Edit tour

Windows Analysis Report
RFQ_#24429725,pdf.exe

Overview

General Information

Sample name:	RFQ_#24429725,pdf.exe
Analysis ID:	1576556
MD5:	98c8ad44f3883561b9ec33744763f556
SHA1:	54d00d5fc3a5c1c287c371699b027b83afbd3be2
SHA256:	e508e38d56c2d0c62b80bf11aeb4af982e5ce44e925c4858c725db2ba02aca2d
Tags:	exeuser-julianmckein
Infos:

Detection

AsyncRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected AsyncRAT

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Found API chain indicative of sandbox detection

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected Generic Downloader

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

RFQ_#24429725,pdf.exe (PID: 6024 cmdline: "C:\Users\user\Desktop\RFQ_#24429725,pdf.exe" MD5: 98C8AD44F3883561B9EC33744763F556)

RegSvcs.exe (PID: 3108 cmdline: "C:\Users\user\Desktop\RFQ_#24429725,pdf.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware Configuration

Threatname: AsyncRAT

{"Server": "oshaduck123.duckdns.org", "Port": "6606,7707,8808", "Version": "0.5.8", "MutexName": "ZWwiD1mukwdK", "Autorun": "false", "Group": "null"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.3406481757.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000002.00000002.3406481757.0000000000402000.00000040.80000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x97b5:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000000.00000002.2178726682.0000000001870000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000002.2178726682.0000000001870000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.2178726682.0000000001870000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x9923:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x66ff:$a3: get_ActivatePong 0x9b3b:$a4: vmware 0x99b3:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x745a:$a6: get_SslClient
00000000.00000002.2178726682.0000000001870000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x99b5:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: RFQ_#24429725,pdf.exe PID: 6024	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: RFQ_#24429725,pdf.exe PID: 6024	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 3108	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 3108	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x2d74f:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.RFQ_#24429725,pdf.exe.1870000.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.RFQ_#24429725,pdf.exe.1870000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.RFQ_#24429725,pdf.exe.1870000.1.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x9923:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x66ff:$a3: get_ActivatePong 0x9b3b:$a4: vmware 0x99b3:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x745a:$a6: get_SslClient
0.2.RFQ_#24429725,pdf.exe.1870000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x99b5:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.RFQ_#24429725,pdf.exe.1870000.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.RFQ_#24429725,pdf.exe.1870000.1.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x7b23:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x8e38:$a2: Stub.exe 0x8ec8:$a2: Stub.exe 0x48ff:$a3: get_ActivatePong 0x7d3b:$a4: vmware 0x7bb3:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x565a:$a6: get_SslClient
0.2.RFQ_#24429725,pdf.exe.1870000.1.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x7bb5:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x9923:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x66ff:$a3: get_ActivatePong 0x9b3b:$a4: vmware 0x99b3:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x745a:$a6: get_SslClient
2.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x99b5:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Click to see the 6 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000002.00000002.3407624996.0000000003271000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: AsyncRAT {"Server": "oshaduck123.duckdns.org", "Port": "6606,7707,8808", "Version": "0.5.8", "MutexName": "ZWwiD1mukwdK", "Autorun": "false", "Group": "null"}

Multi AV Scanner detection for submitted file

Source: RFQ_#24429725,pdf.exe	Virustotal: Detection: 37%			Perma Link
Source: RFQ_#24429725,pdf.exe	ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: RFQ_#24429725,pdf.exe

Joe Sandbox ML: detected

Source: RFQ_#24429725,pdf.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: RFQ_#24429725,pdf.exe, 00000000.00000003.2176855604.0000000004310000.00000004.00001000.00020000.00000000.sdmp, RFQ_#24429725,pdf.exe, 00000000.00000003.2176675088.0000000004170000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RFQ_#24429725,pdf.exe, 00000000.00000003.2176855604.0000000004310000.00000004.00001000.00020000.00000000.sdmp, RFQ_#24429725,pdf.exe, 00000000.00000003.2176675088.0000000004170000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00D2DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00D2DBBE
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00CFC2A2 FindFirstFileExW,	0_2_00CFC2A2
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00D368EE FindFirstFileW,FindClose,	0_2_00D368EE
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00D3698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00D3698F
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00D2D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00D2D076
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00D2D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00D2D3A9
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00D39642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D39642
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00D3979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D3979D
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00D39B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00D39B2B
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00D35C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00D35C97

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: oshaduck123.duckdns.org

Uses dynamic DNS services

Source: unknown

DNS query: name: oshaduck123.duckdns.org

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.RFQ_#24429725,pdf.exe.1870000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2178726682.0000000001870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: Joe Sandbox View	IP Address: 192.169.69.26 192.169.69.26
Source: Joe Sandbox View	IP Address: 192.169.69.26 192.169.69.26

Source: Joe Sandbox View

ASN Name: WOWUS WOWUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

Code function: 0_2_00D3CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_00D3CE44

Source: global traffic

DNS traffic detected: DNS query: oshaduck123.duckdns.org

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.RFQ_#24429725,pdf.exe.1870000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ_#24429725,pdf.exe.1870000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3406481757.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2178726682.0000000001870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ_#24429725,pdf.exe PID: 6024, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3108, type: MEMORYSTR

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

Code function: 0_2_00D3EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00D3EAFF

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

Code function: 0_2_00D3ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00D3ED6A

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

0_2_00D3EAFF

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

Code function: 0_2_00D2AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00D2AA57

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

Code function: 0_2_00D59576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00D59576

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.RFQ_#24429725,pdf.exe.1870000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.RFQ_#24429725,pdf.exe.1870000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.RFQ_#24429725,pdf.exe.1870000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.RFQ_#24429725,pdf.exe.1870000.1.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000002.00000002.3406481757.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000002.2178726682.0000000001870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000000.00000002.2178726682.0000000001870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 3108, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: RFQ_#24429725,pdf.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: RFQ_#24429725,pdf.exe, 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b2facbc0-9
Source: RFQ_#24429725,pdf.exe, 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_c274f044-7
Source: RFQ_#24429725,pdf.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_fd936f47-1
Source: RFQ_#24429725,pdf.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_07589568-0

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: RFQ_#24429725,pdf.exe

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

Code function: 0_2_00D2D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00D2D5EB

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

Code function: 0_2_00D21201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00D21201

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

Code function: 0_2_00D2E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00D2E8F6

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00D32046	0_2_00D32046
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00CC8060	0_2_00CC8060
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00D28298	0_2_00D28298
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00CFE4FF	0_2_00CFE4FF
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00CF676B	0_2_00CF676B
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00D54873	0_2_00D54873
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00CCCAF0	0_2_00CCCAF0
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00CECAA0	0_2_00CECAA0
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00CDCC39	0_2_00CDCC39
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00CF6DD9	0_2_00CF6DD9
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00CC91C0	0_2_00CC91C0
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00CDB119	0_2_00CDB119
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00CE1394	0_2_00CE1394
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00CE781B	0_2_00CE781B
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00CD997D	0_2_00CD997D
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00CC7920	0_2_00CC7920
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00CE7A4A	0_2_00CE7A4A
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00CE7CA7	0_2_00CE7CA7
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00CF9EEE	0_2_00CF9EEE
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00D4BE44	0_2_00D4BE44
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_01B2BDE8	0_2_01B2BDE8

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: String function: 00CE0A30 appears 46 times
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: String function: 00CC9CB3 appears 31 times
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: String function: 00CDF9F2 appears 40 times

Source: RFQ_#24429725,pdf.exe, 00000000.00000003.2177193488.0000000004293000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ_#24429725,pdf.exe
Source: RFQ_#24429725,pdf.exe, 00000000.00000003.2175112511.000000000443D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ_#24429725,pdf.exe
Source: RFQ_#24429725,pdf.exe, 00000000.00000002.2178726682.0000000001870000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameStub.exe" vs RFQ_#24429725,pdf.exe

Source: RFQ_#24429725,pdf.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.RFQ_#24429725,pdf.exe.1870000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.RFQ_#24429725,pdf.exe.1870000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.RFQ_#24429725,pdf.exe.1870000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.RFQ_#24429725,pdf.exe.1870000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000002.00000002.3406481757.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000002.2178726682.0000000001870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000000.00000002.2178726682.0000000001870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: RegSvcs.exe PID: 3108, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys

Source: 0.2.RFQ_#24429725,pdf.exe.1870000.1.raw.unpack, Settings.cs

Base64 encoded string: 'YNgyYAq4QNgLJletPDX2vX6o1U7y/+PLSpZXuoWI5bk4xjzpfvlccu+O2HtbrBxX9O/1YqF/osLIJY9WRvBECg==', '+Jlf4jFWw9sLiZKKLTzoID5b7tqnzO2zktlGuLxQxAioQIulWS60dE3uwzMNzeVO7BpT4KBMCBoOaM+V4kEZ1pV9gUzvZ9GIhO+xBFXFElM=', 'nV9r0buqY2QHGTeuF+x+rNjEKeL9xuKyiS3r9b+AorN7jDlQsDzWiJb5/SgGDTk0NXwSRHUxkVc5s5Mlq/5Kcg==', 'kS1wFLYiFuObKAQh+k2fghorlr25JCdJxXcqCEjHH1A130GYGiEflRU/oCBYGbGsj3e1G/69kg/oRFFspFUjc6odM4oN8v63g0SMV9neFdBGRiaOZthxP9DqfPCpYsDNw/tciUcpdX+ZvHxnacJxV1s8rWLsIS6BZP2xb0ctQaBmYgLHZRa878R9Chav20RB9UkmkhH9hsG7JR0FiwssV8VRjIj7PWZFQj9YKMD4RFY/SEaEgsZqaSQfohZcLU6M9J4fM6OcgBAeoXKr1XNp6OSyYZi+vCn4S4sK7g/RDkOygVuRGyIyfEtZYG5a1PY9rlY8DCDemEt8D41LFsKqBtnb6yi18dyaEx4INZ0CwyC2nE1SIzi+a3AokxagFf+1JU0ISZYX+56Jcu9shokeXaainGYgubF+4sYm8wFwn0y779HULjPp4LzqBbTS4VdGZv0+Ayg5RKnTK6jsAlyUKLv2ItUYWB4kb53MOHTYwlvEB4VyhAFlxqSNbLNFRZ7EemFpB6lXlz3bWgTEB59Ay0L9O4iSAutqGqZLGARR8Wcz3R1b08hPrGFKfr6uNnGNUsMQeYo9AhHlxCtK3daOW3B82KISlB5KcyrSjoBLmtfxpA8iXzROCtwBcFSh5E578mz7Z9WL8m5TdvEDKeyCXEASh2a7q5oOFZoXI/D5XAbW6MOWNx94bFHYp+8AlprXIvN654wZf3AgmCl3/tL5/Xinxe2dU1Kd3cMyaOx0Mdm2cNVZFeeLCEmADeJ1BC8oqn0REQ6KTZAslOJqW0YB4DIE/Dt/BNQzZ7t7BaYY7qRIr1c1DqdYQf0+rKM5EsKe292cUcYYRpv9zPNpu4EXb+BdjB452X+0n1WiRRnEfGPSZ8Xd3ZHoy+Fi9Oh9YwjOazmAh8yeXRouKjDqi2u43ETLUmq30sUDVC32sqvWqrH6YHNQWeX7Vr4gGAxH61z2c9tNKJdVUcZrlIYURIiFmEQbK/ABIKHZxwwA1PjqQ/6WbwnNWygFtBK+0rwwxt4XMbhjE/J0heZBGKWkYZKvWK/JhvrC40Spn7Lr3Lsb5qjoFeWhaf6Lqi4HpHWTln1afl1Fl1gyQFjHTAHvGq3i/HAyiXIgh/fG0pqzRAD8YpTlMQn8yHhQAwWOgQpEmyTr8lSGtIM+f4Be5Veq/+2XK9ar7DChW/+keKb6wZ9YvgHiT5OqKmYMg/ormsxSXi3qvLxqYKjIPlsAiPBnkp97p3iQuqoBG6mbmKF+OAUHIQ+K7sXJSHMxLJb7mZYqNMgS72HxfmlbxWWt8gztKJ79pJ7UCpnvoWunwnffrTo1N6x5kSOyjqlQAYfaeK2iOH3mw1CfBpurIqm/aeg985PhM7J+8KQMmyFCG9qpu6U0E+B+deisfGjA7przGBRtSP7nfifIEQ3/zzUPLM2JfKRoLXrZWxcGNUFMbyE7y8XvI/gBrp+XZQnuTXg+UmJXpVf7hWKIC5ht+HztKwR+iIjDyChcNbGHKgzN30PGqneGYB4ZDDk8UFEtc+1gNrTLlp9sDIXAsDoiWQ9+5lPSYGixYxzjcYOAe38WKi6TiAzodgxVo5UJbb5Q2B3klNNYwx8VEscGSaFJ6ht3H0GlJpjOluqmHslF1D4W9FeyenfoMGkrtkjbbnFjfr5OMJuYzf41nmWETMGf0m9Fi8XqyvtLMVBjpiX2vMjiaYKpL5YG1VmIysRwXbG3oMa40L8MM70mkLXsUiSX+Q+HXEHRT1wuRUA5ojdHB7FGPORuejdNG+quvVXX7QCQpBYDyvyWRKq0oeOIsft/btYAEa8vah7/4vhrk2SVp/lUq+s0lk74f4w8KOwW7zjv8D+MonfqzfIr6fV+RbCwRzEkA8cRa9KmXeEv3ivxoljrIM2Q47kP+4ma4ravHDb7Rm0Emyt9ziWH//jLcVS7jd/fWLfE9DDv2WROGKDAuXirJz4F88ZefhwB1F2zLHdkWE+ucAuO2jgavUyaEC23OKuIjvwL4T1p0GQf6mXGnoVbFO9JYNwgbGaPuAQXyun2/Wu7vxLnHjFytjt9jnbAFSixg83GOxQ9eCYGumngY1n12EqLS+1FrRA6jO2mWWLA/MuypnUhcXTGLsHGfcmEFuZTXlR513wlkItqt396XE9cI/L9JLTgq6LzbkjtoQM6ejjk9yFtBu0TrOiBt/ERm5KhEgKkYn+mNNOqNmDOkZKL9U8Qs/6noJZvdHzswDa7TbTRY8OPPycR9mWdqs8lDK6l2OrApTypYRTzI9ZxeAX/xFSnoGBoSg2lJv9ZRXEsobRsHefvz1fEnDmZIAJ0lY5JHIROAxnoKULXV6RVgUJfhwwzNSQ9x84=', 'xYXm2TtNzNkwRHAor9clEVI2++f8TREMlW2vILUwWt3R8I8yBzm5IWMEnucat5MpWxRCxi3SbTJV5v7PqceBfSMWSUDdttUi+k4BYh3mnhWIpetiQ1MjddvAFjsdAB994HcPSIZLwDmfS1a+3qcB80i4cofS+CiKoy+BN0OHcQOwqmdJixN/BQyudN+eT9Ei8WZlBniXyw/MzFjU1xJXYGtPUi3AVNeuCDrG4TyjmOMFt+wr2udGMrjM0cGHzmG24p1iZuhNKqt9T7Z/8ZdiMmq+8OQ8bmBKk/T6aUwzH/VpjKFTyh7kihQSezKzNIiJTp2D7lyyx8o2XGlWXwoUhmWt5rw/vVn

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/2@2/1

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

Code function: 0_2_00D337B5 GetLastError,FormatMessageW,

0_2_00D337B5

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00D210BF AdjustTokenPrivileges,CloseHandle,		0_2_00D210BF
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00D216C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00D216C3

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

Code function: 0_2_00D351CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00D351CD

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

Code function: 0_2_00D4A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00D4A67C

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

Code function: 0_2_00D3648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00D3648E

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

Code function: 0_2_00CC42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00CC42A2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\ZWwiD1mukwdK

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

File created: C:\Users\user\AppData\Local\Temp\autFCDA.tmp

Jump to behavior

Source: RFQ_#24429725,pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RFQ_#24429725,pdf.exe	Virustotal: Detection: 37%
Source: RFQ_#24429725,pdf.exe	ReversingLabs: Detection: 52%

Source: unknown	Process created: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe "C:\Users\user\Desktop\RFQ_#24429725,pdf.exe"
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\RFQ_#24429725,pdf.exe"
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\RFQ_#24429725,pdf.exe"	Jump to behavior

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: RFQ_#24429725,pdf.exe

Static file information: File size 1093120 > 1048576

Source: RFQ_#24429725,pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: RFQ_#24429725,pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: RFQ_#24429725,pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: RFQ_#24429725,pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: RFQ_#24429725,pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: RFQ_#24429725,pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: RFQ_#24429725,pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: RFQ_#24429725,pdf.exe, 00000000.00000003.2176855604.0000000004310000.00000004.00001000.00020000.00000000.sdmp, RFQ_#24429725,pdf.exe, 00000000.00000003.2176675088.0000000004170000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RFQ_#24429725,pdf.exe, 00000000.00000003.2176855604.0000000004310000.00000004.00001000.00020000.00000000.sdmp, RFQ_#24429725,pdf.exe, 00000000.00000003.2176675088.0000000004170000.00000004.00001000.00020000.00000000.sdmp

Source: RFQ_#24429725,pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: RFQ_#24429725,pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: RFQ_#24429725,pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: RFQ_#24429725,pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: RFQ_#24429725,pdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

Code function: 0_2_00CC42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00CC42DE

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

Code function: 0_2_00CE0A76 push ecx; ret

0_2_00CE0A89

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.RFQ_#24429725,pdf.exe.1870000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ_#24429725,pdf.exe.1870000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3406481757.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2178726682.0000000001870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ_#24429725,pdf.exe PID: 6024, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3108, type: MEMORYSTR

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00CDF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00CDF98E
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00D51C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00D51C41

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: RFQ_#24429725,pdf.exe PID: 6024, type: MEMORYSTR

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.RFQ_#24429725,pdf.exe.1870000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ_#24429725,pdf.exe.1870000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3406481757.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2178726682.0000000001870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ_#24429725,pdf.exe PID: 6024, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3108, type: MEMORYSTR

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97301

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

API/Special instruction interceptor: Address: 1B2BA0C

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RFQ_#24429725,pdf.exe, 00000000.00000002.2178726682.0000000001870000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3406481757.0000000000402000.00000040.80000000.00040000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

API coverage: 3.8 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00D2DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00D2DBBE
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00CFC2A2 FindFirstFileExW,	0_2_00CFC2A2
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00D368EE FindFirstFileW,FindClose,	0_2_00D368EE
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00D3698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00D3698F
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00D2D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00D2D076
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00D2D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00D2D3A9
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00D39642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D39642
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00D3979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D3979D
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00D39B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00D39B2B
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00D35C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00D35C97

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

Code function: 0_2_00CC42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00CC42DE

Source: RegSvcs.exe, 00000002.00000002.3406481757.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: vmware
Source: RegSvcs.exe, 00000002.00000002.3407171395.0000000001747000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllH[

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

Code function: 0_2_00D3EAA2 BlockInput,

0_2_00D3EAA2

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

Code function: 0_2_00CF2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00CF2622

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

Code function: 0_2_00CC42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00CC42DE

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00CE4CE8 mov eax, dword ptr fs:[00000030h]	0_2_00CE4CE8
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_01B2A648 mov eax, dword ptr fs:[00000030h]	0_2_01B2A648
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_01B2BCD8 mov eax, dword ptr fs:[00000030h]	0_2_01B2BCD8
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_01B2BC78 mov eax, dword ptr fs:[00000030h]	0_2_01B2BC78

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

Code function: 0_2_00D20B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00D20B62

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00CF2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00CF2622
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00CE083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00CE083F
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00CE09D5 SetUnhandledExceptionFilter,	0_2_00CE09D5
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00CE0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00CE0C21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 10B5008

Jump to behavior

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

0_2_00D21201

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

Code function: 0_2_00D02BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00D02BA5

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

Code function: 0_2_00D2B226 SendInput,keybd_event,

0_2_00D2B226

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

Code function: 0_2_00D422DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00D422DA

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\RFQ_#24429725,pdf.exe"

Jump to behavior

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

0_2_00D20B62

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

Code function: 0_2_00D21663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00D21663

Source: RFQ_#24429725,pdf.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RFQ_#24429725,pdf.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

Code function: 0_2_00CE0698 cpuid

0_2_00CE0698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

Code function: 0_2_00D38195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00D38195

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

Code function: 0_2_00D1D27A GetUserNameW,

0_2_00D1D27A

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

Code function: 0_2_00CFB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00CFB952

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe

Code function: 0_2_00CC42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00CC42DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.RFQ_#24429725,pdf.exe.1870000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ_#24429725,pdf.exe.1870000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3406481757.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2178726682.0000000001870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ_#24429725,pdf.exe PID: 6024, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3108, type: MEMORYSTR

Source: RFQ_#24429725,pdf.exe	Binary or memory string: WIN_81
Source: RFQ_#24429725,pdf.exe	Binary or memory string: WIN_XP
Source: RFQ_#24429725,pdf.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: RFQ_#24429725,pdf.exe	Binary or memory string: WIN_XPe
Source: RFQ_#24429725,pdf.exe	Binary or memory string: WIN_VISTA
Source: RFQ_#24429725,pdf.exe	Binary or memory string: WIN_7
Source: RFQ_#24429725,pdf.exe	Binary or memory string: WIN_8

Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00D41204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00D41204
Source: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe	Code function: 0_2_00D41806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00D41806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Scheduled Task/Job	2 Valid Accounts	121 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	127 System Information Discovery	Distributed Component Object Model	Input Capture	21 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	321 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
RFQ_#24429725,pdf.exe	38%	Virustotal		Browse
RFQ_#24429725,pdf.exe	53%	ReversingLabs	Win32.Trojan.AutoitInject
RFQ_#24429725,pdf.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
oshaduck123.duckdns.org	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
oshaduck123.duckdns.org	192.169.69.26	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
oshaduck123.duckdns.org	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.169.69.26	oshaduck123.duckdns.org	United States		23033	WOWUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1576556
Start date and time:	2024-12-17 08:59:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RFQ_#24429725,pdf.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/2@2/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 45 Number of non-executed functions: 298
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.218.208.109, 40.126.53.12, 20.223.35.26, 20.223.36.55, 13.107.246.63, 2.18.40.136, 20.12.23.50, 150.171.28.10, 2.16.158.90, 20.103.156.88
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, tse1.mm.bing.net, g.bing.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net
Execution Graph export aborted for target RegSvcs.exe, PID 3108 because it is empty
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtReadVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
192.169.69.26	f5ATZ1i5CU.exe	Get hash	malicious	RedLine, XWorm	Browse	duclog23.duckdns.org:37552/
	SX8OLQP63C.exe	Get hash	malicious	VjW0rm, AsyncRAT, RATDispenser	Browse	yuya0415.duckdns.org:1928/Vre
	confirmaci#U00f3n y correcci#U00f3n de la direcci#U00f3n de entrega.vbs	Get hash	malicious	Unknown	Browse	servidorarquivos.duckdns.org/e/e
	oKtkBYZMWl.exe	Get hash	malicious	Unknown	Browse	csacsadhe.duckdns.org/byfronbypass.html/css/mss/Arzgohi.mp3
	oKtkBYZMWl.exe	Get hash	malicious	Unknown	Browse	csacsadhe.duckdns.org/byfronbypass.html/css/mss/Arzgohi.mp3
	http://yvtplhuqem.duckdns.org/ja/	Get hash	malicious	Unknown	Browse	yvtplhuqem.duckdns.org/ja/
	http://fqqqffcydg.duckdns.org/en/	Get hash	malicious	Unknown	Browse	fqqqffcydg.duckdns.org/en/
	http://yugdzvsqnf.duckdns.org/en/	Get hash	malicious	Unknown	Browse	yugdzvsqnf.duckdns.org/en/
	&nuevo_pedido#..vbs	Get hash	malicious	Unknown	Browse	servidorarquivos.duckdns.org/e/e
	transferencia_Hsbc.xlsx	Get hash	malicious	Unknown	Browse	servidorarquivos.duckdns.org/e/e

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
oshaduck123.duckdns.org	hesaphareketi-01.pdf.exe	Get hash	malicious	AsyncRAT	Browse	192.169.69.26

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WOWUS	hesaphareketi-01.pdf.exe	Get hash	malicious	AsyncRAT	Browse	192.169.69.26
	seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	192.169.69.26
	sweetnesswithgreatnessiwthbestthingswithmebackickmegreatthings.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	192.169.69.26
	1734388385543fca13ccf5614dc71c1922a5cd8cddeb80fc9e4bce55f618d2232c3744cd06117.dat-decoded.exe	Get hash	malicious	Remcos	Browse	192.169.69.26
	x295IO8kqM.exe	Get hash	malicious	Remcos	Browse	192.169.69.26
	zvXPSu3dK5.exe	Get hash	malicious	AsyncRAT	Browse	192.169.69.26
	173398584769f9c5bcf28a71f77fba1335e77fe6b4cc4f05afc05fdd9f5830429be0bc9fb5758.dat-decoded.exe	Get hash	malicious	Remcos	Browse	192.169.69.26
	nicegirlforyou.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	192.169.69.26
	1733858044e64c59622ab494dda2ff98fce76991f7e15e513d6a3620e7f58ad7cc67d3889c571.dat-decoded.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	192.169.69.26
	f5ATZ1i5CU.exe	Get hash	malicious	RedLine, XWorm	Browse	192.169.69.26

Process:	C:\Users\user\Desktop\RFQ_#24429725,pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	46080
Entropy (8bit):	6.7179085401983345
Encrypted:	false
SSDEEP:	768:wQG7JgwdKzwV4SXyqpAv8A+mpYscemds/vSyOwDeRODj6pm2aT5/ElDJ7vJ:wL15dKzwV3jA01mWsNmdK/DDeRkElDJN
MD5:	72D93B71C1911C7BCFBE41E07D487867
SHA1:	03924179C1881490AB8C049713DAFECA7C250E20
SHA-256:	C65E73E8FB648102FB95C5F4D6A08C97E51791DCD099E179742CD997096DD176
SHA-512:	A7A0DF7F12723B255E6F2582978AAA906A68156DC6FCDBC2747E48C51EF281A26807D9B5B4F2A2E0C33D349E2DB70896B0A8648B3892DEA2809C2F26A972BDDC
Malicious:	false
Reputation:	low
Preview:	.k.AYLMSHUNG.WL.TK8SGOS.1FAZLMSLUNG2UWLATK8SGOSY1FAZLMSLUNG.UWLOK.6S.F.x.G..m.;%&n7@:0> 9k[2)!<-.$$z>8=l< gv..l,;/]}JBY}1FAZLMS..NG~TTL..f]SGOSY1FA.LORGTFG2.WLA^K8SGOSW.FAZlMSL.NG2U.LAtK8SEOS]1FAZLMSHUNG2UWLAtJ8SEOSY1FAXL..LU^G2EWLAT[8SWOSY1FAJLMSLUNG2UWL..K8.GOSY.FA.KMSLUNG2UWLATK8SGOSY1GAVLMSLUNG2UWLATK8SGOSY1FAZLMSLUNG2UWLATK8SGOSY1FAZLMSLuNG:UWLATK8SGOSQ.FA.LMSLUNG2UWLo .@'GOSM.FAZlMSL.NG2WWLATK8SGOSY1FAzLM3b'=5QUWL.SK8S.OSY9FAZ.MSLUNG2UWLATK8.GO.wC#-5/MS@UNG2UVLAVK8S.OSY1FAZLMSLUNGrUW.ATK8SGOSY1FAZLMS..NG2UWL.TK8QGJS.hFA. MSOUNG3UWJATK8SGOSY1FAZLMSLUNG2UWLATK8SGOSY1FAZLMSLUNG2UWL..Un...h.(Dej.5.Lh...K5......v.w1iA.LMSRWf_2U]f[X8SCeM[.UAZHgI2ANG6.IN.@K8WmU-L1FEpRO.YUNC.O)ZATO.ME.EY1Bk@2ZSLQdY0.@LAPa"-_OS].XC.TMSH.T9+UWHkJI.JGOWs+8[ZLIyV+UG2Q}RC.P8SCeI'-FA^fSQ.ING6.M2\TK<yYM.D1FEpfO{rUNM$.Tfs@8SCL<f1FKpb>KLUD.(UWHk.c.SGIiq1FArfMSJoPG2U.gATM.GGOSq.FA\vGSLUfo2UQuGTK8Go9SY;l.r.MSF&.G2_wlCTKW.GOYs_8_ZLIj\UNGLKWLE;.8SM[.G1FEp23\LUJo%UWFx[K8So.SY7.DZLM{.UNA..%.dT;FCGOWq^FAP.nSLQd.A.WL

C:\Users\user\AppData\Local\Temp\autFCDA.tmp

Download File

Process:	C:\Users\user\Desktop\RFQ_#24429725,pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	39480
Entropy (8bit):	7.787521181642085
Encrypted:	false
SSDEEP:	768:I7puMbEvznYMaeav1FA968EVzUcyoRl3hYN1fPJJk:2uf7nYPF5tVzg1nDk
MD5:	6DBFAF8E96A5F88CF6E40ACB5253B807
SHA1:	5F38FED43513EF10938D36A82F96B06DB3779FCC
SHA-256:	4BB9F5E232D02748C80B1A19525D45095A8D5D4CE030ECE0D26785A2E53D31CD
SHA-512:	42BE4FBB569EC4C11218C9830E78691B175FF181972D97073B30266B0E344B0DD992BB96D7A8F56FEE4E618FAC174CDC7715E6FBF7501B00A158AFF613C63B5C
Malicious:	false
Reputation:	low
Preview:	EA06.....Z....2.S.Ui.~n..L..)s....S..h.....L..&UZ.2..1....v@..>..T.tl...G....Mn..'S..sk..2..#$.^...y ..PKd.w/..iT...#1.:.~.U).O......2.R..(.y.....<b...0-.....A..(7@...O..@.3H.....1.$5.d7.L...(..[.T......lw....#...F.A...<>z=.......}.Zu.t.1.F.A...v. .P$...7,......W.H.oT.l..'..j .....0i........x.btz\|N.C..f..mN..1U..........nUZ.8....d..1...4zUO[h.PrR.mN..`L.zP....1....n.b...\..e.zf..e.1..R.\........+...A.......2..l.UbqS..i...V.Z.Y.3.:.6..i....qW..e....p.S.u..:....kT..>%M......@.V.t...0..)....E-........T../.I..W.Z.T...O...s..j.I..uZ<.}.P......'..5.5N...<4.r.K.^k4....S.w.:.$..,.9U....O,..5..b.R.Z'.P...q....i....+56.J...B....T....$..-F....p...o.Uj7Z8..G..ju../r.Sjti7N.2...:......7:...PZ...2.W.Qg~i.N.[...$...L...Z.^.x......N.7...`..2.N.. rX...;.P.<..z.A.s-.$.....(....G..$..5.QF.....eS.q@*...O..{4Z.j.Y..+.L....P.0..}].R....>._..y..e.y..x#WP...e..0..T.A..l..u.qV.T.5J.B<..\.....'{.........0...Y...a..-..U.eT.g-.0..GO...6.!..2....p..%a..ju...]A.S

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.816023350614193
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	RFQ_#24429725,pdf.exe
File size:	1'093'120 bytes
MD5:	98c8ad44f3883561b9ec33744763f556
SHA1:	54d00d5fc3a5c1c287c371699b027b83afbd3be2
SHA256:	e508e38d56c2d0c62b80bf11aeb4af982e5ce44e925c4858c725db2ba02aca2d
SHA512:	10826e4abc66c19ef106c91332cd0fab7b2e29975781a66570136aa507e296ffa43f7f62eeb634321f2ba442589550a52e43c0e57a2dab755ed29ea5ff5394aa
SSDEEP:	24576:6qDEvCTbMWu7rQYlBQcBiT6rprG8apS0MHt:6TvC/MTQYxsWR7apM
TLSH:	9735AE02B380D0A2FE5752734E9AE621467C6E6A0173D61F13993D39B9B16A2113FF73
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	82a88c96a29a8e53

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6760BE6D [Mon Dec 16 23:57:33 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F59892AF343h
jmp 00007F59892AEC4Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F59892AEE2Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F59892AEDFAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F59892B19EDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F59892B1A38h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F59892B1A21h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x343e4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x109000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x343e4	0x34400	e313254ee08f14dcf6310a0fe14aec9f	False	0.5777418510765551	data	7.151688818125161	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x109000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd4410	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4538	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	Great Britain	0.6781914893617021
RT_ICON	0xd49a0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	Great Britain	0.4383208255159475
RT_ICON	0xd5a48	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	Great Britain	0.33070539419087136
RT_ICON	0xd7ff0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	English	Great Britain	0.2756849315068493
RT_ICON	0xdc218	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	Great Britain	0.09768721164083757
RT_STRING	0xeca40	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xecfd4	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xed660	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xedaf0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xee0ec	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xee748	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xeebb0	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xeed08	0x191ad	data			1.0003987202053894
RT_GROUP_ICON	0x107eb8	0x4c	data	English	Great Britain	0.8026315789473685
RT_GROUP_ICON	0x107f04	0x14	data	English	Great Britain	1.15
RT_VERSION	0x107f18	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x107ff4	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 09:00:08.694617987 CET	49723	7707	192.168.2.6	192.169.69.26
Dec 17, 2024 09:00:08.814716101 CET	7707	49723	192.169.69.26	192.168.2.6
Dec 17, 2024 09:00:08.814840078 CET	49723	7707	192.168.2.6	192.169.69.26
Dec 17, 2024 09:00:08.828686953 CET	49723	7707	192.168.2.6	192.169.69.26
Dec 17, 2024 09:00:08.948451042 CET	7707	49723	192.169.69.26	192.168.2.6
Dec 17, 2024 09:00:19.182982922 CET	7707	49723	192.169.69.26	192.168.2.6
Dec 17, 2024 09:00:19.183187008 CET	49723	7707	192.168.2.6	192.169.69.26
Dec 17, 2024 09:00:24.200773001 CET	49723	7707	192.168.2.6	192.169.69.26
Dec 17, 2024 09:00:24.201788902 CET	49768	6606	192.168.2.6	192.169.69.26
Dec 17, 2024 09:00:24.320555925 CET	7707	49723	192.169.69.26	192.168.2.6
Dec 17, 2024 09:00:24.321583033 CET	6606	49768	192.169.69.26	192.168.2.6
Dec 17, 2024 09:00:24.321691036 CET	49768	6606	192.168.2.6	192.169.69.26
Dec 17, 2024 09:00:24.322107077 CET	49768	6606	192.168.2.6	192.169.69.26
Dec 17, 2024 09:00:24.441975117 CET	6606	49768	192.169.69.26	192.168.2.6
Dec 17, 2024 09:00:34.693953037 CET	6606	49768	192.169.69.26	192.168.2.6
Dec 17, 2024 09:00:34.694072008 CET	49768	6606	192.168.2.6	192.169.69.26
Dec 17, 2024 09:00:39.698781013 CET	49768	6606	192.168.2.6	192.169.69.26
Dec 17, 2024 09:00:39.699470043 CET	49814	8808	192.168.2.6	192.169.69.26
Dec 17, 2024 09:00:39.818546057 CET	6606	49768	192.169.69.26	192.168.2.6
Dec 17, 2024 09:00:39.819180012 CET	8808	49814	192.169.69.26	192.168.2.6
Dec 17, 2024 09:00:39.819247007 CET	49814	8808	192.168.2.6	192.169.69.26
Dec 17, 2024 09:00:39.819632053 CET	49814	8808	192.168.2.6	192.169.69.26
Dec 17, 2024 09:00:39.939408064 CET	8808	49814	192.169.69.26	192.168.2.6
Dec 17, 2024 09:00:50.172492027 CET	8808	49814	192.169.69.26	192.168.2.6
Dec 17, 2024 09:00:50.172580957 CET	49814	8808	192.168.2.6	192.169.69.26
Dec 17, 2024 09:00:55.182897091 CET	49814	8808	192.168.2.6	192.169.69.26
Dec 17, 2024 09:00:55.183794975 CET	49850	8808	192.168.2.6	192.169.69.26
Dec 17, 2024 09:00:55.302642107 CET	8808	49814	192.169.69.26	192.168.2.6
Dec 17, 2024 09:00:55.303570032 CET	8808	49850	192.169.69.26	192.168.2.6
Dec 17, 2024 09:00:55.303642035 CET	49850	8808	192.168.2.6	192.169.69.26
Dec 17, 2024 09:00:55.303919077 CET	49850	8808	192.168.2.6	192.169.69.26
Dec 17, 2024 09:00:55.423609018 CET	8808	49850	192.169.69.26	192.168.2.6
Dec 17, 2024 09:01:05.622981071 CET	8808	49850	192.169.69.26	192.168.2.6
Dec 17, 2024 09:01:05.623137951 CET	49850	8808	192.168.2.6	192.169.69.26
Dec 17, 2024 09:01:10.636116028 CET	49850	8808	192.168.2.6	192.169.69.26
Dec 17, 2024 09:01:10.756360054 CET	8808	49850	192.169.69.26	192.168.2.6
Dec 17, 2024 09:01:10.968379974 CET	49885	7707	192.168.2.6	192.169.69.26
Dec 17, 2024 09:01:11.088135958 CET	7707	49885	192.169.69.26	192.168.2.6
Dec 17, 2024 09:01:11.088591099 CET	49885	7707	192.168.2.6	192.169.69.26
Dec 17, 2024 09:01:11.088954926 CET	49885	7707	192.168.2.6	192.169.69.26
Dec 17, 2024 09:01:11.208656073 CET	7707	49885	192.169.69.26	192.168.2.6
Dec 17, 2024 09:01:21.436301947 CET	7707	49885	192.169.69.26	192.168.2.6
Dec 17, 2024 09:01:21.436409950 CET	49885	7707	192.168.2.6	192.169.69.26
Dec 17, 2024 09:01:26.448784113 CET	49885	7707	192.168.2.6	192.169.69.26
Dec 17, 2024 09:01:26.449790001 CET	49922	7707	192.168.2.6	192.169.69.26
Dec 17, 2024 09:01:26.568562984 CET	7707	49885	192.169.69.26	192.168.2.6
Dec 17, 2024 09:01:26.569621086 CET	7707	49922	192.169.69.26	192.168.2.6
Dec 17, 2024 09:01:26.569720984 CET	49922	7707	192.168.2.6	192.169.69.26
Dec 17, 2024 09:01:26.570101976 CET	49922	7707	192.168.2.6	192.169.69.26
Dec 17, 2024 09:01:26.689827919 CET	7707	49922	192.169.69.26	192.168.2.6
Dec 17, 2024 09:01:36.899430990 CET	7707	49922	192.169.69.26	192.168.2.6
Dec 17, 2024 09:01:36.899514914 CET	49922	7707	192.168.2.6	192.169.69.26
Dec 17, 2024 09:01:41.901772022 CET	49922	7707	192.168.2.6	192.169.69.26
Dec 17, 2024 09:01:41.902579069 CET	49957	7707	192.168.2.6	192.169.69.26
Dec 17, 2024 09:01:42.021562099 CET	7707	49922	192.169.69.26	192.168.2.6
Dec 17, 2024 09:01:42.022317886 CET	7707	49957	192.169.69.26	192.168.2.6
Dec 17, 2024 09:01:42.022402048 CET	49957	7707	192.168.2.6	192.169.69.26
Dec 17, 2024 09:01:42.022723913 CET	49957	7707	192.168.2.6	192.169.69.26
Dec 17, 2024 09:01:42.143194914 CET	7707	49957	192.169.69.26	192.168.2.6
Dec 17, 2024 09:01:52.307344913 CET	7707	49957	192.169.69.26	192.168.2.6
Dec 17, 2024 09:01:52.307419062 CET	49957	7707	192.168.2.6	192.169.69.26
Dec 17, 2024 09:01:57.308834076 CET	49957	7707	192.168.2.6	192.169.69.26
Dec 17, 2024 09:01:57.310311079 CET	49992	8808	192.168.2.6	192.169.69.26
Dec 17, 2024 09:01:57.429959059 CET	7707	49957	192.169.69.26	192.168.2.6
Dec 17, 2024 09:01:57.432171106 CET	8808	49992	192.169.69.26	192.168.2.6
Dec 17, 2024 09:01:57.432265997 CET	49992	8808	192.168.2.6	192.169.69.26
Dec 17, 2024 09:01:57.432652950 CET	49992	8808	192.168.2.6	192.169.69.26
Dec 17, 2024 09:01:57.552392960 CET	8808	49992	192.169.69.26	192.168.2.6
Dec 17, 2024 09:02:07.736605883 CET	8808	49992	192.169.69.26	192.168.2.6
Dec 17, 2024 09:02:07.736691952 CET	49992	8808	192.168.2.6	192.169.69.26

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 09:00:08.037445068 CET	65121	53	192.168.2.6	1.1.1.1
Dec 17, 2024 09:00:08.687719107 CET	53	65121	1.1.1.1	192.168.2.6
Dec 17, 2024 09:01:10.637183905 CET	64581	53	192.168.2.6	1.1.1.1
Dec 17, 2024 09:01:10.967494965 CET	53	64581	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 17, 2024 09:00:08.037445068 CET	192.168.2.6	1.1.1.1	0x84c3	Standard query (0)	oshaduck123.duckdns.org	A (IP address)	IN (0x0001)	false
Dec 17, 2024 09:01:10.637183905 CET	192.168.2.6	1.1.1.1	0xbce5	Standard query (0)	oshaduck123.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 17, 2024 09:00:08.687719107 CET	1.1.1.1	192.168.2.6	0x84c3	No error (0)	oshaduck123.duckdns.org		192.169.69.26	A (IP address)	IN (0x0001)	false
Dec 17, 2024 09:01:10.967494965 CET	1.1.1.1	192.168.2.6	0xbce5	No error (0)	oshaduck123.duckdns.org		192.169.69.26	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	02:59:57
Start date:	17/12/2024
Path:	C:\Users\user\Desktop\RFQ_#24429725,pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RFQ_#24429725,pdf.exe"
Imagebase:	0xcc0000
File size:	1'093'120 bytes
MD5 hash:	98C8AD44F3883561B9EC33744763F556
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.2178726682.0000000001870000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.2178726682.0000000001870000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000000.00000002.2178726682.0000000001870000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.2178726682.0000000001870000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:00:01
Start date:	17/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RFQ_#24429725,pdf.exe"
Imagebase:	0xfd0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000002.00000002.3406481757.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000002.00000002.3406481757.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	0.9%
Signature Coverage:	3%
Total number of Nodes:	1986
Total number of Limit Nodes:	71

Executed Functions

Function 00CC42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00CC430D

Part of subcall function 00CC6B57: _wcslen.LIBCMT ref: 00CC6B6A

GetCurrentProcess.KERNEL32(?,00D5CB64,00000000,?,?), ref: 00CC4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00CC4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00CC4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00CC4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00CC4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00CC447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00CC44A0

Strings

|O, xrefs: 00D036F8
kernel32.dll, xrefs: 00CC444F
GetNativeSystemInfo, xrefs: 00CC4460

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 856a0f4dc61c294412ac6d55a1546622fe5086d912b6998f6c6cd048ef94e511
Instruction ID: ccf6f4b304b620ecd77eb27ac9fbe8f342ce89cc21d49e0b81143b93ca240ed2
Opcode Fuzzy Hash: 856a0f4dc61c294412ac6d55a1546622fe5086d912b6998f6c6cd048ef94e511
Instruction Fuzzy Hash: DDA1D56D91A3C2DFCB1ADB79BC417A53FF86B26300B18999FD845D3B61D2214608DB31

Function 00CC42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00CC50AA,?,?,00000000,00000000), ref: 00CC42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00CC50AA,?,?,00000000,00000000), ref: 00CC42C9
LoadResource.KERNEL32(?,00000000,?,?,00CC50AA,?,?,00000000,00000000,?,?,?,?,?,?,00CC4F20), ref: 00D035BE
SizeofResource.KERNEL32(?,00000000,?,?,00CC50AA,?,?,00000000,00000000,?,?,?,?,?,?,00CC4F20), ref: 00D035D3
LockResource.KERNEL32(00CC50AA,?,?,00CC50AA,?,?,00000000,00000000,?,?,?,?,?,?,00CC4F20,?), ref: 00D035E6

Strings

SCRIPT, xrefs: 00CC42BF

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: cb43b423f0346572c2fbd9b4bb8ec4730b4c75cb9e043adbc598d41092b7a5f1
Instruction ID: 32133e24374035ee1a363d97c9454aaaa12af92e7e92daa1635ac35cfb65271f
Opcode Fuzzy Hash: cb43b423f0346572c2fbd9b4bb8ec4730b4c75cb9e043adbc598d41092b7a5f1
Instruction Fuzzy Hash: 38117C70200700BFDB258B65DC49F277BB9EBC5B52F2481ADF816DA2A0DB71D800D630

Function 00D02BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00CC2B6B

Part of subcall function 00CC3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00D91418,?,00CC2E7F,?,?,?,00000000), ref: 00CC3A78

Part of subcall function 00CC9CB3: _wcslen.LIBCMT ref: 00CC9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00D82224), ref: 00D02C10
ShellExecuteW.SHELL32(00000000,?,?,00D82224), ref: 00D02C17

Strings

runas, xrefs: 00D02C0B

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 2679481a2f8b2805a3cd6cf01048d133d409781064d0abd8a1035011d2a8af5c
Instruction ID: 2380782417508870fc36a673799cf19d7b957da20466f80d98bcc2184d05097b
Opcode Fuzzy Hash: 2679481a2f8b2805a3cd6cf01048d133d409781064d0abd8a1035011d2a8af5c
Instruction Fuzzy Hash: 9411B4316083866EC714FF60E855F7EB7A49B95300F48542DF092521A2CF308A4AA722

Function 00D2DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00D05222), ref: 00D2DBCE
GetFileAttributesW.KERNELBASE(?), ref: 00D2DBDD
FindFirstFileW.KERNELBASE(?,?), ref: 00D2DBEE
FindClose.KERNEL32(00000000), ref: 00D2DBFA

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 6aeb9cdb804d169566f996ec8ac534eb1774e3686dd4e9685d8aae149595bb5c
Instruction ID: 441317bdbb4c7ef64b8c04a979eadf2df0a91e50aa17c65d669cfcb2ec94862d
Opcode Fuzzy Hash: 6aeb9cdb804d169566f996ec8ac534eb1774e3686dd4e9685d8aae149595bb5c
Instruction Fuzzy Hash: 5BF0A030820B205B82206B78AC0D8AA377D9E1533BB144702F876D22E0EBB09954D6BA

Function 00CCD730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00CCD807
timeGetTime.WINMM ref: 00CCDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CCDB28
TranslateMessage.USER32(?), ref: 00CCDB7B
DispatchMessageW.USER32(?), ref: 00CCDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CCDB9F
Sleep.KERNEL32(0000000A), ref: 00CCDBB1

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 043aa1339086ba65aa40a21abd25d6f9096fc42a1f78d69fd7b3bb147998495d
Instruction ID: bae02f79fbbde5a8674417b1dc521030f6658c083b7beb5ac751ed3e72dd743f
Opcode Fuzzy Hash: 043aa1339086ba65aa40a21abd25d6f9096fc42a1f78d69fd7b3bb147998495d
Instruction Fuzzy Hash: 7342F130608341AFD728CF24D894FBAB7E1BF45300F18452EE5A687391DB71E994DBA2

Function 00CC2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00CC2D07
RegisterClassExW.USER32(00000030), ref: 00CC2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00CC2D42
InitCommonControlsEx.COMCTL32(?), ref: 00CC2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00CC2D6F
LoadIconW.USER32(000000A9), ref: 00CC2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00CC2D94

Strings

TaskbarCreated, xrefs: 00CC2D37
AutoIt v3 GUI, xrefs: 00CC2D23
0, xrefs: 00CC2CE9
+, xrefs: 00CC2CF0

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: c6628ebd3bf14e2ad82a9dcea7862a05f8362a72b28fac761eed7be09956c3a5
Instruction ID: 45dc236b256e5df77d26f8bff3941e178040ba912a187cac296951e1a6c58721
Opcode Fuzzy Hash: c6628ebd3bf14e2ad82a9dcea7862a05f8362a72b28fac761eed7be09956c3a5
Instruction Fuzzy Hash: 6421B2B9911319AFDB00DFA4EC49B9DBBB4FB08702F10511AE921E63A0D7B15544CFA1

Function 00D0065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D0039A: CreateFileW.KERNELBASE(00000000,00000000,?,00D00704,?,?,00000000,?,00D00704,00000000,0000000C), ref: 00D003B7

GetLastError.KERNEL32 ref: 00D0076F
__dosmaperr.LIBCMT ref: 00D00776
GetFileType.KERNELBASE(00000000), ref: 00D00782
GetLastError.KERNEL32 ref: 00D0078C
__dosmaperr.LIBCMT ref: 00D00795
CloseHandle.KERNEL32(00000000), ref: 00D007B5
CloseHandle.KERNEL32(?), ref: 00D008FF
GetLastError.KERNEL32 ref: 00D00931
__dosmaperr.LIBCMT ref: 00D00938

Strings

H, xrefs: 00D008BD

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 514a5b645c3f43d94cef7fc84f9f5e6daae7e8810cf795ed12425f9524dc0459
Instruction ID: 91dac639d3bb91bba26a4190edae10151acf63c8b25168c7818ea26f587e2db5
Opcode Fuzzy Hash: 514a5b645c3f43d94cef7fc84f9f5e6daae7e8810cf795ed12425f9524dc0459
Instruction Fuzzy Hash: FDA12632A002489FDF19AF68E851BAD3FA0EB46320F18415DF919DB3D1D7359913DBA1

Function 00CC344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CC3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00D91418,?,00CC2E7F,?,?,?,00000000), ref: 00CC3A78

Part of subcall function 00CC3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00CC3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00CC356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00D0318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00D031CE
RegCloseKey.ADVAPI32(?), ref: 00D03210
_wcslen.LIBCMT ref: 00D03277
_wcslen.LIBCMT ref: 00D03286

Strings

Include, xrefs: 00D03184, 00D031C5
\, xrefs: 00D0328C
\Include\, xrefs: 00CC3527
Software\AutoIt v3\AutoIt, xrefs: 00CC3560

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 05a342dd832c7bf32dfdda1ae3e2bac596ec98388b78989f6ce0d69576e8cdc5
Instruction ID: ea65e241482c1e0063084350beb95d8f44e83d2e711d16eff332e88895ba6a3d
Opcode Fuzzy Hash: 05a342dd832c7bf32dfdda1ae3e2bac596ec98388b78989f6ce0d69576e8cdc5
Instruction Fuzzy Hash: AE716C71505301AEC714EF65EC86AABBBE8FF89740F40452EF545D32A1EB309A48DB72

Function 00CC2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00CC2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00CC2B9D
LoadIconW.USER32(00000063), ref: 00CC2BB3
LoadIconW.USER32(000000A4), ref: 00CC2BC5
LoadIconW.USER32(000000A2), ref: 00CC2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00CC2BEF
RegisterClassExW.USER32(?), ref: 00CC2C40

Part of subcall function 00CC2CD4: GetSysColorBrush.USER32(0000000F), ref: 00CC2D07
Part of subcall function 00CC2CD4: RegisterClassExW.USER32(00000030), ref: 00CC2D31
Part of subcall function 00CC2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00CC2D42
Part of subcall function 00CC2CD4: InitCommonControlsEx.COMCTL32(?), ref: 00CC2D5F
Part of subcall function 00CC2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00CC2D6F
Part of subcall function 00CC2CD4: LoadIconW.USER32(000000A9), ref: 00CC2D85
Part of subcall function 00CC2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00CC2D94

Strings

0, xrefs: 00CC2C0F
AutoIt v3, xrefs: 00CC2C2F
#, xrefs: 00CC2C16

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 0f5310d4d0966830fbdc1cc3d50604b4803129ea86f4741bdd1692b9eb8c6d56
Instruction ID: 4522c2e657921fc823a6aa7a1f561689b2b1e7c72aeb7990b580532555955af9
Opcode Fuzzy Hash: 0f5310d4d0966830fbdc1cc3d50604b4803129ea86f4741bdd1692b9eb8c6d56
Instruction Fuzzy Hash: 2E210778E10319AFDB109FE5EC55AA97FB4FB48B51F14411BE904E67A0D7B11540CFA0

Function 00CC3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00CC316A,?,?), ref: 00CC31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00CC316A,?,?), ref: 00CC3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00CC3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00CC316A,?,?), ref: 00CC3232
CreatePopupMenu.USER32 ref: 00CC3246
PostQuitMessage.USER32(00000000), ref: 00CC3267

Strings

TaskbarCreated, xrefs: 00CC322D

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: c6e808e3b200bb994f04f134df198d7c2717009fcbbfac747b1397d863706afe
Instruction ID: f6611b9ab02dcca8c2e6d2512055b4d77e22a301560950acfce45de398d0625e
Opcode Fuzzy Hash: c6e808e3b200bb994f04f134df198d7c2717009fcbbfac747b1397d863706afe
Instruction Fuzzy Hash: 0141D539254385AEDF151B78ED0DFBD3A29E705340F08811EF916C57D2C7619F40AAB1

Function 00CF8D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f850ee265daf9da1ada1dea60204594707ee0ccbe4b1b3450a51c2fc27af88b
Instruction ID: ce5f3fd5eb20a2179e18ec31503c7a790c48fba94a58b40b5e229bce01fad571
Opcode Fuzzy Hash: 9f850ee265daf9da1ada1dea60204594707ee0ccbe4b1b3450a51c2fc27af88b
Instruction Fuzzy Hash: 7CC1E17590434DAFDF51DFA9D841BBDBBB0EF09310F044099EA25A7392CB358A41CB62

Function 01B2ADC8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01B2AE99
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01B2B0BF

Memory Dump Source

Source File: 00000000.00000002.2179141183.0000000001B28000.00000040.00000020.00020000.00000000.sdmp, Offset: 01B28000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b28000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction ID: 97b835fa2a08fe4ab38fdc92d52d64db81d93d8020aa4a81d2672791213182e2
Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction Fuzzy Hash: 56A14A70E00219EBDB18DFA4C984BEEBBB5FF48704F208599E215BB281C7795A85CF50

Function 00CC2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00CC2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00CC2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00CC1CAD,?), ref: 00CC2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00CC1CAD,?), ref: 00CC2CCF

Strings

edit, xrefs: 00CC2CAC
AutoIt v3, xrefs: 00CC2C89, 00CC2C8E, 00CC2C8F

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 8e3f2506111a8a1c1810634fb5cc7da038b32598650948c3f57255953577fd9e
Instruction ID: 8c016f5f2dd93dacdc8603aea8bb7d165dd1ab677a9fb15d6bc636edfe5a4f00
Opcode Fuzzy Hash: 8e3f2506111a8a1c1810634fb5cc7da038b32598650948c3f57255953577fd9e
Instruction Fuzzy Hash: 68F0D4796503917EEB311B67AC08EB72EBDD7CAF61B00109AFD04E27A0C6711854DEB0

Function 01B2AB88 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 148
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01B2AA78: Sleep.KERNELBASE(000001F4), ref: 01B2AA89

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01B2ACB7

Strings

Y1FAZLMSLUNG2UWLATK8SGOS, xrefs: 01B2AD1A, 01B2AD1D

Memory Dump Source

Source File: 00000000.00000002.2179141183.0000000001B28000.00000040.00000020.00020000.00000000.sdmp, Offset: 01B28000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b28000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: CreateFileSleep
String ID: Y1FAZLMSLUNG2UWLATK8SGOS
API String ID: 2694422964-2667126457
Opcode ID: 97902ca47130778bc1acc45e1b38db7539cb5ab6fe61ae9bc44ad5a7df63d7af
Instruction ID: 2892669d01550140b87baffeee5b10f646a979dee46c604e9db3a325cdf405f5
Opcode Fuzzy Hash: 97902ca47130778bc1acc45e1b38db7539cb5ab6fe61ae9bc44ad5a7df63d7af
Instruction Fuzzy Hash: 14519F70D04299DBEF15DBB8C854BEEBBB5AF15305F004199E608BB2C1D7B90B48CBA5

Function 00D32947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D32C05
DeleteFileW.KERNEL32(?), ref: 00D32C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00D32C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D32CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D32CC0

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 49d9f7e47555783493ecf9781f693c5348fa63b5e075a633fd4b586bde12b1b4
Instruction ID: 94730052a1255ee78bf6083b2ccd109487474169c233dcb3b6eee4956177c9c8
Opcode Fuzzy Hash: 49d9f7e47555783493ecf9781f693c5348fa63b5e075a633fd4b586bde12b1b4
Instruction Fuzzy Hash: A6B15E72D01219ABDF21DFA4CC85EEEB77DEF48350F1040AAF609E6145EA31AA449F71

Function 00CC3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00CC3B0F,SwapMouseButtons,00000004,?), ref: 00CC3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00CC3B0F,SwapMouseButtons,00000004,?), ref: 00CC3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00CC3B0F,SwapMouseButtons,00000004,?), ref: 00CC3B83

Strings

Control Panel\Mouse, xrefs: 00CC3B3E

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: a4c4a41d9101432baa3912e3f81ba0fd588140d606e10fbcc3397d2558921576
Instruction ID: 5eb561386eb9e9f2c18906a0a7e9103f4f5e27432684aeb713d29a0f352755d2
Opcode Fuzzy Hash: a4c4a41d9101432baa3912e3f81ba0fd588140d606e10fbcc3397d2558921576
Instruction Fuzzy Hash: 911118B5520348FFDB208FA9EC54EAEB7B8EF04755B108459E805D7210D2319F409B60

Function 01B29A78 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01B2A2A5
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01B2A2C9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01B2A2EB

Memory Dump Source

Source File: 00000000.00000002.2179141183.0000000001B28000.00000040.00000020.00020000.00000000.sdmp, Offset: 01B28000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b28000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: e3f14b9100784c2d13b4d96e4da997e342e741b63af52aad6d222721779d43e7
Instruction ID: cdb0c2c55f9aca39a06def78d4bd995402905ab0704e5a7423b7dda7a9abc212
Opcode Fuzzy Hash: e3f14b9100784c2d13b4d96e4da997e342e741b63af52aad6d222721779d43e7
Instruction Fuzzy Hash: 6D620A30A142189BEB24DFA4C850BDEB772FF58300F1091A9D10DEB794E77A9E85CB59

Function 00CCDFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00D132B7

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 14460e04f31680868eeaa3ff7700b8b3efe7c4a766f4e2fde3882831d8bc5b4b
Instruction ID: 902df1ad552365f77068dd52ad84928322773c6d66b3cd6294dc9df1bfdd0961
Opcode Fuzzy Hash: 14460e04f31680868eeaa3ff7700b8b3efe7c4a766f4e2fde3882831d8bc5b4b
Instruction Fuzzy Hash: 58C27C71A00204DFCB14CF59D880FADB7B1BF0A310F288159E956AB3A1D775EE41DBA1

Function 00CCEC40 Relevance: 5.7, APIs: 3, Instructions: 1195COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00CCFE66

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 9d91cf5d8abd42baa4c471b9412fe1e400e399e15cbe8320267a8a04457b29a9
Instruction ID: 244b7215790ab93d852da357957086772f5734bbd7bdd014466696e25ca8ba2a
Opcode Fuzzy Hash: 9d91cf5d8abd42baa4c471b9412fe1e400e399e15cbe8320267a8a04457b29a9
Instruction Fuzzy Hash: CEB27D74608340DFCB14CF19D490B2AB7E2BF89314F24486EE9968B351D771ED86DBA2

Function 00CDFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00CE0668

Part of subcall function 00CE32A4: RaiseException.KERNEL32(?,?,?,00CE068A,?,00D91444,?,?,?,?,?,?,00CE068A,00CC1129,00D88738,00CC1129), ref: 00CE3304

__CxxThrowException@8.LIBVCRUNTIME ref: 00CE0685

Strings

Unknown exception, xrefs: 00CE0692

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 06b1646b2d7e87db8f93f0c6988ffd1ff2a9a2c466b7481bb505b38e8793b93c
Instruction ID: f82e784f1f9c97ecb35a5e0626d4ee0fd705eaacedc5e69685f61889d28a6558
Opcode Fuzzy Hash: 06b1646b2d7e87db8f93f0c6988ffd1ff2a9a2c466b7481bb505b38e8793b93c
Instruction Fuzzy Hash: FFF0C83490038D77CB00BA66D846D5E777D6E00350BB04536BD24D6592EFB1EB5AE6D0

Function 00D33017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00D3302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00D33044

Strings

aut, xrefs: 00D33038

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: e77b82fd85aaf7e47e34da3bca4c74742f5d671d46b4105ff33824d5548395e4
Instruction ID: 07ad890ab4a991a2a28f8a0fbe6f2ad3598282f38051e317e8528c4865809e14
Opcode Fuzzy Hash: e77b82fd85aaf7e47e34da3bca4c74742f5d671d46b4105ff33824d5548395e4
Instruction Fuzzy Hash: C4D05E725003286BDA20A7A5AC4EFCB3A6CDB05761F0002A1BA55E2191EAB0D984CBE4

Function 00D47F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00D482F5
TerminateProcess.KERNEL32(00000000), ref: 00D482FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 00D484DD

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: aaa6941ed337d7dfeb0355c97dd4e663d718f5d66732cc5ba3414220a3596f84
Instruction ID: e938ab91c0ed79919823cf4a3cd44669c9c998faaa46591240aff9bc7c5eed65
Opcode Fuzzy Hash: aaa6941ed337d7dfeb0355c97dd4e663d718f5d66732cc5ba3414220a3596f84
Instruction Fuzzy Hash: E0126A71A083419FC714DF28C484B2ABBE1FF89354F18895DE8898B352DB71E945DFA2

Function 00CF5AA9 Relevance: 4.7, APIs: 3, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7eed739cf2d67397ffb58349d220f195379e7f1137fff52c413990469f3ae0c
Instruction ID: 60dd7c3dc55eae237bdfa0cbc2f5c835df26d0adf532233cb7a924e17f426d12
Opcode Fuzzy Hash: a7eed739cf2d67397ffb58349d220f195379e7f1137fff52c413990469f3ae0c
Instruction Fuzzy Hash: 1751A075D00A0D9FCB559FA5C845FFE7FB8AF09310F14005AF716A7291D7319A029B62

Function 00CC10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00CC1BF4
Part of subcall function 00CC1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00CC1BFC
Part of subcall function 00CC1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00CC1C07
Part of subcall function 00CC1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00CC1C12
Part of subcall function 00CC1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00CC1C1A
Part of subcall function 00CC1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00CC1C22

Part of subcall function 00CC1B4A: RegisterWindowMessageW.USER32(00000004,?,00CC12C4), ref: 00CC1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00CC136A
OleInitialize.OLE32 ref: 00CC1388
CloseHandle.KERNEL32(00000000,00000000), ref: 00D024AB

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: a0bd5664021806d4facadaa02e74a74045a40f406d3e45860c96c7ce6e357be5
Instruction ID: 51086dd7a10b8bcecea7d72cbeb1c40f4407bcef0110e61359fbafe67e51bbdf
Opcode Fuzzy Hash: a0bd5664021806d4facadaa02e74a74045a40f406d3e45860c96c7ce6e357be5
Instruction Fuzzy Hash: 7B71A8BC9113079FCB84EF6AE945A593AF0BB8934575A822FD81AC7361EB308445DF70

Function 00D2C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00CC3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00D2C259
KillTimer.USER32(?,00000001,?,?), ref: 00D2C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00D2C270

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 24f0bedc923bad60cb87339214456acea6519107591f9bc37b0bf43c259cd7b0
Instruction ID: bfa5bb90ef45fc0d47d9cdc1860b8a90443a48e41da0da98dade948ebfe158f3
Opcode Fuzzy Hash: 24f0bedc923bad60cb87339214456acea6519107591f9bc37b0bf43c259cd7b0
Instruction Fuzzy Hash: 3A31E370910364AFEB22CF649845BEBBBEC9F1630CF04109ED5DA93241C7745E84CB65

Function 00CF86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00CF85CC,?,00D88CC8,0000000C), ref: 00CF8704
GetLastError.KERNEL32(?,00CF85CC,?,00D88CC8,0000000C), ref: 00CF870E
__dosmaperr.LIBCMT ref: 00CF8739

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: ac9b76cb6004dc2802df94afe74320de4d2703ced805b0ef5d66840fbe73117c
Instruction ID: 87d3732feb1429b2d32efa4fc659420506b4f8cdab59c9906183751c4c893d88
Opcode Fuzzy Hash: ac9b76cb6004dc2802df94afe74320de4d2703ced805b0ef5d66840fbe73117c
Instruction Fuzzy Hash: 0B014233605B6C1AD6E47334784977E67854B82779F35011AFB24CB1E2DE70CD899153

Function 00CCDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00CCDB7B
DispatchMessageW.USER32(?), ref: 00CCDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CCDB9F
Sleep.KERNEL32(0000000A), ref: 00CCDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00D11CC9

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 6d013ea8e49f331127c55eb159d6931f781900f2478539e6e127ef130c5cfb0f
Instruction ID: 88279a9853bc1f4a3e12b0592df1e784be97b0d54cb3495a03a36067a5e33813
Opcode Fuzzy Hash: 6d013ea8e49f331127c55eb159d6931f781900f2478539e6e127ef130c5cfb0f
Instruction Fuzzy Hash: 74F08230654341ABEB30CBA0DC99FEA73ADEB88311F504629E61AC31C0EB309488DB75

Function 00D32FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00D32CD4,?,?,?,00000004,00000001), ref: 00D32FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00D32CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00D33006
CloseHandle.KERNEL32(00000000,?,00D32CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00D3300D

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: fc7e304713d5d6d59244d8fb76a9789b6fd0e00946efb2002cb4c8a643a910fd
Instruction ID: 3302aa7155fefc04ca40605316b933a675a3282f6f25edbef5f0f576edc986da
Opcode Fuzzy Hash: fc7e304713d5d6d59244d8fb76a9789b6fd0e00946efb2002cb4c8a643a910fd
Instruction Fuzzy Hash: D3E086366907147BE2301765BC0DF8B3A1CD786B72F104210FB29B91D046A0150182B8

Function 00CD1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00CD17F6

Strings

CALL, xrefs: 00CD17C6

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 479e26e524e0b9d67b230042051beac092e8744c232569e55058c110b168afec
Instruction ID: 9909ee5ac0a97b49a8cb9a9f8d3d4403568f41463ecf02841f76dcc01dd4b235
Opcode Fuzzy Hash: 479e26e524e0b9d67b230042051beac092e8744c232569e55058c110b168afec
Instruction Fuzzy Hash: F1229C70608301AFC714DF15D480A6ABBF1FF85314F18895EFA968B3A1DB31E985DB92

Function 00D36EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D36F6B

Part of subcall function 00CC4ECB: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00D91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CC4EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00D36F5A, 00D36F63

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: b83c5973d8f00957e2e02691e4d7f52eb2b6a756279fc13c735f37cf955b5e8a
Instruction ID: 4797c96aaf6452ed5196679796a0d147ccaca618bf7492932e1e9970cad90f88
Opcode Fuzzy Hash: b83c5973d8f00957e2e02691e4d7f52eb2b6a756279fc13c735f37cf955b5e8a
Instruction Fuzzy Hash: 05B1A1715086019FCB14EF20C491E6EB7E5EF94304F04896DF496972A2EF30ED49DBA2

Function 00CC2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00D02C8C

Part of subcall function 00CC3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CC3A97,?,?,00CC2E7F,?,?,?,00000000), ref: 00CC3AC2

Part of subcall function 00CC2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00CC2DC4

Strings

X, xrefs: 00D02C5A

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 329a5f7db5a9e8fdcd649253bf9bf30b40066e4ed3055c59128dbd6d3596813a
Instruction ID: eec51728749f053b9e631cc5ca7c6c4dd0215e8e6bba521149b9c1936b43eb73
Opcode Fuzzy Hash: 329a5f7db5a9e8fdcd649253bf9bf30b40066e4ed3055c59128dbd6d3596813a
Instruction Fuzzy Hash: A2218471A102989BDB01EF94C845BEE7BB89F48315F00805DE505B7381DBB499899F71

Function 00D32557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00D32587

Strings

EA06, xrefs: 00D325B9

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 7500a412712bc54ca55e6cf4789985d8b7e1bf91794fbc95aa4e1bb5126d566e
Instruction ID: f7abe458d1975c76783cc3ee5d82e5015d39590df76f9e00a9eee95c4012f855
Opcode Fuzzy Hash: 7500a412712bc54ca55e6cf4789985d8b7e1bf91794fbc95aa4e1bb5126d566e
Instruction Fuzzy Hash: 2401B172D042587EDF28C7A9CC56EFEBBF89B05311F00459AE192D21C1E5B8E7089B60

Function 01B29A75 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01B2A2A5
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01B2A2C9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01B2A2EB

Memory Dump Source

Source File: 00000000.00000002.2179141183.0000000001B28000.00000040.00000020.00020000.00000000.sdmp, Offset: 01B28000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b28000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction ID: 047dc298d7c9dbd2069f456e601effbf619d7fc7472bce8fc168233f85411116
Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction Fuzzy Hash: 5212DE24E14668C6EB24DF64D8507DEB232EF68300F1090E9D10DEB7A5E77A4E85CF5A

Function 00CDFC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00CDFD1F

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 71d23cbbae0faf39571d11c4fbeec775ae76e63b291256ae24b2c8ad0999ff5f
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: EA310674A00109DBC728CF59D480969F7A2FF89304B2486AAE91ACF755D731EED2CBC0

Function 00CC4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00CC4EDD,?,00D91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CC4E9C
Part of subcall function 00CC4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00CC4EAE
Part of subcall function 00CC4E90: FreeLibrary.KERNEL32(00000000,?,?,00CC4EDD,?,00D91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CC4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00D91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CC4EFD

Part of subcall function 00CC4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00D03CDE,?,00D91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CC4E62
Part of subcall function 00CC4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00CC4E74
Part of subcall function 00CC4E59: FreeLibrary.KERNEL32(00000000,?,?,00D03CDE,?,00D91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CC4E87

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 701d351b6889f3b0ef4a7cb9ecd94ac425ec2e3d3e26c4577ec7e0f6f4532bc9
Instruction ID: 36a9460d5e60eaaad6c5c4e32a5a56265ae0aff6119d5dc60325e070ce5ed4cf
Opcode Fuzzy Hash: 701d351b6889f3b0ef4a7cb9ecd94ac425ec2e3d3e26c4577ec7e0f6f4532bc9
Instruction Fuzzy Hash: 12110632610305AADF18FFA4DC22FAD77A5AF50711F10C42DF542E61D1EEB1AE45A760

Function 00CF8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00CF8440

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 69dfcbb036a87467f6b691184b6ccdf7162382ef7d61c403142640334e5af6a9
Instruction ID: 8944cd0cef3e9df50c815da74ff5e33e827bf41a7fc94f359c6461c3c51ef5a2
Opcode Fuzzy Hash: 69dfcbb036a87467f6b691184b6ccdf7162382ef7d61c403142640334e5af6a9
Instruction Fuzzy Hash: A511487190420AAFCB05DF58E941AAE7BF4EF48304F144059F908AB312DB30DA15CBA5

Function 00CEE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 762744d7b99e1d66bea3baad5b42d20cb14b72bea2d4cfe092ae3c8b4afd6e77
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 28F0F432511A5CD7CA313A6B9C05BAA339C9F523B4F100715F621931D2DF70D906A6A6

Function 00CF3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00D91444,?,00CDFDF5,?,?,00CCA976,00000010,00D91440,00CC13FC,?,00CC13C6,?,00CC1129), ref: 00CF3852

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9c17a3e0464ff67f956872b854681dd815ce1f1322ebd4dddb02b69e212495e7
Instruction ID: ebfb406fba762e0789a5b4585e1073961189c4df520e9beafadebe703384c59a
Opcode Fuzzy Hash: 9c17a3e0464ff67f956872b854681dd815ce1f1322ebd4dddb02b69e212495e7
Instruction Fuzzy Hash: 07E0E5312003EDB6D7A126779D00BBA3758AB427F0F150023BE24966C0DB19DF0191F2

Function 00CC4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00D91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CC4F6D

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: b053c3ecd7a35d37d7c522267c745953454083a6a944f65ce50dd264e420bf43
Instruction ID: 7c0975990942e66aaf41b43361239a0406a3f9fe89c2a8c0ab0661cfab961acd
Opcode Fuzzy Hash: b053c3ecd7a35d37d7c522267c745953454083a6a944f65ce50dd264e420bf43
Instruction Fuzzy Hash: 21F03971105752CFDB389FA5D4A0E22BBE4AF14329320C97EE5EA82621CB319844EF10

Function 00CC2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00CC2DC4

Part of subcall function 00CC6B57: _wcslen.LIBCMT ref: 00CC6B6A

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 8fa9debec97ed060e4f78a460b2fa6f3f159907a5c5153c976925a4db3240f03
Instruction ID: 1f19a48c6ac5725a45621209d62c4588ce35a7a61f9118fea5e23e5841ba9648
Opcode Fuzzy Hash: 8fa9debec97ed060e4f78a460b2fa6f3f159907a5c5153c976925a4db3240f03
Instruction Fuzzy Hash: C8E0C276A043245BCB20E298DC06FEA77EDDFC8791F0400B5FD0DE7248DA60AD8086A0

Function 00D32693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00D326B5

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: a3bc1dd8437c84d4787188f8eda8820db5a9ef6756053de652cdf7e8e2242cd5
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: D6E04FB0609B005FDF396A28A8627B677E89F49300F04086EF69B82252E57268458A5D

Function 00CC2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00CC3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00CC3908

Part of subcall function 00CCD730: GetInputState.USER32 ref: 00CCD807

SetCurrentDirectoryW.KERNEL32(?), ref: 00CC2B6B

Part of subcall function 00CC30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00CC314E

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: e05287bc157e04d0bb680d30715a57be339bf31abf128350117d136558db618c
Instruction ID: e6120812f02d7ac3ccdb8948abc6a1ca81b3dfbd182137e888b4fe9b5e79741e
Opcode Fuzzy Hash: e05287bc157e04d0bb680d30715a57be339bf31abf128350117d136558db618c
Instruction Fuzzy Hash: C1E0862230438907CB04BