvent.KERNEL32(?,?,00C91817,00000000,00000000,00000001), ref: 00C924AD

Strings

, xrefs: 00C91B01

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 11591e938391d1b618b87a1bc59cecccbc0be6bd505282b9d59c38197e465392
Instruction ID: 4606dae2fe4e0e8afd3256f9df0c7eb5798912c56a8b48b2ed5c2f2929db0b25
Opcode Fuzzy Hash: 11591e938391d1b618b87a1bc59cecccbc0be6bd505282b9d59c38197e465392
Instruction Fuzzy Hash: A9417FB1501219BFEF118F91CC8AFBE7BADEF09354F04412AFD159A181EB709E459BA0

Function 00C98C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00CAF910), ref: 00C98D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00CAF910), ref: 00C98D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00C98ED6
SysFreeString.OLEAUT32(?), ref: 00C98F00

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 86013d64758c8720bf5edca45181eaa058c5d9895c6a0525b9b3633ed37b2bcb
Instruction ID: cdbf56318310d922990733ddda2c41c4f2dc1a2e42e54d7194be6f25a36f7076
Opcode Fuzzy Hash: 86013d64758c8720bf5edca45181eaa058c5d9895c6a0525b9b3633ed37b2bcb
Instruction Fuzzy Hash: 8EF15D75A00209EFDF14DF98C888EAEB7B9FF4A314F108458F915AB251DB31AE46DB50

Function 00C9F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C9F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C9F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C9F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C9F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C9F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C9FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00C9FA7C
CloseHandle.KERNEL32(?), ref: 00C9FAAB
CloseHandle.KERNEL32(?), ref: 00C9FB22

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 253c29494ad5a5598ff02f002e411a542523f0155a57fcc19d2167b969b2ebee
Instruction ID: c409e73fd5e952f01d1a7f8e9b02920626957cc4930dcd036a52247a9ea705da
Opcode Fuzzy Hash: 253c29494ad5a5598ff02f002e411a542523f0155a57fcc19d2167b969b2ebee
Instruction Fuzzy Hash: FBE1AF316043009FCB14EF24D885B6ABBE1FF85314F18896DF8999B2A2CB31DD46DB52

Function 00C84CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C8466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C83697,?), ref: 00C8468B

Part of subcall function 00C8466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C83697,?), ref: 00C846A4

Part of subcall function 00C84A31: GetFileAttributesW.KERNEL32(?,00C8370B), ref: 00C84A32

lstrcmpiW.KERNEL32(?,?), ref: 00C84D40
_wcscmp.LIBCMT ref: 00C84D5A
MoveFileW.KERNEL32(?,?), ref: 00C84D75

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: fd5d6de4eee9bf43b74656903af0467fe001cc79ba506e293a6c0a6c3552b2c6
Instruction ID: ea7d7d69917d418fc8f74f5072c801186f0fbbf2b0e20472cbccf51550da215e
Opcode Fuzzy Hash: fd5d6de4eee9bf43b74656903af0467fe001cc79ba506e293a6c0a6c3552b2c6
Instruction Fuzzy Hash: 7D5164B24083859BC724EBA0D881ADFB3ECAF85314F40092FF695D3151EF74A689D75A

Function 00CA8645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00CA86FF

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 232b05530b9dc4d8cdd0c6bea5a7639ba6e4ddea4656c82f7f085b8257d1aa76
Instruction ID: 9ddde384cf5126e29d468481f68b22888c0d15cecbad2197eac49d6d23d7cbcf
Opcode Fuzzy Hash: 232b05530b9dc4d8cdd0c6bea5a7639ba6e4ddea4656c82f7f085b8257d1aa76
Instruction Fuzzy Hash: 2551B430500256FFEB249B25DC89FAD7BA5EB0732CF600125F960E61E1CF75AA88DB50

Function 00C22B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00C5C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00C5C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00C5C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00C5C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00C5C370
DestroyIcon.USER32(00000000), ref: 00C5C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00C5C39C
DestroyIcon.USER32(?), ref: 00C5C3AB

Part of subcall function 00CAA4AF: DeleteObject.GDI32(00000000), ref: 00CAA4E8

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: eb5b2ee451d469a2ac4960287627623a2eb24e8936de06846465dc11994aefc1
Instruction ID: 538957955cb8ea5797ddd16a930354136c839a962510a334a325fe4dbe3c14d6
Opcode Fuzzy Hash: eb5b2ee451d469a2ac4960287627623a2eb24e8936de06846465dc11994aefc1
Instruction Fuzzy Hash: 4D516774A00309AFDB20DF65DC85FAE7BB5EB18315F104528F912976A0DB70AE91EB90

Function 00C7966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C7A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C7A84C
Part of subcall function 00C7A82C: GetCurrentThreadId.KERNEL32 ref: 00C7A853
Part of subcall function 00C7A82C: AttachThreadInput.USER32(00000000,?,00C79683,?,00000001), ref: 00C7A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 00C7968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00C796AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00C796AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C796B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00C796D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00C796D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C796E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00C796F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00C796FB

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 58c18a8095d0ba702f182693ad12da5064b3c44b32305a0fcbc75d8bc69090a9
Instruction ID: 5049ee6d8cb978e307149e6fb3bff6aee850c06c45b6af1faecfe673bb2b7c69
Opcode Fuzzy Hash: 58c18a8095d0ba702f182693ad12da5064b3c44b32305a0fcbc75d8bc69090a9
Instruction Fuzzy Hash: F111E1B1910618BEF7106FA0DC89F6E3B2DEB4D754F104429F348AB0E0C9F25C12DAA4

Function 00C78921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00C7853C,00000B00,?,?), ref: 00C7892A
HeapAlloc.KERNEL32(00000000,?,00C7853C,00000B00,?,?), ref: 00C78931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C7853C,00000B00,?,?), ref: 00C78946
GetCurrentProcess.KERNEL32(?,00000000,?,00C7853C,00000B00,?,?), ref: 00C7894E
DuplicateHandle.KERNEL32(00000000,?,00C7853C,00000B00,?,?), ref: 00C78951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00C7853C,00000B00,?,?), ref: 00C78961
GetCurrentProcess.KERNEL32(00C7853C,00000000,?,00C7853C,00000B00,?,?), ref: 00C78969
DuplicateHandle.KERNEL32(00000000,?,00C7853C,00000B00,?,?), ref: 00C7896C
CreateThread.KERNEL32(00000000,00000000,00C78992,00000000,00000000,00000000), ref: 00C78986

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: bb1a5e1a4586c3ac3562a4fa4ffcdf6bdbf220e3d8c596d669cf9a2348fc991b
Instruction ID: cf25ac42bc2a364ca0bc394ff148c740ebc4ed2fae574b796463610f55e74e31
Opcode Fuzzy Hash: bb1a5e1a4586c3ac3562a4fa4ffcdf6bdbf220e3d8c596d669cf9a2348fc991b
Instruction Fuzzy Hash: B101A8B5240308FFE660ABA5DC4DFAF3BACEB89715F418425FB05DB1A1DA7098018A20

Function 00C99B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00C99BA4, 00C99EC8
Not an Object type, xrefs: 00C99B7B

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 46f84cd4827586d9585a7c388bf2d45bd314ba712b826bc581d40d80ac036223
Instruction ID: 6b9ad656cdd09642ae5138f7926760ab04932b790b12ecb4ba1e53b44749e25a
Opcode Fuzzy Hash: 46f84cd4827586d9585a7c388bf2d45bd314ba712b826bc581d40d80ac036223
Instruction Fuzzy Hash: DFC18271A0021A9FDF10DFA9D888BAEB7F5FF48314F14846DE915A7281E770AE45CB90

Function 00C99113 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C99167
VariantInit.OLEAUT32(?), ref: 00C99238
VariantInit.OLEAUT32(?), ref: 00C99339
VariantClear.OLEAUT32(?), ref: 00C99343
VariantClear.OLEAUT32(?), ref: 00C993A0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00C991C8, 00C992F6, 00C993AE
Incorrect Object type in FOR..IN loop, xrefs: 00C9931C

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 49a20280b60029d8d2af45bd64215c2ade22cba0a58c44f58c1893fe1b56672a
Instruction ID: 16d4f31c031e98e4437490590052b5865925a7dd5ee425965b6888c8647f8392
Opcode Fuzzy Hash: 49a20280b60029d8d2af45bd64215c2ade22cba0a58c44f58c1893fe1b56672a
Instruction Fuzzy Hash: 13919D71A00219ABDF24DFA9C848FAEBBB8FF45714F10815EF515AB290D7709A45CFA0

Function 00C9975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00C7710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C77044,80070057,?,?,?,00C77455), ref: 00C77127
Part of subcall function 00C7710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C77044,80070057,?,?), ref: 00C77142
Part of subcall function 00C7710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C77044,80070057,?,?), ref: 00C77150
Part of subcall function 00C7710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C77044,80070057,?), ref: 00C77160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00C99806
_memset.LIBCMT ref: 00C99813
_memset.LIBCMT ref: 00C99956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00C99982
CoTaskMemFree.OLE32(?), ref: 00C9998D

Strings

NULL Pointer assignment, xrefs: 00C999DB

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 7f75082d2744f2e11483d4b60599f1e9685cfa7a614cb769ea07fe82bc42f5b9
Instruction ID: a844c7b9ab490cf07e539ce9dd08c7b813c9ae8e997a8ba964662ced2a7f746c
Opcode Fuzzy Hash: 7f75082d2744f2e11483d4b60599f1e9685cfa7a614cb769ea07fe82bc42f5b9
Instruction Fuzzy Hash: 23911571D00229EBDF10DFA5DC85ADEBBB9EF09310F20415AF419A7291EB719A44DFA0

Function 00CA6D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00CA6E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00CA6E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00CA6E52
_wcscat.LIBCMT ref: 00CA6EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00CA6EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00CA6EF2

Strings

SysListView32, xrefs: 00CA6DF6

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 9a097047b4958ba0992c449b3fee96efce4b6e2db1e8dbb4bd954327a7089877
Instruction ID: 8e808d536753bd310154f40bc68d7946f660eac2f479670e0ff295e90a0d5b17
Opcode Fuzzy Hash: 9a097047b4958ba0992c449b3fee96efce4b6e2db1e8dbb4bd954327a7089877
Instruction Fuzzy Hash: D341A174A00349AFDB219FA4CC85BEE77B8EF09358F14042AF554E7291D6719E848B60

Function 00C9E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00C83C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00C83C7A
Part of subcall function 00C83C55: Process32FirstW.KERNEL32(00000000,?), ref: 00C83C88
Part of subcall function 00C83C55: CloseHandle.KERNEL32(00000000), ref: 00C83D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C9E9A4
GetLastError.KERNEL32 ref: 00C9E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C9E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 00C9EA63
GetLastError.KERNEL32(00000000), ref: 00C9EA6E
CloseHandle.KERNEL32(00000000), ref: 00C9EAA3

Strings

SeDebugPrivilege, xrefs: 00C9E9C2

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 483e752d5c68914801818d12daf83abc25cead492ec2e543828d374625c2c5be
Instruction ID: a0e021a8b4ec4674b1ad5dec07607c1a40c9c43273eba0630f372ba75844cbba
Opcode Fuzzy Hash: 483e752d5c68914801818d12daf83abc25cead492ec2e543828d374625c2c5be
Instruction Fuzzy Hash: 8C41BA712002009FDB14EF64DCA9F6EBBA5AF51314F08845CF9469B2E2CBB4E905EB95

Function 00C82F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00C83033

Strings

blank, xrefs: 00C82FB5
info, xrefs: 00C82FD4
stop, xrefs: 00C83004
question, xrefs: 00C82FEC
warning, xrefs: 00C8301C

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 06c56209b7e53daef1653d0677247d2fa0fb97c3a39dacbac9215afbb16536aa
Instruction ID: 1c2ffa307321a0f0ae2aa4bc3d0deb09939544ef3b778eaf23ea0b8ff6f8e0fd
Opcode Fuzzy Hash: 06c56209b7e53daef1653d0677247d2fa0fb97c3a39dacbac9215afbb16536aa
Instruction Fuzzy Hash: 21112B313483C6BEE724BA55DC83D6F779C9F15728B10002AFA10AA281EB709F4467A8

Function 00C842F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C84312
LoadStringW.USER32(00000000), ref: 00C84319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C8432F
LoadStringW.USER32(00000000), ref: 00C84336
_wprintf.LIBCMT ref: 00C8435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C8437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00C84357

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: a3400b4494b03bedf47c9a274178432378d06fedb14892f31427f8191fd32803
Instruction ID: eb26e8987205a3b242a7ffc16c9cb15f1c2686486a3d74083f5b2cafa58df542
Opcode Fuzzy Hash: a3400b4494b03bedf47c9a274178432378d06fedb14892f31427f8191fd32803
Instruction Fuzzy Hash: 4F014FF2940208BFE751A7E0DD89FEA776CEB09304F0005A5B745E3051EA749E864B74

Function 00CAD43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C22612: GetWindowLongW.USER32(?,000000EB), ref: 00C22623

GetSystemMetrics.USER32(0000000F), ref: 00CAD47C
GetSystemMetrics.USER32(0000000F), ref: 00CAD49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00CAD6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00CAD6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00CAD716
ShowWindow.USER32(00000003,00000000), ref: 00CAD735
InvalidateRect.USER32(?,00000000,00000001), ref: 00CAD75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 00CAD77D

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: d1551562aa8ff8d8e776fac13b926ecefd69a1a7fe4dcb42c28536a3469389e3
Instruction ID: dee3c5e71e8b489bcfa558a024e2683842f954990a5275626039a2d270061d23
Opcode Fuzzy Hash: d1551562aa8ff8d8e776fac13b926ecefd69a1a7fe4dcb42c28536a3469389e3
Instruction Fuzzy Hash: 08B1AC71500216EBDF18CF68C9C97AD7BB1BF05709F088069FC5A9F699D734AA90CB90

Function 00C22A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00C5C1C7,00000004,00000000,00000000,00000000), ref: 00C22ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00C5C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00C22B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00C5C1C7,00000004,00000000,00000000,00000000), ref: 00C5C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00C5C1C7,00000004,00000000,00000000,00000000), ref: 00C5C286

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 5462d45d20fbad4e586d194af520765c5388a93c4e094b1d0cbc1f6212e2bcc3
Instruction ID: a7ff37596b40e64b2a4ed1043ae7c8e2e67961a4d57d7af0531ad1e3c741217a
Opcode Fuzzy Hash: 5462d45d20fbad4e586d194af520765c5388a93c4e094b1d0cbc1f6212e2bcc3
Instruction Fuzzy Hash: CC411835604790FFC7358B69ACC8B6F7BD2AB46304F14882DE46787D61CA719986E710

Function 00C870C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00C870DD

Part of subcall function 00C40DB6: std::exception::exception.LIBCMT ref: 00C40DEC
Part of subcall function 00C40DB6: __CxxThrowException@8.LIBCMT ref: 00C40E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00C87114
EnterCriticalSection.KERNEL32(?), ref: 00C87130
_memmove.LIBCMT ref: 00C8717E
_memmove.LIBCMT ref: 00C8719B
LeaveCriticalSection.KERNEL32(?), ref: 00C871AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00C871BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 00C871DE

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 6d1005ebc524a8a8b2b94865770d9b38e7f1933b1c6353c772d2d31c0cf408b8
Instruction ID: d38934133a694ee9de96cc1cb4f28466bbd0f4f9848ff110b2e593d4d923f797
Opcode Fuzzy Hash: 6d1005ebc524a8a8b2b94865770d9b38e7f1933b1c6353c772d2d31c0cf408b8
Instruction Fuzzy Hash: C0316E35900205EBCB10EFA4DC89BAEBB78FF45714F2441A9E904AB256EB30DE15DB64

Function 00CA61D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00CA61EB
GetDC.USER32(00000000), ref: 00CA61F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CA61FE
ReleaseDC.USER32(00000000,00000000), ref: 00CA620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00CA6246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00CA6257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00CA902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00CA6291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00CA62B1

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 62bd9cd22ca4516e9eeda8e17e26f15dbe9db0815d67a7668ba1890468953dfa
Instruction ID: 5220257d0bf4a9bdc6e7522c35f4adf02db3205aeb6e0027a670251230cfae7a
Opcode Fuzzy Hash: 62bd9cd22ca4516e9eeda8e17e26f15dbe9db0815d67a7668ba1890468953dfa
Instruction Fuzzy Hash: C1314F72101214BFEB118F50CC8AFEB3BA9EF4A769F084169FE08DA191C6759D42CB74

Function 00C7BBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00C7BBC4
_memcmp.LIBCMT ref: 00C7BBE6
_memcmp.LIBCMT ref: 00C7BBFE
_memcmp.LIBCMT ref: 00C7BC11
_memcmp.LIBCMT ref: 00C7BC2B
_memcmp.LIBCMT ref: 00C7BC3E
_memcmp.LIBCMT ref: 00C7BC56
_memcmp.LIBCMT ref: 00C7BC71

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 8733de58cda35c17bcbcd4d143d9c39ffc117dc98bc94bcb977e8dd653e4559f
Instruction ID: 4f564732b0120814a322a418593ba56a982e74a98b39e8836fe0a83399b81307
Opcode Fuzzy Hash: 8733de58cda35c17bcbcd4d143d9c39ffc117dc98bc94bcb977e8dd653e4559f
Instruction Fuzzy Hash: 3C21DFA160120A7BE6057A22DD43FFFBB5DAE10388F08C020FD0D96647EB64DF15D2A1

Function 00C8EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00C29837: __itow.LIBCMT ref: 00C29862
Part of subcall function 00C29837: __swprintf.LIBCMT ref: 00C298AC

Part of subcall function 00C3FC86: _wcscpy.LIBCMT ref: 00C3FCA9

_wcstok.LIBCMT ref: 00C8EC94
_wcscpy.LIBCMT ref: 00C8ED23
_memset.LIBCMT ref: 00C8ED56

Strings

X, xrefs: 00C8ED93

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: c0b864d384b921a8895bbae828e1de792aacfad9c7be234d6c55e7fd6392be91
Instruction ID: a7a4d71646fe3b6f61e58d859f5d6a4fc51763993c8031f310d2f68d182a6993
Opcode Fuzzy Hash: c0b864d384b921a8895bbae828e1de792aacfad9c7be234d6c55e7fd6392be91
Instruction Fuzzy Hash: E9C18B716087119FC724FF24D881A6AB7E0FF85314F00492DF9A99B6A2DB30ED45DB86

Function 00C96B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00C96C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00C96C21
WSAGetLastError.WSOCK32(00000000), ref: 00C96C34
htons.WSOCK32(?,?,?,00000000,?), ref: 00C96CEA
inet_ntoa.WSOCK32(?), ref: 00C96CA7

Part of subcall function 00C7A7E9: _strlen.LIBCMT ref: 00C7A7F3
Part of subcall function 00C7A7E9: _memmove.LIBCMT ref: 00C7A815

_strlen.LIBCMT ref: 00C96D44
_memmove.LIBCMT ref: 00C96DAD

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: c1efb1f6cf62e6777100fb1e7b733c857b322fe91a5f431a97054ac1f9077bd0
Instruction ID: ed4fb99ca002ed0de889dd490466f3ed0014729a7f12ff3a667a843bb70d7b16
Opcode Fuzzy Hash: c1efb1f6cf62e6777100fb1e7b733c857b322fe91a5f431a97054ac1f9077bd0
Instruction Fuzzy Hash: EF81CF72204310ABCB10EB24DC86F6FB7A8EF85714F50491CF5659B2D2DA70ED05DB91

Function 00C21424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cd72817ca2a09be031b062026cf2326ffa37e2a4db3fca0d9094306cc9c86bd
Instruction ID: 5b9136a2743b160039e81503f1617a33b3aaef377f36d63606d680b3b5b4d869
Opcode Fuzzy Hash: 4cd72817ca2a09be031b062026cf2326ffa37e2a4db3fca0d9094306cc9c86bd
Instruction Fuzzy Hash: 13719C34900119EFCB04DF99DC48ABEBBB9FF89314F188159F915AB251C734AA51CFA4

Function 00CAB351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(017E4A48), ref: 00CAB3EB
IsWindowEnabled.USER32(017E4A48), ref: 00CAB3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00CAB4DB
SendMessageW.USER32(017E4A48,000000B0,?,?), ref: 00CAB512
IsDlgButtonChecked.USER32(?,?), ref: 00CAB54F
GetWindowLongW.USER32(017E4A48,000000EC), ref: 00CAB571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00CAB589

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: bf5917fe3e2d043f0750c8df25a0be216aab4ed1bb3e99b3c3833d0a1fd25923
Instruction ID: 5d5c036945d9acac3f3ba4ac6b36688bca5f0f25f4375f778afda1ccb3d45dcf
Opcode Fuzzy Hash: bf5917fe3e2d043f0750c8df25a0be216aab4ed1bb3e99b3c3833d0a1fd25923
Instruction Fuzzy Hash: 8B718C34A05206AFDF209F65C894FAA7BB9EF0B308F144059F965972A3C731AE51DB50

Function 00C9F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C9F448
_memset.LIBCMT ref: 00C9F511
ShellExecuteExW.SHELL32(?), ref: 00C9F556

Part of subcall function 00C29837: __itow.LIBCMT ref: 00C29862
Part of subcall function 00C29837: __swprintf.LIBCMT ref: 00C298AC

Part of subcall function 00C3FC86: _wcscpy.LIBCMT ref: 00C3FCA9

GetProcessId.KERNEL32(00000000), ref: 00C9F5CD
CloseHandle.KERNEL32(00000000), ref: 00C9F5FC

Strings

@, xrefs: 00C9F525

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: b1123bc7c16c59bd7de2cc97031f2de48c6edf96bd9750617f22875d6fe42f5a
Instruction ID: 654ecaec5b5aaf719fffd22f766b82e1dfb0dc89c20a2aeba0dc5ad1ac0396cf
Opcode Fuzzy Hash: b1123bc7c16c59bd7de2cc97031f2de48c6edf96bd9750617f22875d6fe42f5a
Instruction Fuzzy Hash: E661AC75A00629DFCF14DFA4D4859AEBBB4FF49310F14806DE855AB791CB30AE42DB80

Function 00C80F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00C80F8C
GetKeyboardState.USER32(?), ref: 00C80FA1
SetKeyboardState.USER32(?), ref: 00C81002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00C81030
PostMessageW.USER32(?,00000101,00000011,?), ref: 00C8104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00C81095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00C810B8

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 7dcec026582d1b23d4b269c10f4c299a7bf99b370b5b1778b86a6ea954031ad0
Instruction ID: 221de28f04ec4f4747c263c346c5ebfe2b811b5dd773453143ec29c95827fec5
Opcode Fuzzy Hash: 7dcec026582d1b23d4b269c10f4c299a7bf99b370b5b1778b86a6ea954031ad0
Instruction Fuzzy Hash: AA51F5605047D53DFB3662748C05BBABEED5B06308F0C8589E6E4868C3C399AECAD755

Function 00C80D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00C80DA5
GetKeyboardState.USER32(?), ref: 00C80DBA
SetKeyboardState.USER32(?), ref: 00C80E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00C80E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00C80E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00C80EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00C80EC9

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8bbf87fb1398d9fb8effe808c64683764a3de23f4afdba3bb2e33391a0ad1dd6
Instruction ID: 5d62e6027e3001ea35d8beab64c9fd574ea151c9a311f9341ffbc58e6ac56ca8
Opcode Fuzzy Hash: 8bbf87fb1398d9fb8effe808c64683764a3de23f4afdba3bb2e33391a0ad1dd6
Instruction Fuzzy Hash: 0051F5A05046D53DFB7263648C45B7B7FE96B06308F18888DE1E4864C2C395AE8DE758

Function 00C855FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00C8560A
_wcsncpy.LIBCMT ref: 00C8563F
_wcsncpy.LIBCMT ref: 00C85671
_wcsncpy.LIBCMT ref: 00C856A4
_wcsncpy.LIBCMT ref: 00C856E6
_wcsncpy.LIBCMT ref: 00C85720
_wcsncpy.LIBCMT ref: 00C8574F

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: d59ad22614029f9235d4bbfbbe040bd4b81cefbfb1b02094e8663c44b311f9a4
Instruction ID: bebb09b656397430d22aa1fd1a33091bfb93039a496b4a5b97ffb264722cb512
Opcode Fuzzy Hash: d59ad22614029f9235d4bbfbbe040bd4b81cefbfb1b02094e8663c44b311f9a4
Instruction Fuzzy Hash: 6F41D175C1024476CB12FBF48C86ACFB7B8AF05310F508866F519E3221FA34A755D7AA

Function 00C83671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C8466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C83697,?), ref: 00C8468B

Part of subcall function 00C8466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C83697,?), ref: 00C846A4

lstrcmpiW.KERNEL32(?,?), ref: 00C836B7
_wcscmp.LIBCMT ref: 00C836D3
MoveFileW.KERNEL32(?,?), ref: 00C836EB
_wcscat.LIBCMT ref: 00C83733
SHFileOperationW.SHELL32(?), ref: 00C8379F

Strings

\*.*, xrefs: 00C8372D

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: a202516ae760542a1bdbe1901f522af6131329d90122b99756604dd098866f17
Instruction ID: 88519a24d00201c520306346c2ae89996482411f7a1b03f81e7038a3948a10f2
Opcode Fuzzy Hash: a202516ae760542a1bdbe1901f522af6131329d90122b99756604dd098866f17
Instruction Fuzzy Hash: BD41CF71508384AAC715FF64C841ADF77E8EF89744F00192EB49AC3251EA34D789D71A

Function 00CA7291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CA72AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CA7351
IsMenu.USER32(?), ref: 00CA7369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CA73B1
DrawMenuBar.USER32 ref: 00CA73C4

Strings

0, xrefs: 00CA729E

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 3cd3f915b1f73a424d8ef8781bbc59cf44eeb5632cab4b9950bb34551f74c00c
Instruction ID: f40f9cf0255df5f7fcda38e853fea8a3a607b9ca0f716a49cf9bd824b54162a2
Opcode Fuzzy Hash: 3cd3f915b1f73a424d8ef8781bbc59cf44eeb5632cab4b9950bb34551f74c00c
Instruction Fuzzy Hash: 76414875A41209EFDF20DF90D884A9ABBF8FF06318F158629FD159B260D730AE14DB50

Function 00CA0FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00CA0FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CA0FFE
FreeLibrary.KERNEL32(00000000), ref: 00CA10B5

Part of subcall function 00CA0FA5: RegCloseKey.ADVAPI32(?), ref: 00CA101B
Part of subcall function 00CA0FA5: FreeLibrary.KERNEL32(?), ref: 00CA106D
Part of subcall function 00CA0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00CA1090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00CA1058

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 1be263e360aa63ca2f8c7337e0216fa236f5b879e08bc6b2038752603b2643c1
Instruction ID: a4915f6dec188fa06d80c89a1fd4bab3672f2382c18fe895e2c3b94487bb4d66
Opcode Fuzzy Hash: 1be263e360aa63ca2f8c7337e0216fa236f5b879e08bc6b2038752603b2643c1
Instruction Fuzzy Hash: 19311C71900109BFDB159FD0DC89AFFB7BCEF09344F14016AE912A3141EA749F859BA0

Function 00CA62CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00CA62EC
GetWindowLongW.USER32(017E4A48,000000F0), ref: 00CA631F
GetWindowLongW.USER32(017E4A48,000000F0), ref: 00CA6354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00CA6386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00CA63B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00CA63C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00CA63DB

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: beba774cd2cafe9052273d856ef3eb1505bd37a538a9aad889fc999a9af2bd41
Instruction ID: 5229e381547b80625b499bd9a54c8f16db7b6f2932b499bf1423ecb6680cb718
Opcode Fuzzy Hash: beba774cd2cafe9052273d856ef3eb1505bd37a538a9aad889fc999a9af2bd41
Instruction Fuzzy Hash: 13313234641282EFDB21CF58DC84F5937E1FB4A718F1901A8F6618F2B2CB71A9429B50

Function 00C7DAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C7DB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C7DB54
SysAllocString.OLEAUT32(00000000), ref: 00C7DB57
SysAllocString.OLEAUT32(?), ref: 00C7DB75
SysFreeString.OLEAUT32(?), ref: 00C7DB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 00C7DBA3
SysAllocString.OLEAUT32(?), ref: 00C7DBB1

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 17fd902699e0d5f5c721de93089d8ab302b50c0731863128493dc9c82a086d8f
Instruction ID: f27f8786015179708f57cef53b10fe9cf3fb960d1fb61271d477247c07fc010e
Opcode Fuzzy Hash: 17fd902699e0d5f5c721de93089d8ab302b50c0731863128493dc9c82a086d8f
Instruction Fuzzy Hash: 25218136600219AFDF10DFB9DC88DBF77ACEF09364B118529FA19DB250D6709D418BA4

Function 00C96173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C97D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C97DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00C961C6
WSAGetLastError.WSOCK32(00000000), ref: 00C961D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00C9620E
connect.WSOCK32(00000000,?,00000010), ref: 00C96217
WSAGetLastError.WSOCK32 ref: 00C96221
closesocket.WSOCK32(00000000), ref: 00C9624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00C96263

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 258cd4ad48e2d45961ee1716a6e5c1f0a01a51daf33164353f285992c92cf3c9
Instruction ID: a2c0b8a355ae5f5e4a8aa599680ffa8890e02ae60f69374dbb98744a40623b5f
Opcode Fuzzy Hash: 258cd4ad48e2d45961ee1716a6e5c1f0a01a51daf33164353f285992c92cf3c9
Instruction Fuzzy Hash: 5631CF31600218AFDF10AF64CC89BBE7BA8EB46764F048029F915A72D1DB74AD059BA1

Function 00C7F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00C7F671
__wcsnicmp.LIBCMT ref: 00C7F692
__wcsnicmp.LIBCMT ref: 00C7F6AC

Strings

#requireadmin, xrefs: 00C7F68C
#notrayicon, xrefs: 00C7F669
#OnAutoItStartRegister, xrefs: 00C7F6A6

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: fa3906e60b25c39d0d65ed3af32108c06f5db628475c29fbd36fda11474df125
Instruction ID: e6ec4c8fa676b1c978fe33c4f3750c53edd30d66add076f2f90f34a67a0ee35c
Opcode Fuzzy Hash: fa3906e60b25c39d0d65ed3af32108c06f5db628475c29fbd36fda11474df125
Instruction Fuzzy Hash: D521687224421166D634AA36AC83FB773E8EF95340F10C43DF99A87091EB609E43E3A5

Function 00C7DBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C7DC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C7DC2F
SysAllocString.OLEAUT32(00000000), ref: 00C7DC32
SysAllocString.OLEAUT32 ref: 00C7DC53
SysFreeString.OLEAUT32 ref: 00C7DC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 00C7DC76
SysAllocString.OLEAUT32(?), ref: 00C7DC84

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 15f7cd64b47a6c6b86eb42ac726054c7d6329efb61c239823972adee71b87b30
Instruction ID: cfbfd8c94f33c2da3d5ccc5ad2a0bceb4862b5022f21e459be88140f0e384c92
Opcode Fuzzy Hash: 15f7cd64b47a6c6b86eb42ac726054c7d6329efb61c239823972adee71b87b30
Instruction Fuzzy Hash: 71213235604205AF9B119BF9DC88EAB77ACEF09364B10C129F919CB261D674DD81CB64

Function 00CA75CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C21D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C21D73
Part of subcall function 00C21D35: GetStockObject.GDI32(00000011), ref: 00C21D87
Part of subcall function 00C21D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C21D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00CA7632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00CA763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00CA764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00CA7659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00CA7665

Strings

Msctls_Progress32, xrefs: 00CA7603

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 43ed75caab21905920001d82e383f4265684573e8c7e400daed9124bfb26a6a4
Instruction ID: f08e41b72f88e746a6b6b0e662383db1be1d1f2cc0ba73a0c94e28d17f282623
Opcode Fuzzy Hash: 43ed75caab21905920001d82e383f4265684573e8c7e400daed9124bfb26a6a4
Instruction Fuzzy Hash: 2E11B6B111011ABFEF118F64CC85EEB7F6DFF09798F014115BA04A6050C6729C21DBA4

Function 00C49AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00C49AE6

Part of subcall function 00C43187: EncodePointer.KERNEL32(00000000), ref: 00C4318A
Part of subcall function 00C43187: __initp_misc_winsig.LIBCMT ref: 00C431A5
Part of subcall function 00C43187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00C49EA0
Part of subcall function 00C43187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00C49EB4
Part of subcall function 00C43187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00C49EC7
Part of subcall function 00C43187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00C49EDA
Part of subcall function 00C43187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00C49EED
Part of subcall function 00C43187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00C49F00
Part of subcall function 00C43187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00C49F13
Part of subcall function 00C43187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00C49F26
Part of subcall function 00C43187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00C49F39
Part of subcall function 00C43187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00C49F4C
Part of subcall function 00C43187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00C49F5F
Part of subcall function 00C43187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00C49F72
Part of subcall function 00C43187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00C49F85
Part of subcall function 00C43187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00C49F98
Part of subcall function 00C43187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00C49FAB
Part of subcall function 00C43187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00C49FBE

__mtinitlocks.LIBCMT ref: 00C49AEB
__mtterm.LIBCMT ref: 00C49AF4

Part of subcall function 00C49B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00C49AF9,00C47CD0,00CDA0B8,00000014), ref: 00C49C56
Part of subcall function 00C49B5C: _free.LIBCMT ref: 00C49C5D
Part of subcall function 00C49B5C: DeleteCriticalSection.KERNEL32(00CDEC00,?,?,00C49AF9,00C47CD0,00CDA0B8,00000014), ref: 00C49C7F

__calloc_crt.LIBCMT ref: 00C49B19
__initptd.LIBCMT ref: 00C49B3B
GetCurrentThreadId.KERNEL32 ref: 00C49B42

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: f373efe511c2f0308a7a34769fb9fe2589ee311c013475ba06abb2318c650326
Instruction ID: 53e32987da7704231c0e8f92c3cf10494db0032dbc208d4e430e322a30ceb7d0
Opcode Fuzzy Hash: f373efe511c2f0308a7a34769fb9fe2589ee311c013475ba06abb2318c650326
Instruction Fuzzy Hash: F4F06D3250A7315AE634B774BC07B8F27D0FF02738F200A2AF460860D2EE30854161A0

Function 00C4406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00C43F85), ref: 00C44085
GetProcAddress.KERNEL32(00000000), ref: 00C4408C
EncodePointer.KERNEL32(00000000), ref: 00C44097
DecodePointer.KERNEL32(00C43F85), ref: 00C440B2

Strings

combase.dll, xrefs: 00C44080
RoUninitialize, xrefs: 00C44074

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: d26e9539c2c9bed80d40ec18e63ffb229457c081da5cb500c8161e0284023db8
Instruction ID: bf8fc324efada400896726f06fd346a730b1784273721e7b3cddd69e6e9d7796
Opcode Fuzzy Hash: d26e9539c2c9bed80d40ec18e63ffb229457c081da5cb500c8161e0284023db8
Instruction Fuzzy Hash: 53E09270681280AFEB20AFA2EC4DB4D3AA4B715746F10452DF511EB0E0CBB65601DA14

Function 00C864B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C8660B
_memmove.LIBCMT ref: 00C86546

Part of subcall function 00C29837: __itow.LIBCMT ref: 00C29862
Part of subcall function 00C29837: __swprintf.LIBCMT ref: 00C298AC

_memmove.LIBCMT ref: 00C865B9
_memmove.LIBCMT ref: 00C866A0
_memmove.LIBCMT ref: 00C866B9
_memmove.LIBCMT ref: 00C866D5

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 3fd6988472e4aa1aa35ce34ebe0d23a15edce03bbaf9a95066af34e064a33923
Instruction ID: 81be3a1b5095bfc95e75750f50211998eec9e9d3ab21fcdedb523358c1646b7a
Opcode Fuzzy Hash: 3fd6988472e4aa1aa35ce34ebe0d23a15edce03bbaf9a95066af34e064a33923
Instruction Fuzzy Hash: C4618C309006AA9BCF11FF60DC82EFE37A5EF05308F044559F9596B292EB34AD15EB54

Function 00CA01E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C27DE1: _memmove.LIBCMT ref: 00C27E22

Part of subcall function 00CA0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C9FDAD,?,?), ref: 00CA0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CA02BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CA02FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00CA0320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00CA0349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00CA038C
RegCloseKey.ADVAPI32(00000000), ref: 00CA0399

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 291a2319e58f3f3b12f623c4dc26ac97069f683f4c47b04ccebe4e1ec219c413
Instruction ID: ee55d181cc824f0f8b8a93df516062a2cf663c85c53433fdb9c3e1d77e2a3664
Opcode Fuzzy Hash: 291a2319e58f3f3b12f623c4dc26ac97069f683f4c47b04ccebe4e1ec219c413
Instruction Fuzzy Hash: 8A514731208201AFCB14EF64D885E6FBBE8FF86358F14491DF595872A2DB31E905EB52

Function 00CA5799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00CA57FB
GetMenuItemCount.USER32(00000000), ref: 00CA5832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00CA585A
GetMenuItemID.USER32(?,?), ref: 00CA58C9
GetSubMenu.USER32(?,?), ref: 00CA58D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00CA5928

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: a83cd201d7a3421bc38d3b81d41073865e3054c29ad9afb0553a524b29110a0a
Instruction ID: f7dff6c84a3a9db99acaf7ca44e8d1fa6b2de69555b9219768bed65f75c3a993
Opcode Fuzzy Hash: a83cd201d7a3421bc38d3b81d41073865e3054c29ad9afb0553a524b29110a0a
Instruction Fuzzy Hash: BF515E35E00616EFCF11EFA4C845AAEB7B4FF49714F148059E851BB391CB74AE419B90

Function 00C7EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C7EF06
VariantClear.OLEAUT32(00000013), ref: 00C7EF78
VariantClear.OLEAUT32(00000000), ref: 00C7EFD3
_memmove.LIBCMT ref: 00C7EFFD
VariantClear.OLEAUT32(?), ref: 00C7F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00C7F078

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: ad77b3ad24a65a0c78cb686aa828e029dc788d830a3a29807c858a7017743e9a
Instruction ID: d03baa434654201a8bb5fb367c8c1873d8cf25ecfb830fd82322f64a132f169f
Opcode Fuzzy Hash: ad77b3ad24a65a0c78cb686aa828e029dc788d830a3a29807c858a7017743e9a
Instruction Fuzzy Hash: 805169B5A00209EFCB14CF58C884AAAB7B8FF4D314B15856DE959DB301E734E912CFA0

Function 00C8220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C82258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C822A3
IsMenu.USER32(00000000), ref: 00C822C3
CreatePopupMenu.USER32 ref: 00C822F7
GetMenuItemCount.USER32(000000FF), ref: 00C82355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00C82386

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: e83a81441bf5050e7c72d05782179fbd8774de7dec8a2db293801b18dd9a2f16
Instruction ID: de1ed74948569029aa4ba4407b9c19037e4e3ac009e380df3b8bece56445a904
Opcode Fuzzy Hash: e83a81441bf5050e7c72d05782179fbd8774de7dec8a2db293801b18dd9a2f16
Instruction Fuzzy Hash: E051AE70A00209EFDF21EF68D89CBADBBF9AF4631CF104129E861972A0D7749A45CB55

Function 00C21765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00C22612: GetWindowLongW.USER32(?,000000EB), ref: 00C22623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00C2179A
GetWindowRect.USER32(?,?), ref: 00C217FE
ScreenToClient.USER32(?,?), ref: 00C2181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00C2182C
EndPaint.USER32(?,?), ref: 00C21876

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: d6860764c321bdcd16c6a7d57bcb18bcce19502ec53e630ad10344f104c8b2e0
Instruction ID: c37afd65b102d05122fac77e84d6645aac753c9354a39977d06b248d01b547ad
Opcode Fuzzy Hash: d6860764c321bdcd16c6a7d57bcb18bcce19502ec53e630ad10344f104c8b2e0
Instruction Fuzzy Hash: BE41AE31500750AFD720DF25DCC4BAA7BE8EB56728F180628F9A48B2E1C7709D45DB61

Function 00CAB69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00CE57B0,00000000,017E4A48,?,?,00CE57B0,?,00CAB5A8,?,?), ref: 00CAB712
EnableWindow.USER32(00000000,00000000), ref: 00CAB736
ShowWindow.USER32(00CE57B0,00000000,017E4A48,?,?,00CE57B0,?,00CAB5A8,?,?), ref: 00CAB796
ShowWindow.USER32(00000000,00000004,?,00CAB5A8,?,?), ref: 00CAB7A8
EnableWindow.USER32(00000000,00000001), ref: 00CAB7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00CAB7EF

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 6010e1d21f41455d51c23b090015f984710f81c9830791a8538ee83f77565796
Instruction ID: 35043ac8aad84323ff6812cd7989ea5cfa86cb0dcd1fdc3cdbcc563d147b0c9d
Opcode Fuzzy Hash: 6010e1d21f41455d51c23b090015f984710f81c9830791a8538ee83f77565796
Instruction Fuzzy Hash: D1415E34600242AFDB26CF24C499B947BE1FF46318F1841A9F958CF6A3C771AD56DB60

Function 00C9709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00C94E41,?,?,00000000,00000001), ref: 00C970AC

Part of subcall function 00C939A0: GetWindowRect.USER32(?,?), ref: 00C939B3

GetDesktopWindow.USER32 ref: 00C970D6
GetWindowRect.USER32(00000000), ref: 00C970DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00C9710F

Part of subcall function 00C85244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C852BC

GetCursorPos.USER32(?), ref: 00C9713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00C97199

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: b5256d890237aa328bdda2879b622712ce6992f1f523609a9a7b53e536e29c9d
Instruction ID: 9397c0b12dfffa0653ce1218a3e52b8af0877bdc053aea5851cc4077ea8d7396
Opcode Fuzzy Hash: b5256d890237aa328bdda2879b622712ce6992f1f523609a9a7b53e536e29c9d
Instruction Fuzzy Hash: 4731D272509305ABDB20EF54C849B9FB7E9FF89318F000A19F59997191CB70EA09CB92

Function 00C78879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C780A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C780C0
Part of subcall function 00C780A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C780CA
Part of subcall function 00C780A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C780D9
Part of subcall function 00C780A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C780E0
Part of subcall function 00C780A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C780F6

GetLengthSid.ADVAPI32(?,00000000,00C7842F), ref: 00C788CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00C788D6
HeapAlloc.KERNEL32(00000000), ref: 00C788DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 00C788F6
GetProcessHeap.KERNEL32(00000000,00000000,00C7842F), ref: 00C7890A
HeapFree.KERNEL32(00000000), ref: 00C78911

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 0735ce452352a0e19287d2794a1e71896c2dc6785d00aa4c68d2c821c9d8f1ec
Instruction ID: 7bd869f84a968a9f175d5481dd7cc06e10883d5074a00f1d18d4f2b55dc0de84
Opcode Fuzzy Hash: 0735ce452352a0e19287d2794a1e71896c2dc6785d00aa4c68d2c821c9d8f1ec
Instruction Fuzzy Hash: CA11BE31641209FFDB109FA4DC0ABBE7BA8FB45315F10802DEA9997210CB329E09DB61

Function 00C785B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00C785E2
OpenProcessToken.ADVAPI32(00000000), ref: 00C785E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00C785F8
CloseHandle.KERNEL32(00000004), ref: 00C78603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C78632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00C78646

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: dac398a80cc7a945c174b7b541d08da68fa79bb4f8a6b1725a56a0d75902516d
Instruction ID: 75439dad54d06f91f23cab929a7018d88b478b229d59cce7b6094704b6ac51d8
Opcode Fuzzy Hash: dac398a80cc7a945c174b7b541d08da68fa79bb4f8a6b1725a56a0d75902516d
Instruction Fuzzy Hash: 56115C72541209ABDF028FA4DD49BEE7BA9EF09348F048069FE04A2160C7718E65DB60

Function 00C7B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00C7B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 00C7B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C7B7CD
ReleaseDC.USER32(00000000,00000000), ref: 00C7B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00C7B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 00C7B7FE

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: e4e77f31086c3609e52baeea559556ee89c1bb70a3b6e691915f48015e9278a8
Instruction ID: 2e60139f47a75605440e9a8837ef97f1ead4e58964c36d2882516caee213159c
Opcode Fuzzy Hash: e4e77f31086c3609e52baeea559556ee89c1bb70a3b6e691915f48015e9278a8
Instruction Fuzzy Hash: C6018475E00209BBEB109BE69C49B5EBFB8EB49311F008079FA08E7291D6709D01CFA0

Function 00C40162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C40193
MapVirtualKeyW.USER32(00000010,00000000), ref: 00C4019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C401A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C401B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00C401B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C401C1

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 0341254dafc94dcd0b4762e4e8067099380b9b635fd29e67c0439eefecfe6185
Instruction ID: abcf78e044182aa1ecc89bd9239d5ebae7e4419cd6e00599b08367c1d061dbc3
Opcode Fuzzy Hash: 0341254dafc94dcd0b4762e4e8067099380b9b635fd29e67c0439eefecfe6185
Instruction Fuzzy Hash: A10148B09017597DE3008F5A8C85B56FEA8FF19354F00411BA15847941C7B5A864CBE5

Function 00C853E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00C853F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00C8540F
GetWindowThreadProcessId.USER32(?,?), ref: 00C8541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C8542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C85437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C8543E

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 5fbe4a5e1e5030fbca2454489cbbcfbdd4fdce28a7af5dc0d072e204ec56091d
Instruction ID: 3082a2bbe84b32a895c3cc01c0d35460cfb37624cb7e62908b94f80675bfaf4a
Opcode Fuzzy Hash: 5fbe4a5e1e5030fbca2454489cbbcfbdd4fdce28a7af5dc0d072e204ec56091d
Instruction Fuzzy Hash: A7F01D32241558BBE7215BE2DC0DFEF7A7CEBC7B19F00016DFA04D206196B11A0286B5

Function 00C87230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00C87243
EnterCriticalSection.KERNEL32(?,?,00C30EE4,?,?), ref: 00C87254
TerminateThread.KERNEL32(00000000,000001F6,?,00C30EE4,?,?), ref: 00C87261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00C30EE4,?,?), ref: 00C8726E

Part of subcall function 00C86C35: CloseHandle.KERNEL32(00000000,?,00C8727B,?,00C30EE4,?,?), ref: 00C86C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00C87281
LeaveCriticalSection.KERNEL32(?,?,00C30EE4,?,?), ref: 00C87288

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 459d2e59fb4320b113df801112024f75965c8200f9a2a5f9558ed8aa14f2425b
Instruction ID: bc36ec4ac7d2a09a344d17233095f37b09f0155ed74f0bdf30d582e922199cf4
Opcode Fuzzy Hash: 459d2e59fb4320b113df801112024f75965c8200f9a2a5f9558ed8aa14f2425b
Instruction Fuzzy Hash: F9F05E36540612EBD7622BA4ED4CBEE7729FF4670AB100739F603920A1DB765902CB50

Function 00C78992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C7899D
UnloadUserProfile.USERENV(?,?), ref: 00C789A9
CloseHandle.KERNEL32(?), ref: 00C789B2
CloseHandle.KERNEL32(?), ref: 00C789BA
GetProcessHeap.KERNEL32(00000000,?), ref: 00C789C3
HeapFree.KERNEL32(00000000), ref: 00C789CA

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 4fbb95a978838b5934d55f5e64fc3feaffc271673fb9b217a3a78e4a0b0dbcad
Instruction ID: c7a855911c7335a1bea6ab52b99c8fd1013f27f0cd2891cab893adb44d5ba479
Opcode Fuzzy Hash: 4fbb95a978838b5934d55f5e64fc3feaffc271673fb9b217a3a78e4a0b0dbcad
Instruction Fuzzy Hash: 81E05276104505FFDB021FE5EC0CB5EBB69FB8A76AB508639F219C2470CB329462DB50

Function 00C985ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C98613
CharUpperBuffW.USER32(?,?), ref: 00C98722
VariantClear.OLEAUT32(?), ref: 00C9889A

Part of subcall function 00C87562: VariantInit.OLEAUT32(00000000), ref: 00C875A2
Part of subcall function 00C87562: VariantCopy.OLEAUT32(00000000,?), ref: 00C875AB
Part of subcall function 00C87562: VariantClear.OLEAUT32(00000000), ref: 00C875B7

Strings

Incorrect Parameter format, xrefs: 00C9864B, 00C9880D
AUTOIT.ERROR, xrefs: 00C98728

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 67a0b87472a8a8ea44da1e306fe5319f48060440ace24680082677facfa0dd30
Instruction ID: b9f5ef6bba066a22eea28144c9eaebb75840bfb71f02c55e94e0ce15a6b7152f
Opcode Fuzzy Hash: 67a0b87472a8a8ea44da1e306fe5319f48060440ace24680082677facfa0dd30
Instruction Fuzzy Hash: 7B917F71608301DFCB10DF25C48495ABBF4EF8A714F14896DF99A8B3A1DB31E949CB52

Function 00C82A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C3FC86: _wcscpy.LIBCMT ref: 00C3FCA9

_memset.LIBCMT ref: 00C82B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C82BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C82C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00C82C97

Strings

0, xrefs: 00C82B73

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 78e13250f737ceb873a4db190ecabc45a99422da55b9b78b3fb1be5dfc6fb419
Instruction ID: 92208f48bf284a56c0e6885d5a2568aa413067a18a0b1754bca15781f278d516
Opcode Fuzzy Hash: 78e13250f737ceb873a4db190ecabc45a99422da55b9b78b3fb1be5dfc6fb419
Instruction Fuzzy Hash: E851BF715093009BE724AE28D849A7FB7E8EF45358F140A2DF8A6D71D0DB70CE04975A

Function 00C7D56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C7D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00C7D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00C7D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00C7D69D

Strings

DllGetClassObject, xrefs: 00C7D610

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: bd36a38fb218b6991ad9f03a4c06719801d14160ce93c243d019a16f52e309a7
Instruction ID: 905f422a933ff21ed708d396ddbebfbc2a421e44942b8a1d565cce0a6d36ec68
Opcode Fuzzy Hash: bd36a38fb218b6991ad9f03a4c06719801d14160ce93c243d019a16f52e309a7
Instruction Fuzzy Hash: 06416AB1600204EFDB15DF65C888B9ABBB9EF84314F1585ADB90E9F205D7B1DA44CBA0

Function 00C82753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C827C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00C827DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00C82822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00CE5890,00000000), ref: 00C8286B

Strings

0, xrefs: 00C827B5

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: e0288ffbb439d5b7faf482be30e371931929476955665b395419b735ca1bafbc
Instruction ID: 57aedf2f097ce75a861218165ad600cd44b934b99ac5dc0e92660eba28ac4b51
Opcode Fuzzy Hash: e0288ffbb439d5b7faf482be30e371931929476955665b395419b735ca1bafbc
Instruction Fuzzy Hash: F041A071604301AFDB20EF24C888F1ABBE8EF85318F044A2EF865972D1D730A905DB56

Function 00C9D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00C9D7C5

Part of subcall function 00C2784B: _memmove.LIBCMT ref: 00C27899

Strings

cdecl, xrefs: 00C9D81C
stdcall, xrefs: 00C9D847
winapi, xrefs: 00C9D836
none, xrefs: 00C9D8A0

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: a67397fc48ffda58f72a577e13ad92de1439176806e0b9ab72fea193d4b9b307
Instruction ID: a400fb3ce6b9f5f1aef1a644d3869563caaa829e81bc8b62dd5705d5ac13ca1a
Opcode Fuzzy Hash: a67397fc48ffda58f72a577e13ad92de1439176806e0b9ab72fea193d4b9b307
Instruction Fuzzy Hash: 45318171904615AFCF00EF54C8959BEB3B5FF05320B10862AF876A77D2DB71A905DB80

Function 00C78E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C27DE1: _memmove.LIBCMT ref: 00C27E22

Part of subcall function 00C7AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C7AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00C78F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00C78F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00C78F57

Part of subcall function 00C27BCC: _memmove.LIBCMT ref: 00C27C06

Strings

ComboBox, xrefs: 00C78E9E
ListBox, xrefs: 00C78ED3

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 51c10b8ad3db6162e1bbff5249fcb6af4e1cb995cf1ed728d300b6ca20d65622
Instruction ID: 2898e588d0c1e683a272422315bb8a542a662b838a31dff96c2a47022f87eb78
Opcode Fuzzy Hash: 51c10b8ad3db6162e1bbff5249fcb6af4e1cb995cf1ed728d300b6ca20d65622
Instruction Fuzzy Hash: 3721F271A40108BFDB14ABF09C89DFFB779DF06320B148229F529A72E0DF35490AA650

Function 00C9182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C9184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C91872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C918A2
InternetCloseHandle.WININET(00000000), ref: 00C918E9

Part of subcall function 00C92483: GetLastError.KERNEL32(?,?,00C91817,00000000,00000000,00000001), ref: 00C92498
Part of subcall function 00C92483: SetEvent.KERNEL32(?,?,00C91817,00000000,00000000,00000001), ref: 00C924AD

Strings

, xrefs: 00C91893

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 1cdae7cd0d82da57832fc602086c535ae8af935dd2a9a8c171516fe89b5224c7
Instruction ID: 33086608ec8f3eeb0ed0506de46c77f08e6d353f96b23ef89e0eb9ff68ce8b5d
Opcode Fuzzy Hash: 1cdae7cd0d82da57832fc602086c535ae8af935dd2a9a8c171516fe89b5224c7
Instruction Fuzzy Hash: A221B0B5500209BFEB119BA1DC8AFBF77EDEB49744F14412AF805D7180DA308E0567A4

Function 00CA63E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C21D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C21D73
Part of subcall function 00C21D35: GetStockObject.GDI32(00000011), ref: 00C21D87
Part of subcall function 00C21D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C21D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00CA6461
LoadLibraryW.KERNEL32(?), ref: 00CA6468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00CA647D
DestroyWindow.USER32(?), ref: 00CA6485

Strings

SysAnimate32, xrefs: 00CA643C

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 66b3063ff2d320579c5008b5eaab3643d56097aecfecafa83f494394ffa4ed68
Instruction ID: 493d850a01412d1421e8951a46c03ef723101557cda0c894027432084c77e0c2
Opcode Fuzzy Hash: 66b3063ff2d320579c5008b5eaab3643d56097aecfecafa83f494394ffa4ed68
Instruction Fuzzy Hash: 65215B71200206BBEF108FA4DC84FBA77A9EB5A76CF184629FA60971A0D771DC51A760

Function 00C86D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00C86DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C86DEF
GetStdHandle.KERNEL32(0000000C), ref: 00C86E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00C86E3B

Strings

nul, xrefs: 00C86E36

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: fced57fa298440d6038eea69769014decad130435e85585d6fbdeaccf612917b
Instruction ID: db74fb357ada3b1313e6762338eb3b561b72ab0843ad8c4083771de3e2c885f9
Opcode Fuzzy Hash: fced57fa298440d6038eea69769014decad130435e85585d6fbdeaccf612917b
Instruction Fuzzy Hash: FA219274600209ABDB20AF69DC04B9E77F4EF45728F20462AFDB1D72D0D7709951DB58

Function 00C86E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00C86E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C86EBB
GetStdHandle.KERNEL32(000000F6), ref: 00C86ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00C86F06

Strings

nul, xrefs: 00C86F01

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: cd217d8fe1aac988f50e406929a53085d6fef0a23f2ab7e4e959ab4382046173
Instruction ID: 743876dde5e9dcf6f8520b9e1d2d7bd11c301d764c5d3a9b53677125bec4f18e
Opcode Fuzzy Hash: cd217d8fe1aac988f50e406929a53085d6fef0a23f2ab7e4e959ab4382046173
Instruction Fuzzy Hash: 71216D796003059BDB20AF69DC04BAA77A8EF45728F200A19F9B1D72D0DB70A951CB68

Function 00C8AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C8AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00C8ACA8
__swprintf.LIBCMT ref: 00C8ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,00CAF910), ref: 00C8ACFF

Strings

%lu, xrefs: 00C8ACBB

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: a910367088ac0b3590922c0e8128ec1a6451ebc9ec77f0d276dbe2d1e3bc24e3
Instruction ID: 748d07b892d97b24c9acfd84d18e1bbfeb31914104e8170ce80d7b62d1ca0cf5
Opcode Fuzzy Hash: a910367088ac0b3590922c0e8128ec1a6451ebc9ec77f0d276dbe2d1e3bc24e3
Instruction Fuzzy Hash: D4217131A00109AFCB10EFA5D945EAE7BB8FF49718B0040A9F909DB251DA71EA41DB61

Function 00C81AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C81B19

Strings

REMOVE, xrefs: 00C81B1F
EXISTS, xrefs: 00C81B41
KEYS, xrefs: 00C81B30
APPEND, xrefs: 00C81B52

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: caa1416db1fc32e502cde7acf08b935cbbaf00b07a9f67f30fd3e7000058191b
Instruction ID: 957cf530c58b2d1553d9d1f88ef6c37a21b02ca6196ee95286891a8464d19a35
Opcode Fuzzy Hash: caa1416db1fc32e502cde7acf08b935cbbaf00b07a9f67f30fd3e7000058191b
Instruction Fuzzy Hash: 1C1161B09401189FCF00EF94E8519FEB7B4FF26308F1444A9D924A7791EB325D0AEB54

Function 00C9EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00C9EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00C9EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00C9ED6A
CloseHandle.KERNEL32(?), ref: 00C9EDEB

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 8b4ee8d7c9153a825b864fcbf69deadbfb7e6a55ff4748dea9eec5165b607ce2
Instruction ID: ee0a67584c6a134d09000d43cfeaeec834f34b25a9bdc9b17125c515015692ec
Opcode Fuzzy Hash: 8b4ee8d7c9153a825b864fcbf69deadbfb7e6a55ff4748dea9eec5165b607ce2
Instruction Fuzzy Hash: 3A818E71600311AFDB20EF28D886F2AB7E5EF58710F04881DF9999B6D2DAB0AD44CB55

Function 00CA0037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C27DE1: _memmove.LIBCMT ref: 00C27E22

Part of subcall function 00CA0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C9FDAD,?,?), ref: 00CA0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CA00FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CA013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00CA0183
RegCloseKey.ADVAPI32(?,?), ref: 00CA01AF
RegCloseKey.ADVAPI32(00000000), ref: 00CA01BC

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 8fb027f92c79eda5b34ff4aad3573a18c91cfd529b2bea01913dc8cb7e586dcb
Instruction ID: d67d55b0aec3ae45b9d3b6c970ccddc10edd38ecef4c6d2b95894607fdb0bc7a
Opcode Fuzzy Hash: 8fb027f92c79eda5b34ff4aad3573a18c91cfd529b2bea01913dc8cb7e586dcb
Instruction Fuzzy Hash: 6E519C71208205AFC704EF68D881FAEB7E8FF85308F50892DF595872A2DB31E905DB52

Function 00C9D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29837: __itow.LIBCMT ref: 00C29862
Part of subcall function 00C29837: __swprintf.LIBCMT ref: 00C298AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00C9D927
GetProcAddress.KERNEL32(00000000,?), ref: 00C9D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 00C9D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 00C9DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00C9DA21

Part of subcall function 00C25A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C87896,?,?,00000000), ref: 00C25A2C
Part of subcall function 00C25A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C87896,?,?,00000000,?,?), ref: 00C25A50

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 96272db0194f5cfcc0b7c574c00672d9ec0c5c22d07b60e71d141faa69e198da
Instruction ID: ed966373fdf0aae6290612776a8d95edd7fb5edb0d1a095fdc6a38fcf0957e05
Opcode Fuzzy Hash: 96272db0194f5cfcc0b7c574c00672d9ec0c5c22d07b60e71d141faa69e198da
Instruction Fuzzy Hash: 41512935A00219DFCB00EFA8D4889ADB7F4FF19324B058069E956AB312DB31EE46DF50

Function 00C8E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00C8E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00C8E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00C8E687

Part of subcall function 00C29837: __itow.LIBCMT ref: 00C29862
Part of subcall function 00C29837: __swprintf.LIBCMT ref: 00C298AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00C8E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00C8E6B4

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 59ce26714f058b06f0099c773f180b45f9fe565d44927c274e5bea45f417efc4
Instruction ID: 20902f22e1738ef507922e9edf199f62034be80c72b908f8b5e941dea2c3d5df
Opcode Fuzzy Hash: 59ce26714f058b06f0099c773f180b45f9fe565d44927c274e5bea45f417efc4
Instruction Fuzzy Hash: AC512C35A00219DFCB01EF64D981AAEBBF5EF09314F1480A9E859AB361DB31ED11DF54

Function 00CAA056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f4c24e20a8845fd873c2e7471d8847a43002d8c8109e5361c29a8eba2aada23
Instruction ID: 0923b01a215b434671c231e89759f4c11a7c6a8ff3833b9bff89980d28394677
Opcode Fuzzy Hash: 7f4c24e20a8845fd873c2e7471d8847a43002d8c8109e5361c29a8eba2aada23
Instruction Fuzzy Hash: 5A41C335904106FFD724DF68CC88FADBBA4EB0B318F140165FA26A72E1C730AE41EA51

Function 00C22344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00C22357
ScreenToClient.USER32(00CE57B0,?), ref: 00C22374
GetAsyncKeyState.USER32(00000001), ref: 00C22399
GetAsyncKeyState.USER32(00000002), ref: 00C223A7

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 352096ca30d86e5c116322e939ebd52cedac4f4811e7aadf528577454d4aa2e9
Instruction ID: d52b1d27bf39e8988a9ce21b6ad97865f4db551a798889d0c0c18f18f692d479
Opcode Fuzzy Hash: 352096ca30d86e5c116322e939ebd52cedac4f4811e7aadf528577454d4aa2e9
Instruction Fuzzy Hash: CE416F39604215FFDB15DF69C884AEDBBB8FB05365F204319F839922A0C7349E94EB91

Function 00C763AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C763E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00C76433
TranslateMessage.USER32(?), ref: 00C7645C
DispatchMessageW.USER32(?), ref: 00C76466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C76475

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 5c3c93fdcb5ce9b42813952265f5a00261f242747cb174115406749e0d864054
Instruction ID: 2d0688bef78b5afda3b372ccfbd5953dc20913e778536ec9534954eee447ce8d
Opcode Fuzzy Hash: 5c3c93fdcb5ce9b42813952265f5a00261f242747cb174115406749e0d864054
Instruction Fuzzy Hash: E731E671900A86AFDB24CFB1DC84BBA7BECAB01308F148169E539D71A0E7359985DB60

Function 00C78A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C78A30
PostMessageW.USER32(?,00000201,00000001), ref: 00C78ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00C78AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00C78AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00C78AF8

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 42ac6710acce8da6e3ef48138f9f91396c14e9103b50a3e565c80a9ce51b60eb
Instruction ID: 3b0e3d422a100dde5b87400b7651b09dc5d63382b2d09b780dd820a274c2227f
Opcode Fuzzy Hash: 42ac6710acce8da6e3ef48138f9f91396c14e9103b50a3e565c80a9ce51b60eb
Instruction Fuzzy Hash: 2131B171500219EBDF14CFA8D94DB9E3BB5EB05325F10822AFA29E71D0C7B09A15DB90

Function 00C7B1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00C7B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C7B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C7B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00C7B27F
_wcsstr.LIBCMT ref: 00C7B289

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: d3f824bb5bf55c50cf797da1af6f0d60dd5e68629fa561920c3c8cd393e5389c
Instruction ID: 8af6d305623001d964c6a58ceec8a1fafe12215a086a13573724a0592032e8af
Opcode Fuzzy Hash: d3f824bb5bf55c50cf797da1af6f0d60dd5e68629fa561920c3c8cd393e5389c
Instruction Fuzzy Hash: 4921F5316052047BEB255B769C09F7F7BA8EF49750F10812DF809DA162EF719D41A2A0

Function 00CAB14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00C22612: GetWindowLongW.USER32(?,000000EB), ref: 00C22623

GetWindowLongW.USER32(?,000000F0), ref: 00CAB192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00CAB1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00CAB1CF
GetSystemMetrics.USER32(00000004), ref: 00CAB1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00C90E90,00000000), ref: 00CAB216

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 2cec4745ef6fefe85ab0858804411c6ec37aad5e6271943d83740b5d017e3ca4
Instruction ID: 8e41a08b64c6db60ac4373fffe9ef18235494d6286a519b37fc421b9c9a31515
Opcode Fuzzy Hash: 2cec4745ef6fefe85ab0858804411c6ec37aad5e6271943d83740b5d017e3ca4
Instruction Fuzzy Hash: 90218071910662AFCB209F799C54B6E37A4EB06329F104729BA32D71E1E7309D619B90

Function 00C79307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C79320

Part of subcall function 00C27BCC: _memmove.LIBCMT ref: 00C27C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C79352
__itow.LIBCMT ref: 00C7936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C79392
__itow.LIBCMT ref: 00C793A3

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 768ffed248be618b7f383b237e749c1ef9fb12996f5c024536361e1fbf001033
Instruction ID: c5ad59a6b387023622ec9b72b73ccb9c13276e40b11db479547acfa387af4c2d
Opcode Fuzzy Hash: 768ffed248be618b7f383b237e749c1ef9fb12996f5c024536361e1fbf001033
Instruction Fuzzy Hash: 3221D731700218ABDB109EA59C8AEEE7BA9EB89710F048029FD09D71E1D6B0CE419791

Function 00C95A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00C95A6E
GetForegroundWindow.USER32 ref: 00C95A85
GetDC.USER32(00000000), ref: 00C95AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00C95ACD
ReleaseDC.USER32(00000000,00000003), ref: 00C95B08

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 930aa8d11c022e8034fa3771b9df3a36e3de59c2b118fa965ee5e3fe31865ac3
Instruction ID: b8e61d278d852feb8323955c2a87ccc1b3d8d2627d62e1da0787312eba0a718a
Opcode Fuzzy Hash: 930aa8d11c022e8034fa3771b9df3a36e3de59c2b118fa965ee5e3fe31865ac3
Instruction Fuzzy Hash: 4F217F35A00104AFDB14EFA5D888BAAB7E5EF49310F148079F949D7651CA30AD41DB54

Function 00C212F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C2134D
SelectObject.GDI32(?,00000000), ref: 00C2135C
BeginPath.GDI32(?), ref: 00C21373
SelectObject.GDI32(?,00000000), ref: 00C2139C

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: c26b51a1b4831d1ee6044ee7288326cdb6412cb9b9b3806050c6088e85774d64
Instruction ID: e7ff5e95626418f9be2c7db8d6809fdb707b2fbcc708e6aab50f5f6d00f6b6ef
Opcode Fuzzy Hash: c26b51a1b4831d1ee6044ee7288326cdb6412cb9b9b3806050c6088e85774d64
Instruction Fuzzy Hash: DE214C70840758EFDB20CF65EC8476D7BA9FB10329F18422AF8209A5F0D7B19991DF90

Function 00C7BC9E Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00C7BCB3
_memcmp.LIBCMT ref: 00C7BCD1
_memcmp.LIBCMT ref: 00C7BCE4
_memcmp.LIBCMT ref: 00C7BCFC
_memcmp.LIBCMT ref: 00C7BD14

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: d6d3d52e76b2dfa34bdb178cf5e67757ad159d8a89811c28261d5f5428b70a80
Instruction ID: e00d2b71b8d953969c9a685771ec6d47f9a4b435aff000c161ed063a0633da14
Opcode Fuzzy Hash: d6d3d52e76b2dfa34bdb178cf5e67757ad159d8a89811c28261d5f5428b70a80
Instruction Fuzzy Hash: 6101B1B26001097BE2156A169D42FFBB75CEE20398F08C021FD1996247EB60EF1092A0

Function 00C84A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C84ABA
__beginthreadex.LIBCMT ref: 00C84AD8
MessageBoxW.USER32(?,?,?,?), ref: 00C84AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00C84B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00C84B0A

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: c4c63d15435ee44a56070ba4101e2c2de6e92252bc9ab1e4d647695bc6115650
Instruction ID: 3091ba739357ce3bfdacf2e46e42a0550a66a1ce58950e53a9c1e74887070a07
Opcode Fuzzy Hash: c4c63d15435ee44a56070ba4101e2c2de6e92252bc9ab1e4d647695bc6115650
Instruction Fuzzy Hash: 46110876D05659BBCB059FE89C48BEF7FACEB45328F144269F924D7250D671C90087A0

Function 00C78202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C7821E
GetLastError.KERNEL32(?,00C77CE2,?,?,?), ref: 00C78228
GetProcessHeap.KERNEL32(00000008,?,?,00C77CE2,?,?,?), ref: 00C78237
HeapAlloc.KERNEL32(00000000,?,00C77CE2,?,?,?), ref: 00C7823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C78255

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: b6dbaaebfb779da06c4d4dbaa45002df96e5ea794b83260c6cd573fb3d837510
Instruction ID: 91be85f66862b74043494330f5e675fdc1029d11475e802ce8138ff03b0c5a44
Opcode Fuzzy Hash: b6dbaaebfb779da06c4d4dbaa45002df96e5ea794b83260c6cd573fb3d837510
Instruction Fuzzy Hash: B6016971381204BFDB204FA6DC4CE6F7BACEF8A75AB50446DFA59C3261DA318D05CA60

Function 00C7710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C77044,80070057,?,?,?,00C77455), ref: 00C77127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C77044,80070057,?,?), ref: 00C77142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C77044,80070057,?,?), ref: 00C77150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C77044,80070057,?), ref: 00C77160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C77044,80070057,?,?), ref: 00C7716C

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 14f1eaebf4defd82ee78e519120065bc4ec7526f010b6f0ccf281f30368e2413
Instruction ID: 337cf6dc4e8e4e3e082b686e03d6379a2b135271078aa64adbf9217946dd7692
Opcode Fuzzy Hash: 14f1eaebf4defd82ee78e519120065bc4ec7526f010b6f0ccf281f30368e2413
Instruction Fuzzy Hash: 8C017C76601208ABDB114FA4DC48BAE7BADEB46795F148278FD0CD3220DB75DE419BA0

Function 00C85244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C85260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00C8526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C85276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00C85280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C852BC

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 672b0b86fdd70d7750c081406e40767783acc6400bfa27ab01a1132e750c9b2d
Instruction ID: 2023d2e06b7ba7220d3cdce50be1858d6bf3627c919fa0153b48d1f378a16978
Opcode Fuzzy Hash: 672b0b86fdd70d7750c081406e40767783acc6400bfa27ab01a1132e750c9b2d
Instruction Fuzzy Hash: 5F015B31D01A19DBCF00EFE4D848BEDBB78BB09315F410159E941F2150CF7059568BA9

Function 00C7810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C78121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C7812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C7813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C78141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C78157

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f00b78b506d0d391da10f1efdbefd6f5e5c99693bfb8e818979f451ad6ddd0a2
Instruction ID: a5f294f19f849d393b52879026f273a9aa21f746cec78b5af8603997db7a2c37
Opcode Fuzzy Hash: f00b78b506d0d391da10f1efdbefd6f5e5c99693bfb8e818979f451ad6ddd0a2
Instruction Fuzzy Hash: 92F03C71341304AFEB110FA5EC8CFAF3BACEF4A659B404029FA8987160CF719946DA60

Function 00C7C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00C7C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 00C7C20E
MessageBeep.USER32(00000000), ref: 00C7C226
KillTimer.USER32(?,0000040A), ref: 00C7C242
EndDialog.USER32(?,00000001), ref: 00C7C25C

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 3f4d7d756d5c2f467acb3fc352ed63277f6fcfdcd01689e552efe21f06f0b869
Instruction ID: e8511a7444e0e315dc39fd9488d3b229994e4adb1dda9a29e807a5b63306b2e0
Opcode Fuzzy Hash: 3f4d7d756d5c2f467acb3fc352ed63277f6fcfdcd01689e552efe21f06f0b869
Instruction Fuzzy Hash: 7B01DB30404705ABEB205F90ED8EF9A7778FF01706F00826DF596A24F2DBF469459B90

Function 00C213B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00C213BF
StrokeAndFillPath.GDI32(?,?,00C5B888,00000000,?), ref: 00C213DB
SelectObject.GDI32(?,00000000), ref: 00C213EE
DeleteObject.GDI32 ref: 00C21401
StrokePath.GDI32(?), ref: 00C2141C

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: cd9abeb051d6a7a2ff083317343b0f3e59d9616625cf4b6f0bf93064ac74de8a
Instruction ID: fb2f8412dd081b320558e4669da2fa8f71c476d666445cff28d055ca6e4e33aa
Opcode Fuzzy Hash: cd9abeb051d6a7a2ff083317343b0f3e59d9616625cf4b6f0bf93064ac74de8a
Instruction Fuzzy Hash: EDF0EC30044B48EBDB255F6AEC8C75C3FA5AB1132AF0C8228E9698D4F1C7714996DF50

Function 00C32CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00C40DB6: std::exception::exception.LIBCMT ref: 00C40DEC
Part of subcall function 00C40DB6: __CxxThrowException@8.LIBCMT ref: 00C40E01

Part of subcall function 00C27DE1: _memmove.LIBCMT ref: 00C27E22

Part of subcall function 00C27A51: _memmove.LIBCMT ref: 00C27AAB

__swprintf.LIBCMT ref: 00C32ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00C32D66

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: f342fe04c418de4bb765c7c0c71856a76c21b8ad053cc08ccc1c171f55f58548
Instruction ID: 1f0bce69b7fd3d5560683b18df358dcd114c9975745f6c40522801216bcd03b5
Opcode Fuzzy Hash: f342fe04c418de4bb765c7c0c71856a76c21b8ad053cc08ccc1c171f55f58548
Instruction Fuzzy Hash: 52915B71518311DFCB24EF24D896C6FB7A8EF85710F00491DF5969B2A1EA30EE44EB52

Function 00C8B93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C24750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C24743,?,?,00C237AE,?), ref: 00C24770

CoInitialize.OLE32(00000000), ref: 00C8B9BB
CoCreateInstance.OLE32(00CB2D6C,00000000,00000001,00CB2BDC,?), ref: 00C8B9D4
CoUninitialize.OLE32 ref: 00C8B9F1

Part of subcall function 00C29837: __itow.LIBCMT ref: 00C29862
Part of subcall function 00C29837: __swprintf.LIBCMT ref: 00C298AC

Strings

.lnk, xrefs: 00C8B99D, 00C8B9AB

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 10cbee81277cf491387c5807bd10acc5d413bea0db54782737b3a877683547d8
Instruction ID: ca902e4b121c28e7857163566dfee8540e4bfeef8fc94b688545a88834f58a08
Opcode Fuzzy Hash: 10cbee81277cf491387c5807bd10acc5d413bea0db54782737b3a877683547d8
Instruction Fuzzy Hash: 29A168756043119FCB14EF14C884D6ABBE5FF89318F048998F8A99B3A1CB31ED46CB95

Function 00C4501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00C450AD

Part of subcall function 00C500F0: __87except.LIBCMT ref: 00C5012B

Strings

pow, xrefs: 00C45085, 00C450A2

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: fb22f425f159ec32ef65b35d869f2aea5c89822fafa156dfcdf9f3eb54f15b5b
Instruction ID: ff56d68c0aa8555bcd3e9887d08d5b660208a26b7b7ed3ec4b30c8b7456c49c6
Opcode Fuzzy Hash: fb22f425f159ec32ef65b35d869f2aea5c89822fafa156dfcdf9f3eb54f15b5b
Instruction Fuzzy Hash: 03512B69908A0197DB116714CD4536E3F94BB40712F308A59ECE5C62ABDE348ACC9A8A

Function 00C36192 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C36248
_memmove.LIBCMT ref: 00C362E4
_memset.LIBCMT ref: 00C36308

Strings

ERCP, xrefs: 00C361B3

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: cefbb925898c5e6187c8840c9bd0101824f71f79b38da40f879909335a402cb9
Instruction ID: 6ffc0150a60814991938838d0ea6befaea8db30854f5c314eb185f76d0d1c256
Opcode Fuzzy Hash: cefbb925898c5e6187c8840c9bd0101824f71f79b38da40f879909335a402cb9
Instruction Fuzzy Hash: B4518E71910705EBDB24CF65C981BABB7F4FF04314F20856EE95ADB291E771AA44CB40

Function 00C797F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C814BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C79296,?,?,00000034,00000800,?,00000034), ref: 00C814E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00C7983F

Part of subcall function 00C81487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C792C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00C814B1

Part of subcall function 00C813DE: GetWindowThreadProcessId.USER32(?,?), ref: 00C81409
Part of subcall function 00C813DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C7925A,00000034,?,?,00001004,00000000,00000000), ref: 00C81419
Part of subcall function 00C813DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C7925A,00000034,?,?,00001004,00000000,00000000), ref: 00C8142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C798AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C798F9

Strings

@, xrefs: 00C79911

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: fc0f83b96480d2061e46732da0533d90b2c59a2f3267fbbe16965537bc2698a5
Instruction ID: a319e0dfd453d6db1e1046d52c97dea10f370408f30a13a2dab835500e5b97e7
Opcode Fuzzy Hash: fc0f83b96480d2061e46732da0533d90b2c59a2f3267fbbe16965537bc2698a5
Instruction Fuzzy Hash: 3B415E7690021CBFDB10EFA4CC85ADEBBB8EB49300F144099FA59B7191DA706F45DBA1

Function 00CA7946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00CAF910,00000000,?,?,?,?), ref: 00CA79DF
GetWindowLongW.USER32 ref: 00CA79FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CA7A0C

Strings

SysTreeView32, xrefs: 00CA79B1

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: e597d077f5b3041092819354fc5357fc07f033958a54cb58a145dc467af007de
Instruction ID: f419617606d6d067b568a6853f60405eda66c27f0172dd13de2bb75d5b9bdb6e
Opcode Fuzzy Hash: e597d077f5b3041092819354fc5357fc07f033958a54cb58a145dc467af007de
Instruction Fuzzy Hash: E531B031604606ABDB118E78DC41BEB77A9FB0A328F248725F875932E0D731EE519B50

Function 00CA73D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00CA7461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00CA7475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00CA7499

Strings

SysMonthCal32, xrefs: 00CA742C

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: fa4a8a4cf96d8ec72531f1ec1f7b0fef89352104daac66031e20efac2be5e237
Instruction ID: 6675141c328c3cac0e1db181c82463dc85fa640d2c2a5ad64c159ecdeeefc4c5
Opcode Fuzzy Hash: fa4a8a4cf96d8ec72531f1ec1f7b0fef89352104daac66031e20efac2be5e237
Instruction Fuzzy Hash: 0F217F32500219ABDF218FA4CC46FEA3B79FB4D728F110214FE556B190DAB5AC519BA0

Function 00CA7B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00CA7C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00CA7C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00CA7C5F

Strings

msctls_updown32, xrefs: 00CA7BC4

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: be6cd802715df8eb7c3854df917f8e3a4ad0b3eb1aa9a0e58c6e8dd7774db1a8
Instruction ID: 8b7d009c2f93d8f39f5b7d2cddb431fee80e5d59bbfd7de48ebb0d884ca8495e
Opcode Fuzzy Hash: be6cd802715df8eb7c3854df917f8e3a4ad0b3eb1aa9a0e58c6e8dd7774db1a8
Instruction Fuzzy Hash: 84218EB5604209AFDB10DF24DCC1EAA37EDFF5A368B140159FA119B3A1CB71ED119AA0

Function 00CA6CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00CA6D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00CA6D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00CA6D70

Strings

Listbox, xrefs: 00CA6D08

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 03833b7038d9ea338e8970ec12839fa1d6b8253299ae5cf625ded4cfa4019afa
Instruction ID: 7f3f6907a6fa507846397167d7e7ad9ef954233180881946b6c58051e5a42067
Opcode Fuzzy Hash: 03833b7038d9ea338e8970ec12839fa1d6b8253299ae5cf625ded4cfa4019afa
Instruction Fuzzy Hash: DA21D432610119BFDF118F54CC45FBF3BBAEF8A768F058128FA559B1A0C6719C519BA0

Function 00CA770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00CA7772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00CA7787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00CA7794

Strings

msctls_trackbar32, xrefs: 00CA7749

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 3ef8818fe440ead73a1af7565bd5c056ca859e54cc14dff035edd48bc1b2ff70
Instruction ID: 2be916ec63675e02196d3ece71c94ccd85317cd2ac0c5924b7b23251eff70369
Opcode Fuzzy Hash: 3ef8818fe440ead73a1af7565bd5c056ca859e54cc14dff035edd48bc1b2ff70
Instruction Fuzzy Hash: 49112732200209BBEF215F61CC05FDB3769FF89B58F010228FA51D6090C271E811DB10

Function 00C24C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00C24BD0,?,00C24DEF,?,00CE52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C24C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C24C23

Strings

Wow64DisableWow64FsRedirection, xrefs: 00C24C1D
kernel32.dll, xrefs: 00C24C0C

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: fe8843ccd11d1a25c91bde023815b105fbce53b3ece45d8f540e9882dec18ea5
Instruction ID: b2f1f41d1b635affbbaea4a7496fa6778193292bf2c755efdad66255a8e41f6d
Opcode Fuzzy Hash: fe8843ccd11d1a25c91bde023815b105fbce53b3ece45d8f540e9882dec18ea5
Instruction Fuzzy Hash: 04D0C730500723CFC720AFB4EC0830BBAE5EF0A346B008C3ED492C2660E6B0C882CB20

Function 00C24C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00C24B83,?), ref: 00C24C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C24C56

Strings

Wow64RevertWow64FsRedirection, xrefs: 00C24C50
kernel32.dll, xrefs: 00C24C3F

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 3520c98b34e8bb134650ae26171c89df89ce0ba4eb40bd2722bd03fef53a99c0
Instruction ID: 3f9230ae13435f256c60097441d3cf1875d81c76daece1b667626e38c24962ec
Opcode Fuzzy Hash: 3520c98b34e8bb134650ae26171c89df89ce0ba4eb40bd2722bd03fef53a99c0
Instruction Fuzzy Hash: B7D01731510723CFD7249FB5E94874E7AE4AF06355B11883ED6A6E6660E670D881CA60

Function 00CA0DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00CA1039), ref: 00CA0DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00CA0E07

Strings

advapi32.dll, xrefs: 00CA0DF0
RegDeleteKeyExW, xrefs: 00CA0E01

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 20200f4592942d055c0211047b9175f5bad5090d2636fe9f9d8a2a3c115bb738
Instruction ID: 06710fe56e4281ddbf34b8055f54f782a852c8c99a222e31373fcdf5d1e206c4
Opcode Fuzzy Hash: 20200f4592942d055c0211047b9175f5bad5090d2636fe9f9d8a2a3c115bb738
Instruction Fuzzy Hash: C3D0C730440323CFC3209FB0D84838AB2E4AF1238AF208C3ED6D2C2250E6B0E890CB00

Function 00C990E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00C98CF4,?,00CAF910), ref: 00C990EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00C99100

Strings

GetModuleHandleExW, xrefs: 00C990FA
kernel32.dll, xrefs: 00C990E9

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 6e4ea38fb3f1cc36b2ebcaeaed70f37f3e32b30c9e389b50cc170b17ef80f41d
Instruction ID: 897cd7e721f6cee59afe65b508da198aed0683e0e60994585c8bf8e9fcafcbc0
Opcode Fuzzy Hash: 6e4ea38fb3f1cc36b2ebcaeaed70f37f3e32b30c9e389b50cc170b17ef80f41d
Instruction Fuzzy Hash: C0D01735510713CFDB209FB5D85C74E76E4AF06356B168C3ED596D6690EA70C881CBA0

Function 00C61714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00C61718
__swprintf.LIBCMT ref: 00C61749

Strings

%.3d, xrefs: 00C61723
WIN_XPe, xrefs: 00C61788

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: f4997219567e4b90427feb51527c3d4371b41b053fdb2da2cf880b4ae910f161
Instruction ID: 3ad6ab1f65bbc85070928d939d1c8b3d76e02ebb9e468af4cf090500ec78da3c
Opcode Fuzzy Hash: f4997219567e4b90427feb51527c3d4371b41b053fdb2da2cf880b4ae910f161
Instruction Fuzzy Hash: 97D01771804119EACB209A9298C89FD737CBB09302F1C0562B906E2040E2369B94EA21

Function 00C7717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a3534aaa0e0223afe2a532fded7decd7fd4b3e56efc1b6021aa51a7bd0eece4
Instruction ID: 71739cc4c5373c81df6d23526b9d1695bf318f819face84a8709defbf4a754f6
Opcode Fuzzy Hash: 4a3534aaa0e0223afe2a532fded7decd7fd4b3e56efc1b6021aa51a7bd0eece4
Instruction Fuzzy Hash: DAC14275A0421AEFCB14CFA4C884EAEBBB5FF48714B158698E819DB251D730DE81DF90

Function 00C9E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00C9E0BE
CharLowerBuffW.USER32(?,?), ref: 00C9E101

Part of subcall function 00C9D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00C9D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00C9E301
_memmove.LIBCMT ref: 00C9E314

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 243c9e50f39a77820022e6326df6339c3b7557309bd3aac43bf4d2d1b70541b8
Instruction ID: e7c6cd974d3b765035524c24be9985149ecfd2fd1fc7c0962485efd0315a247b
Opcode Fuzzy Hash: 243c9e50f39a77820022e6326df6339c3b7557309bd3aac43bf4d2d1b70541b8
Instruction Fuzzy Hash: FCC16A71608311DFCB04DF28C484A6ABBE4FF99714F14896DF8999B351D731EA46CB82

Function 00C98093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C980C3
CoUninitialize.OLE32 ref: 00C980CE

Part of subcall function 00C7D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C7D5D4

VariantInit.OLEAUT32(?), ref: 00C980D9
VariantClear.OLEAUT32(?), ref: 00C983AA

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: fb2be00d53c5e57fe4ecd72b4c15d9e82fa249f42b6e5b5c1457b5511e687e2e
Instruction ID: 5d2cc78a826e8509e98f211060fbaa9eb9eae3a7cda4166580783025aa204e8c
Opcode Fuzzy Hash: fb2be00d53c5e57fe4ecd72b4c15d9e82fa249f42b6e5b5c1457b5511e687e2e
Instruction Fuzzy Hash: 75A167356047119FCB00DF64C885B2AB7E4FF8A724F184448F99A9B7A1CB30ED49DB86

Function 00C77530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00CB2C7C,?), ref: 00C776EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00CB2C7C,?), ref: 00C77702
CLSIDFromProgID.OLE32(?,?,00000000,00CAFB80,000000FF,?,00000000,00000800,00000000,?,00CB2C7C,?), ref: 00C77727
_memcmp.LIBCMT ref: 00C77748

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 92fc7d358dd4679cff44ac42427d724e9504e84e4810e0b19dcb429d9d2a8fed
Instruction ID: d762ada041f4db48a64c86ff4b5b5bf366ccf702f1702d68e5cd52b52186cd2d
Opcode Fuzzy Hash: 92fc7d358dd4679cff44ac42427d724e9504e84e4810e0b19dcb429d9d2a8fed
Instruction Fuzzy Hash: DF811B75A00109EFCB04DFA4C988EEEB7B9FF89315F208558F515AB250DB71AE46CB60

Function 00C7687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C7688E
SysAllocString.OLEAUT32(00000000), ref: 00C76937
VariantCopy.OLEAUT32 ref: 00C76966
VariantClear.OLEAUT32(?), ref: 00C7698D

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: ac999748bb53379a8fd8b894233e11bc55b77a98db92a5bab6239feca49ed42f
Instruction ID: ed9b3c71fc5eb1085656ebfbe6aed1c8222fa2b7a64426daec3bf19653848792
Opcode Fuzzy Hash: ac999748bb53379a8fd8b894233e11bc55b77a98db92a5bab6239feca49ed42f
Instruction Fuzzy Hash: AE51D374700B029ADB24AF66D891B2EB3E5AF45320F20D81FE59EDB291DB70D880A701

Function 00CA97F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(017EE840,?), ref: 00CA9863
ScreenToClient.USER32(00000002,00000002), ref: 00CA9896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00CA9903

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 54de7fadb70f2a72a9f24c26fb9cbe70739bfd19cd19f58078700d8f9b9f6f42
Instruction ID: 611ae9e26b4d8bb6313f518bf1bc822e3ece3be3a4c976d46a7689abd21b5452
Opcode Fuzzy Hash: 54de7fadb70f2a72a9f24c26fb9cbe70739bfd19cd19f58078700d8f9b9f6f42
Instruction Fuzzy Hash: 15515434900209EFCF10CF64D885AAE7BB5FF56368F14815DF9659B2A0D730AE41DB90

Function 00C79A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00C79AD2
__itow.LIBCMT ref: 00C79B03

Part of subcall function 00C79D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00C79DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00C79B6C
__itow.LIBCMT ref: 00C79BC3

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: e6a950ef0d7f8ca3c671076f6974ae6cc71162b1096ecb0414a41189c75185d1
Instruction ID: fbdb41a321521f295c3e57f04ff9630d586a8e1ad9ba33613ef877f935dfac94
Opcode Fuzzy Hash: e6a950ef0d7f8ca3c671076f6974ae6cc71162b1096ecb0414a41189c75185d1
Instruction Fuzzy Hash: D541B470A00218ABDF21EF64D885FEE7BB9EF45720F004069F919A3291DB709A44DBA1

Function 00C969AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00C969D1
WSAGetLastError.WSOCK32(00000000), ref: 00C969E1

Part of subcall function 00C29837: __itow.LIBCMT ref: 00C29862
Part of subcall function 00C29837: __swprintf.LIBCMT ref: 00C298AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00C96A45
WSAGetLastError.WSOCK32(00000000), ref: 00C96A51

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 6bca9ae0a78945781ee95960508a0a559db4bf37302c89b8073d50a1cdef4d2e
Instruction ID: b9fd45f421bfef6818f03c2e09b4d8e2028db622e43567c37780ac1154de02cf
Opcode Fuzzy Hash: 6bca9ae0a78945781ee95960508a0a559db4bf37302c89b8073d50a1cdef4d2e
Instruction Fuzzy Hash: 4E41AE75740210AFEB60AF64DC86F2E77A4EB05B14F44C018FA59AB6C2DBB09D01AB91

Function 00C9641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00CAF910), ref: 00C964A7
_strlen.LIBCMT ref: 00C964D9

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 33bb4b1e9a5dfa9d8a038d0447377a876c6d18bf69ba49e2f8dd2585dfdff12a
Instruction ID: 4636d4281eda87f0faa6010e005b3589b734970fd1edec4c59c1020b58ccf5b0
Opcode Fuzzy Hash: 33bb4b1e9a5dfa9d8a038d0447377a876c6d18bf69ba49e2f8dd2585dfdff12a
Instruction Fuzzy Hash: AA41D531A00114AFCF14EBA8EC89FAEB7A8EF45310F118159F819972D2DB30EE41E750

Function 00C8B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00C8B89E
GetLastError.KERNEL32(?,00000000), ref: 00C8B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00C8B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00C8B915

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 7f3a92e02f68dfc436ecf749195935887dbd96d3bcace167fab38c688fad13f1
Instruction ID: 3d0352681d3024cc9be41d8c635a53b3b2e213e5c1254fdef04f47e8ea8d91b6
Opcode Fuzzy Hash: 7f3a92e02f68dfc436ecf749195935887dbd96d3bcace167fab38c688fad13f1
Instruction Fuzzy Hash: C1412939600620DFCB10EF55D484A5DBBE1EF4A314F098098EC4A9B7A2CB30FD02DB95

Function 00CAAB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00CAAB60
GetWindowRect.USER32(?,?), ref: 00CAABD6
PtInRect.USER32(?,?,00CAC014), ref: 00CAABE6
MessageBeep.USER32(00000000), ref: 00CAAC57

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 460dfd440483778b478b201f3ae130b3b5c280f0b7ce5f1d282d2947096e85b0
Instruction ID: b6fed1cfdf481a12702f579723ed4f20d6a09ba1f5231b4f00aa067d3ff8aa7b
Opcode Fuzzy Hash: 460dfd440483778b478b201f3ae130b3b5c280f0b7ce5f1d282d2947096e85b0
Instruction Fuzzy Hash: 9F416F3060021ADFDB21DF58D884BAD7BF5FB4A32CF1480A9E4159F261D732E945DB92

Function 00C80AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00C80B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00C80B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00C80BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00C80BFB

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: be68286aa48c8a0c8a95af6098c212363b813dc5cad3c9af50db2bd4b56f2dad
Instruction ID: bd19be0df2461077b35483f02587d6bd7486a91e43d1f9037baba266efe994e3
Opcode Fuzzy Hash: be68286aa48c8a0c8a95af6098c212363b813dc5cad3c9af50db2bd4b56f2dad
Instruction Fuzzy Hash: 2F315A30D40608AFFF70ABA58C05BFEBBA9AB4531DF28425AF4A0521D1C3749A49975A

Function 00C80C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00C80C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00C80C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00C80CE1
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00C80D33

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: a8f346beae4cc13a7a87e38d14ca8739691aec7eca168b25414c24fe09711cb1
Instruction ID: 78278ed102b7eb59bed4c487ff23224974cb7e2838ad022b87ed5773fa4ccc11
Opcode Fuzzy Hash: a8f346beae4cc13a7a87e38d14ca8739691aec7eca168b25414c24fe09711cb1
Instruction Fuzzy Hash: F6316C309002186EFF70AFA5CC057FEBBA6AB45318F24831FE4A4521D1C3359E49D75A

Function 00C561C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00C561FB
__isleadbyte_l.LIBCMT ref: 00C56229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00C56257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00C5628D

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 0b1c635cab260219f1b23607fd0375b7b0c2ec4b8dc00acd234b35684fc8e239
Instruction ID: af8f3ffa2072759381cf1ccd379ad8eb313db33c5be83bc3594526576cfbac60
Opcode Fuzzy Hash: 0b1c635cab260219f1b23607fd0375b7b0c2ec4b8dc00acd234b35684fc8e239
Instruction Fuzzy Hash: 9731BC34604246AFDB218E65CC48BBE7BA9FF42312F554128EC64871A1DB30DA94DB94

Function 00CA4EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00CA4F02

Part of subcall function 00C83641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C8365B
Part of subcall function 00C83641: GetCurrentThreadId.KERNEL32 ref: 00C83662
Part of subcall function 00C83641: AttachThreadInput.USER32(00000000,?,00C85005), ref: 00C83669

GetCaretPos.USER32(?), ref: 00CA4F13
ClientToScreen.USER32(00000000,?), ref: 00CA4F4E
GetForegroundWindow.USER32 ref: 00CA4F54

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 78c6a569d4c6de07ca0f1916c853c70d623c04fecc6813d9e189567d9ecec0e8
Instruction ID: 9578f9b82b1fa378378f316eaa9a9ca2172c42b8786461d7b1ff14fcd556314e
Opcode Fuzzy Hash: 78c6a569d4c6de07ca0f1916c853c70d623c04fecc6813d9e189567d9ecec0e8
Instruction Fuzzy Hash: CC313E71D00218AFCB04EFA5D885AEFB7F9EF89304F10446AE415E7241EA719E059BA0

Function 00C83C55 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00C83C7A
Process32FirstW.KERNEL32(00000000,?), ref: 00C83C88
Process32NextW.KERNEL32(00000000,?), ref: 00C83CA8
CloseHandle.KERNEL32(00000000), ref: 00C83D52

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: b54b42c747e406e5e6190a6317328f0d3060d1c6b9441fb840e6cf6091e7ba38
Instruction ID: 970d9b263007eb44054cce12be03284c03cf5cca458cec9ebb6e53bd9701ea12
Opcode Fuzzy Hash: b54b42c747e406e5e6190a6317328f0d3060d1c6b9441fb840e6cf6091e7ba38
Instruction Fuzzy Hash: 2831C0311083459FD304EF50D881BAFBBE8EF85358F40092DF591871A1EB719A4ACB92

Function 00CAC498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C22612: GetWindowLongW.USER32(?,000000EB), ref: 00C22623

GetCursorPos.USER32(?), ref: 00CAC4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00C5B9AB,?,?,?,?,?), ref: 00CAC4E7
GetCursorPos.USER32(?), ref: 00CAC534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00C5B9AB,?,?,?), ref: 00CAC56E

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 2f371a6ffa74e5c147f150bbea52013c81b81ddfa2f2548ff0b9f8396f3ff5f1
Instruction ID: d8edccfc1a7086ea934d0f0dca3e0c5946871c53a01a8caab347a22cb124147d
Opcode Fuzzy Hash: 2f371a6ffa74e5c147f150bbea52013c81b81ddfa2f2548ff0b9f8396f3ff5f1
Instruction Fuzzy Hash: DA319339900458EFCB25CF98C898FEE7BB5EF0A314F044069F9158B261C731AE51EBA4

Function 00C78656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C7810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C78121
Part of subcall function 00C7810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C7812B
Part of subcall function 00C7810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C7813A
Part of subcall function 00C7810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C78141
Part of subcall function 00C7810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C78157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00C786A3
_memcmp.LIBCMT ref: 00C786C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C786FC
HeapFree.KERNEL32(00000000), ref: 00C78703

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 293c957770f7d132aeefaa1ce5c308195a5050131fc8fb4cdb23b4570b2dfe36
Instruction ID: ac0e6ddf7ed4992b02c2a51031087f9be9880d81a4eae9f73caa0032e94653e6
Opcode Fuzzy Hash: 293c957770f7d132aeefaa1ce5c308195a5050131fc8fb4cdb23b4570b2dfe36
Instruction Fuzzy Hash: 97217C71E80108EFDB10DFA4C949BEEB7B8EF45304F158059E558A7240DB30AF09DB60

Function 00C4098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00C409AE

Part of subcall function 00C25A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C87896,?,?,00000000), ref: 00C25A2C
Part of subcall function 00C25A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C87896,?,?,00000000,?,?), ref: 00C25A50

_fprintf.LIBCMT ref: 00C409E5
OutputDebugStringW.KERNEL32(?), ref: 00C75DBB

Part of subcall function 00C44AAA: _flsall.LIBCMT ref: 00C44AC3

__setmode.LIBCMT ref: 00C40A1A

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 91e2f5e13629004d9ee69b120706ae31a0cf8943d067c3533ffa0cfbd920f829
Instruction ID: fb8dadca82e97bcd2e831dfdc8941031e315d83a999c966bfe67b974558ec959
Opcode Fuzzy Hash: 91e2f5e13629004d9ee69b120706ae31a0cf8943d067c3533ffa0cfbd920f829
Instruction Fuzzy Hash: A6113631904204AFDB08B7B4AC47AFE77A8EF52320F744119F214A71C2EE705D46B7A4

Function 00C91767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C917A3

Part of subcall function 00C9182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C9184C
Part of subcall function 00C9182D: InternetCloseHandle.WININET(00000000), ref: 00C918E9

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: d449f0ec165e697f0e93f4dca93d2653f42cedb386fbfab1416ea1cb8122c4d5
Instruction ID: cd3001a75a305ca319f4bc5098dc9b3824a10e23a2bebd0acca8d1d27c27e55a
Opcode Fuzzy Hash: d449f0ec165e697f0e93f4dca93d2653f42cedb386fbfab1416ea1cb8122c4d5
Instruction Fuzzy Hash: 79210431200606BFEF129FA0CC0AFBABBA9FF48710F14402EFD51D6290D7319911ABA4

Function 00C83A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00CAFAC0), ref: 00C83A64
GetLastError.KERNEL32 ref: 00C83A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00C83A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00CAFAC0), ref: 00C83ADF

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 74251c6c1025031d26e95a52be260781884199a3ae021159d5aef0f5821ee15a
Instruction ID: 86680ae486bfe31586368e70961cae6be9a67594f91278f4c452ba5489db5778
Opcode Fuzzy Hash: 74251c6c1025031d26e95a52be260781884199a3ae021159d5aef0f5821ee15a
Instruction Fuzzy Hash: 0221D3741082018F8314FF68D8819AB77E4AE1676CF105A2DF4A9C72A1DB31DE46DB56

Function 00C7DCBE Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C7F0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00C7DCD3,?,?,?,00C7EAC6,00000000,000000EF,00000119,?,?), ref: 00C7F0CB
Part of subcall function 00C7F0BC: lstrcpyW.KERNEL32(00000000,?,?,00C7DCD3,?,?,?,00C7EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00C7F0F1
Part of subcall function 00C7F0BC: lstrcmpiW.KERNEL32(00000000,?,00C7DCD3,?,?,?,00C7EAC6,00000000,000000EF,00000119,?,?), ref: 00C7F122

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00C7EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00C7DCEC
lstrcpyW.KERNEL32(00000000,?,?,00C7EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00C7DD12
lstrcmpiW.KERNEL32(00000002,cdecl,?,00C7EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00C7DD46

Strings

cdecl, xrefs: 00C7DD3D

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: a2b7458a4fc35f45186c382662f8b97acf20f391fcfcc28671f8fad699217013
Instruction ID: e87bb2ac322a1cc1d09505cdf9c00e8b461ed54e460830757a6d36f7b1c33cda
Opcode Fuzzy Hash: a2b7458a4fc35f45186c382662f8b97acf20f391fcfcc28671f8fad699217013
Instruction Fuzzy Hash: CA11BE3A200305EBCB259F74CC45A7E77B9FF46350F40812AF91ACB2A0EB719951D7A0

Function 00C550E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C55101

Part of subcall function 00C4571C: __FF_MSGBANNER.LIBCMT ref: 00C45733
Part of subcall function 00C4571C: __NMSG_WRITE.LIBCMT ref: 00C4573A
Part of subcall function 00C4571C: RtlAllocateHeap.NTDLL(017D0000,00000000,00000001,00000000,?,?,?,00C40DD3,?), ref: 00C4575F

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: cb7a2d270d588dd640d0e39068fbf3e367999b1bcebd3f58e482227fe1985f8a
Instruction ID: 596731619ca7095bd8b67dd384bbc89bed7c0ca92c3f73c512f69d8f92ab9056
Opcode Fuzzy Hash: cb7a2d270d588dd640d0e39068fbf3e367999b1bcebd3f58e482227fe1985f8a
Instruction Fuzzy Hash: 6611E376901E11AFCF312FB0AC5975F3F98AF013A3B100529FD549A161DE308A89AA98

Function 00C96369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C25A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C87896,?,?,00000000), ref: 00C25A2C
Part of subcall function 00C25A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C87896,?,?,00000000,?,?), ref: 00C25A50

gethostbyname.WSOCK32(?,?,?), ref: 00C96399
WSAGetLastError.WSOCK32(00000000), ref: 00C963A4
_memmove.LIBCMT ref: 00C963D1
inet_ntoa.WSOCK32(?), ref: 00C963DC

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: e51d224ec155a2776b83f7bdeadc7b4550a0794b78ac0eb1321326c914b7626c
Instruction ID: c21ea8b2ea08456f3fcf57f23bbe0ef7e9d7deb12af1bb4aa74953216a4a7b65
Opcode Fuzzy Hash: e51d224ec155a2776b83f7bdeadc7b4550a0794b78ac0eb1321326c914b7626c
Instruction Fuzzy Hash: F1115E32500109EFCF00FBA4ED46DAEB7B8EF05314B144165F505A71A1DB31AE15EB61

Function 00C78B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00C78B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C78B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C78B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C78BA4

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0e79d3da5afb41a07201350371dc36b6c3ac7ee767e651a619e9dd4bfddc58c1
Instruction ID: 06177be6d815d7d272f328c6100e650d9fc74cfe41d566e483bc202061927619
Opcode Fuzzy Hash: 0e79d3da5afb41a07201350371dc36b6c3ac7ee767e651a619e9dd4bfddc58c1
Instruction Fuzzy Hash: A5115E79940218FFDB10DF95CC84F9DBB74FB48710F204095EA04B7250DA716E15DB94

Function 00C21290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00C22612: GetWindowLongW.USER32(?,000000EB), ref: 00C22623

DefDlgProcW.USER32(?,00000020,?), ref: 00C212D8
GetClientRect.USER32(?,?), ref: 00C5B5FB
GetCursorPos.USER32(?), ref: 00C5B605
ScreenToClient.USER32(?,?), ref: 00C5B610

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 7041b8a8edf530844b087ba86b5762c6d3a51f96dc1aa03784afae2f1c952889
Instruction ID: f445fcf7c972ead69d80fc5f851fb70f96c77dc2d0ef6b8fd8e93d1eaca8becd
Opcode Fuzzy Hash: 7041b8a8edf530844b087ba86b5762c6d3a51f96dc1aa03784afae2f1c952889
Instruction Fuzzy Hash: 4E116A35900129EFCB10DFA8E889AEE77B8EB16304F400455F901E7641C730BA529BA5

Function 00C81142 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00C7FCED,?,00C80D40,?,00008000), ref: 00C8115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00C7FCED,?,00C80D40,?,00008000), ref: 00C81184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00C7FCED,?,00C80D40,?,00008000), ref: 00C8118E
Sleep.KERNEL32(?,?,?,?,?,?,?,00C7FCED,?,00C80D40,?,00008000), ref: 00C811C1

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: b4d2b168e9213bb0626cddac0e9ca9b6dc3e895c8be9284d6e0bf7d85aadce16
Instruction ID: b511cb65d25625eea6f001c335e0347af7624769e47433aed258472dde6cb1b1
Opcode Fuzzy Hash: b4d2b168e9213bb0626cddac0e9ca9b6dc3e895c8be9284d6e0bf7d85aadce16
Instruction Fuzzy Hash: E6111831D00529D7CF00AFA5D848BEEBBB8FB0A715F054059EE85B2240CB709692CB99

Function 00C7D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00C7D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00C7D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00C7D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00C7D897

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 30f3723174ec0f8e235cf51c279653d2ce4d082ea8bc141bbd4219dce57660d1
Instruction ID: 21db99cc4807f1f3803c430af60ae27dfa02320033c264c32738414dfdf69309
Opcode Fuzzy Hash: 30f3723174ec0f8e235cf51c279653d2ce4d082ea8bc141bbd4219dce57660d1
Instruction Fuzzy Hash: C2115E75605304DBE3208F91EC08F96BBBCEF04B04F10856DA65AD7490D7B0E549DBE2

Function 00C56FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00C56FDB

Part of subcall function 00C576C2: __fltout2.LIBCMT ref: 00C576EB

__cftog_l.LIBCMT ref: 00C57001
__cftoe_l.LIBCMT ref: 00C57033

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 67779d0cd9e2c1cc507bf6f2ff132cbcecb638c48a1bd0650f13466e664a85c8
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: DB01803A44414ABBCF125F84EC45CED3FA2BB58352F488615FE2859070D236CAF9AB85

Function 00CAB2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00CAB2E4
ScreenToClient.USER32(?,?), ref: 00CAB2FC
ScreenToClient.USER32(?,?), ref: 00CAB320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CAB33B

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: f975d182e6bb41f766340ae09c2ed55b482c001a2586be4905e157aaba85dafb
Instruction ID: a8c6d2f93585072920aad30044926f12a1e05889cb759a33fd10ca3156821cac
Opcode Fuzzy Hash: f975d182e6bb41f766340ae09c2ed55b482c001a2586be4905e157aaba85dafb
Instruction Fuzzy Hash: 99114675D00209EFDB41CF99C484AEEFBB5FB09315F104166E914E3220D735AA559F50

Function 00CAB635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CAB644
_memset.LIBCMT ref: 00CAB653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00CE6F20,00CE6F64), ref: 00CAB682
CloseHandle.KERNEL32 ref: 00CAB694

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 91a585f84da8791703729c39cdeee570839a5c68580e695b3d50d5f36de8a239
Instruction ID: a85159d000778113c02806c043ddbb513c7840cac9390cdb3986e431fdb2a9f2
Opcode Fuzzy Hash: 91a585f84da8791703729c39cdeee570839a5c68580e695b3d50d5f36de8a239
Instruction Fuzzy Hash: B8F05EF25503807AEB1027E1BC46FBF3A9CEB193D5F004020BA08EA1A2D7714C01C7A8

Function 00C86BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00C86BE6

Part of subcall function 00C876C4: _memset.LIBCMT ref: 00C876F9

_memmove.LIBCMT ref: 00C86C09
_memset.LIBCMT ref: 00C86C16
LeaveCriticalSection.KERNEL32(?), ref: 00C86C26

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 8d8339890f525c46c33ee4e6e0d5678db2861054f66bde53b1542305b2b199de
Instruction ID: 1f35e5b16df1cfc9345e6e5882d651d7c019a9b01ee90b98ace09d07f60b731f
Opcode Fuzzy Hash: 8d8339890f525c46c33ee4e6e0d5678db2861054f66bde53b1542305b2b199de
Instruction Fuzzy Hash: 7CF05E3A200100ABCF416F95DC85B8ABB29EF46324F148065FE085F227D731E811DBB4

Function 00C22218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00C22231
SetTextColor.GDI32(?,000000FF), ref: 00C2223B
SetBkMode.GDI32(?,00000001), ref: 00C22250
GetStockObject.GDI32(00000005), ref: 00C22258
GetWindowDC.USER32(?,00000000), ref: 00C5BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 00C5BE90
GetPixel.GDI32(00000000,?,00000000), ref: 00C5BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 00C5BEC2
GetPixel.GDI32(00000000,?,?), ref: 00C5BEE2
ReleaseDC.USER32(?,00000000), ref: 00C5BEED

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 7faaf94302563f37c9dfc8fb18d88380b49101cb518b381502652a339e7d5dd5
Instruction ID: f613e94e7d87bc47f009ad99858eff2265d19d9aa9ff42c41b22096b157ebac6
Opcode Fuzzy Hash: 7faaf94302563f37c9dfc8fb18d88380b49101cb518b381502652a339e7d5dd5
Instruction Fuzzy Hash: F9E03932504244EADB215FA4FC0D7DC3F20EB0633AF14836AFB79480E187B24A85DB22

Function 00C78712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00C7871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,00C782E6), ref: 00C78722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C782E6), ref: 00C7872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,00C782E6), ref: 00C78736

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 72e5223b00115bad9ead2e7498a19408ab19f365757397d43f03b0e4d9fae849
Instruction ID: c6016f860415af6c84045a9b460ec5c29ebcd00f8e17cb82ea172e9f17354bd1
Opcode Fuzzy Hash: 72e5223b00115bad9ead2e7498a19408ab19f365757397d43f03b0e4d9fae849
Instruction Fuzzy Hash: BEE086366512119BD7605FF05D0CB9F3BACEF52795F14882CB24ACB050DA748446C750

Function 00C7B2F3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00C7B4BE

Strings

Container, xrefs: 00C7B43B
AutoIt3GUI, xrefs: 00C7B436

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 797b3e9003ebf2ce9f0202ec0a8c1982ef8642a137e637add9e4237dc7c4b53c
Instruction ID: 7b5884e3394ca8a947d91d3785ddf7daaf9469f9f8314e271ad87ec7dae68133
Opcode Fuzzy Hash: 797b3e9003ebf2ce9f0202ec0a8c1982ef8642a137e637add9e4237dc7c4b53c
Instruction Fuzzy Hash: A8912670600601AFDB54DF68C884B6ABBE9FF49714F20856EF94ACB2A1DB70ED41CB50

Function 00C8AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C3FC86: _wcscpy.LIBCMT ref: 00C3FCA9

Part of subcall function 00C29837: __itow.LIBCMT ref: 00C29862
Part of subcall function 00C29837: __swprintf.LIBCMT ref: 00C298AC

__wcsnicmp.LIBCMT ref: 00C8B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00C8B0F6

Strings

LPT, xrefs: 00C8B027

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 0c49ff86caf7058c2f8dc645056220518347cbec775e018a702da8600b534aa9
Instruction ID: 13c81b209060e57bbe9fc665bbe905145ee8eff910b894c3c6b66b5cc189de96
Opcode Fuzzy Hash: 0c49ff86caf7058c2f8dc645056220518347cbec775e018a702da8600b534aa9
Instruction Fuzzy Hash: 9C61B175E00219EFCB14EF94D895EAEB7B4EF09314F144069F916AB3A1DB30AE40DB58

Function 00C32957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00C32968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00C32981

Strings

@, xrefs: 00C32975

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 4ef48fc0b4ad8eec65760f7c55bc6a51ce6266995f3ececa7b94b2c63273b6ad
Instruction ID: 19ada157496492e9f8b4b0bb5476f04edbd9cfcee9657d5f7c0a3e5bc002491a
Opcode Fuzzy Hash: 4ef48fc0b4ad8eec65760f7c55bc6a51ce6266995f3ececa7b94b2c63273b6ad
Instruction Fuzzy Hash: CF5146724187549BD320EF10E886BAFBBE8FF85354F42885DF2D8810A1DB308529DB66

Function 00C89734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00C24F0B: __fread_nolock.LIBCMT ref: 00C24F29

_wcscmp.LIBCMT ref: 00C89824
_wcscmp.LIBCMT ref: 00C89837

Strings

FILE, xrefs: 00C89770

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: c566434cfdc632917844218287e63b84b47fc0313ca4dee79dae2c3b81468d04
Instruction ID: abf6fa62f95db66036aebf6b80ba2091dd5c4fb9733ba1b53f8a6683552a7eaa
Opcode Fuzzy Hash: c566434cfdc632917844218287e63b84b47fc0313ca4dee79dae2c3b81468d04
Instruction Fuzzy Hash: DF41C671A0021ABBDF24AEE0DC45FEFBBBDEF85714F000469F904B7181DA71AA049B65

Function 00C9258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C9259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00C925D4

Strings

|, xrefs: 00C925A5

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: b1c94b1edcef2a009c08f21cb2bd2a267cc4b9bcc9e70e17c186bd08b6caae68
Instruction ID: 9de92cdccc975f25abb927b753096e8a17f72e58a8d13b8762750a8f77c42438
Opcode Fuzzy Hash: b1c94b1edcef2a009c08f21cb2bd2a267cc4b9bcc9e70e17c186bd08b6caae68
Instruction Fuzzy Hash: 16311A71800119EBCF11EFA1DC89EEEBFB8FF08310F100159F955A6162EB715A56EB60

Function 00CA7A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00CA7B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CA7B76

Strings

', xrefs: 00CA7ACA

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: c6c40117df6573bb5a89d15aeffb58f6815e344d5959d560ea543a3ee55f1f48
Instruction ID: 381cec7e5ba8f0c34739e2b8830ba323499035087b630612f97a166023caf413
Opcode Fuzzy Hash: c6c40117df6573bb5a89d15aeffb58f6815e344d5959d560ea543a3ee55f1f48
Instruction Fuzzy Hash: 9F413B74A0420AAFDB14CF65D980BDEBBB5FF09304F10116AE914EB381D770AA51DFA0

Function 00CA6A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00CA6B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00CA6B53

Strings

static, xrefs: 00CA6AB3

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 1e203535e49117cbdef263e7749d11d6eaef5ee4862a2eaa3f7b6e9ec6dd1479
Instruction ID: bfda5fd3302eb7448d934ba5800d527a0bb4d472996adf7685a75cbdd75ae71f
Opcode Fuzzy Hash: 1e203535e49117cbdef263e7749d11d6eaef5ee4862a2eaa3f7b6e9ec6dd1479
Instruction Fuzzy Hash: A4318F71100605AEDB109F64DC80BFB73A9FF49768F148619F9A9D7190DB31AC91E760

Function 00C828A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C82911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C8294C

Strings

0, xrefs: 00C8290A

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 1a8f3766cd833d5ce235819bd3433c9beef30e75edd125e0080b188d6cfb5d76
Instruction ID: 62a4e69e1d4b5adc1b4450d8c17f3dee3795c8bfc5ef058a3558a5ddcb1f8728
Opcode Fuzzy Hash: 1a8f3766cd833d5ce235819bd3433c9beef30e75edd125e0080b188d6cfb5d76
Instruction Fuzzy Hash: 6E310631A00305AFEF24EF58CC89BAEBBF4FF05358F140029ED95A61A0D7709A40DB15

Function 00C939E9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00C93A66

Part of subcall function 00C27DE1: _memmove.LIBCMT ref: 00C27E22

Strings

, $, xrefs: 00C93AA6
AUTOITCALLVARIABLE%d, xrefs: 00C93A58

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: b649e95094dc7c7f94eecfff625750455cfb38d921821e0d48d74c524837e4a7
Instruction ID: 66ea8406079f3f5225d3354d1db01b188d63e16315175566392d12b223807789
Opcode Fuzzy Hash: b649e95094dc7c7f94eecfff625750455cfb38d921821e0d48d74c524837e4a7
Instruction Fuzzy Hash: 41218231600229AFCF10EFA4DC86EAE77B5AF44700F504465F555A7281DF34EA49EB61

Function 00CA66D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00CA6761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CA676C

Strings

Combobox, xrefs: 00CA672E

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 5d6e1e5ac75819070d7659257383ee12a8bc14d3b3251052ed25cb3f255c5d1f
Instruction ID: 3898c87365855cc3ec92b0c6a1f6193ae435a54c85b659764b24677ed715994c
Opcode Fuzzy Hash: 5d6e1e5ac75819070d7659257383ee12a8bc14d3b3251052ed25cb3f255c5d1f
Instruction Fuzzy Hash: EA11B27521020AAFEF119F64CC84EBB376AEB4A36CF150129F928D7290D6319D9197A0

Function 00CA6C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00C21D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C21D73
Part of subcall function 00C21D35: GetStockObject.GDI32(00000011), ref: 00C21D87
Part of subcall function 00C21D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C21D91

GetWindowRect.USER32(00000000,?), ref: 00CA6C71
GetSysColor.USER32(00000012), ref: 00CA6C8B

Strings

static, xrefs: 00CA6C4E

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: fec078577852ecf53716e72f48d524d90bef6c37c2730c166bac5f151693f6be
Instruction ID: 3927523dfc3980a5d04ef71069607f23ae426620d22cd432d4b8e659d5644e63
Opcode Fuzzy Hash: fec078577852ecf53716e72f48d524d90bef6c37c2730c166bac5f151693f6be
Instruction Fuzzy Hash: C4215672A1021AAFDF05DFB8CC45AEA7BA9FB09318F044628FD95D3250D635E861DB60

Function 00CA6920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00CA69A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00CA69B1

Strings

edit, xrefs: 00CA6986

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 7191771d2507fa13ffc7b3af15b2c68355b3fe3fa86e8f6586689c79ac58cd4c
Instruction ID: 5f3352d60394e15b0dcbc60b617f275ec21c576792de5ff2e286535ffff609e9
Opcode Fuzzy Hash: 7191771d2507fa13ffc7b3af15b2c68355b3fe3fa86e8f6586689c79ac58cd4c
Instruction Fuzzy Hash: F3116A7151020AABEB108E74DC44AEB37A9EB0637CF544728F9B5971E0C731DC51AB60

Function 00C829AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C82A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00C82A41

Strings

0, xrefs: 00C82A18

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: bb764113864b6fdb7f5dfb1d676a6c6386f58d82c1f81351bdce02a0eef3a016
Instruction ID: 31c3e690c15c08137693fefc695e99e239c07d367ac40b2ad891fbca034f2774
Opcode Fuzzy Hash: bb764113864b6fdb7f5dfb1d676a6c6386f58d82c1f81351bdce02a0eef3a016
Instruction Fuzzy Hash: 8A11D376901154ABCB38EA98D948BEEB3A8AF45308F044025E865E7290D730AE06E799

Function 00C921D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00C9222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00C92255

Strings

<local>, xrefs: 00C9221D

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: a302dbd3394b59692ae66a1aae49853f5dbec868ffc0ce3371dce4a4d86d9240
Instruction ID: 574eb8b99c6fe0a2e16a44a3681266c53ee4e4fe5a4686f09817539d32f8dd2b
Opcode Fuzzy Hash: a302dbd3394b59692ae66a1aae49853f5dbec868ffc0ce3371dce4a4d86d9240
Instruction Fuzzy Hash: E611E370541625BADF288F528C8CFFBFBA8FF06761F10822AF59486000D2705A91D6F0

Function 00C97D8B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C97FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00C97DB3,?,00000000,?,?), ref: 00C9800D

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C97DB6
htons.WSOCK32(00000000,?,00000000), ref: 00C97DF3

Strings

255.255.255.255, xrefs: 00C97DCE

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 5dbd49c8f7868a32c992414581cc7a7081db166fb06298bf99149862187a0e0c
Instruction ID: d9a93d7f2c5729d52c000243aeb31405112520c11e3ffddcd0f3684c95b2f2d1
Opcode Fuzzy Hash: 5dbd49c8f7868a32c992414581cc7a7081db166fb06298bf99149862187a0e0c
Instruction Fuzzy Hash: 5611E575604205ABCF20AFA4DC8AFBEB324FF01320F10865AE925972D1DB31AD119790

Function 00C78E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C27DE1: _memmove.LIBCMT ref: 00C27E22

Part of subcall function 00C7AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C7AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C78E73

Strings

ComboBox, xrefs: 00C78E12
ListBox, xrefs: 00C78E3D

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 1b427d0535c1c0ebd8c6e3ce20c721740a53dc66af07dded8d66d1c8c5ebddd8
Instruction ID: b0bfd641b4fb23a75311d5a313d178b09ec836450a97d07be99df6eba23b2398
Opcode Fuzzy Hash: 1b427d0535c1c0ebd8c6e3ce20c721740a53dc66af07dded8d66d1c8c5ebddd8
Instruction Fuzzy Hash: ED01F175641228AB8B14EBA0CC49DFE7768AF02320B044A19F939673E1EF31580CE650

Function 00C78CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C27DE1: _memmove.LIBCMT ref: 00C27E22

Part of subcall function 00C7AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C7AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00C78D6B

Strings

ComboBox, xrefs: 00C78D0A
ListBox, xrefs: 00C78D35

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: e73f00fbdbf9f238d11e4867ef8f82b610758d54ec44f21072425d34b3672a66
Instruction ID: 23321824002d48bfdc1a9234a858f7cb9d54ac715944930539256b3b69f2f051
Opcode Fuzzy Hash: e73f00fbdbf9f238d11e4867ef8f82b610758d54ec44f21072425d34b3672a66
Instruction Fuzzy Hash: 3301D471A81119ABCF24EBA0C956EFF77A89F25350F104129B909672D1DE215E0CE671

Function 00C78D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C27DE1: _memmove.LIBCMT ref: 00C27E22

Part of subcall function 00C7AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C7AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00C78DEE

Strings

ComboBox, xrefs: 00C78D8F
ListBox, xrefs: 00C78DBA

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 74259358bcdb8116d973b2562bc0bc193b6b44b506f222ec5a889aff5eaa0bf9
Instruction ID: ed87cd0d03a44a4a5c724560ecb06e0fccb2b90682790e20cda1545f2cd13532
Opcode Fuzzy Hash: 74259358bcdb8116d973b2562bc0bc193b6b44b506f222ec5a889aff5eaa0bf9
Instruction Fuzzy Hash: 9801F771A81119A7CB25E6A4C946EFF77AC8F21310F104115B919732D1DE214E0DF671

Function 00C84F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00C84F46
_wcscmp.LIBCMT ref: 00C84F58

Strings

#32770, xrefs: 00C84F52

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 238a4508532c185059757cb8cde4006c9297408f52a4e14f2537a058ddd635e0
Instruction ID: baf66529ad38aa0cd86475a360b58b72af8834a3bcf4995aab51e4436ff89e97
Opcode Fuzzy Hash: 238a4508532c185059757cb8cde4006c9297408f52a4e14f2537a058ddd635e0
Instruction Fuzzy Hash: 70E0D8336006292BE720AB99AC49FABF7ACEB95B71F00016BFD14D7151E9709B4587E0

Function 00C5B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00C5B314: _memset.LIBCMT ref: 00C5B321

Part of subcall function 00C40940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00C5B2F0,?,?,?,00C2100A), ref: 00C40945

IsDebuggerPresent.KERNEL32(?,?,?,00C2100A), ref: 00C5B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00C2100A), ref: 00C5B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00C5B2FE

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 73be8adbf46cde640ca488a8e1c8ebccc9efd7b53e7346d0f5af53c8c088b7c9
Instruction ID: b7e794b967135023ed5d3dbb8e6ad37eaa82e6727a8b09485465b221a8e61961
Opcode Fuzzy Hash: 73be8adbf46cde640ca488a8e1c8ebccc9efd7b53e7346d0f5af53c8c088b7c9
Instruction Fuzzy Hash: 83E012B42007518FDB20DF68E5047467BE4BF0471AF108A7DE896D7662EBF4D889CBA1

Function 00C77C74 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00C77C82

Part of subcall function 00C43358: _doexit.LIBCMT ref: 00C43362

Strings

Error allocating memory., xrefs: 00C77C7B
AutoIt, xrefs: 00C77C76

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: a8d0a0bad4e590ed8fe87fe769696489f9e0327a176df5c92a86f06e000580b9
Instruction ID: fcf008c98110cdd7be308bc50184505b3128d2977c14cbf5c3509355aa08f0e1
Opcode Fuzzy Hash: a8d0a0bad4e590ed8fe87fe769696489f9e0327a176df5c92a86f06e000580b9
Instruction Fuzzy Hash: E3D05B323C436837D11532A96D07FDE79485F05B56F144436FF08595D349E1459151F5

Function 00C61935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00C61775

Part of subcall function 00C9BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00C6195E,?), ref: 00C9BFFE
Part of subcall function 00C9BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00C9C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00C6196D

Strings

WIN_XPe, xrefs: 00C61788

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: edbaac1646eac920ac3fa466209d7a38a848bcda2df545903da41a6a554d2a10
Instruction ID: c50cd39b76ba66c745e5ce93217f9bf982cb0528a468aa34d924a0ae63fecf3b
Opcode Fuzzy Hash: edbaac1646eac920ac3fa466209d7a38a848bcda2df545903da41a6a554d2a10
Instruction Fuzzy Hash: 1EF0C971801109DFDB25DB91D9C8BECBBF8AB18306F580095E512A70A0D7719F85DF60

Function 00CA5998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CA59AE
PostMessageW.USER32(00000000), ref: 00CA59B5

Part of subcall function 00C85244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C852BC

Strings

Shell_TrayWnd, xrefs: 00CA59A7

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a9ee26cfb14f9a70da15f42a37e4f6bc8d33995c2387b1f9745de6c1bf66ce87
Instruction ID: 72522064b75b14475a0a890ec6d711f789218411af13f3b1fcf8a8523d5c1cf0
Opcode Fuzzy Hash: a9ee26cfb14f9a70da15f42a37e4f6bc8d33995c2387b1f9745de6c1bf66ce87
Instruction Fuzzy Hash: FAD0C9317843117AE664BBB0AC4BF9B6664AB05B54F00083AB345AB1D0D9F0A801C658

Function 00CA5964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CA596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00CA5981

Part of subcall function 00C85244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C852BC

Strings

Shell_TrayWnd, xrefs: 00CA5967

Memory Dump Source

Source File: 00000000.00000002.2306475269.0000000000C21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.2306450753.0000000000C20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306549125.0000000000CD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306594000.0000000000CDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2306613100.0000000000CE7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_conferma.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: df6a8fc9572f443dccb4df2267ab451db5df61bd51fa75f83c4e0909846416f7
Instruction ID: e586a9518227ebc96a85d39b51a7706ce4ee7a325ce1548581d615c08c6dffc5
Opcode Fuzzy Hash: df6a8fc9572f443dccb4df2267ab451db5df61bd51fa75f83c4e0909846416f7
Instruction Fuzzy Hash: 04D0C935784311B6E664BBB0AC4BF9B6A64AB01B54F00083AB349AB1D0D9F09801C654

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report conferma..exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegSvcs.exe_bfd87b7ea0584859ac8cca28a4eb33afabceb_91a5ebd2_42d4d99a-0729-44f7-96fd-9a69e014a27d\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF262.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF61C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF66B.tmp.xml

C:\Users\user\AppData\Local\Temp\autD43B.tmp

C:\Users\user\AppData\Local\Temp\drawlingly

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
conferma..exe

Function 00C23B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00C249A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00C24E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00C89155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00C2301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00C23041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00C2708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00C23A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00C23633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00C23766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 018771E0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00C239D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01876FA0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 146
fileCOMMON

Function 00C2407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Function 00C4541D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre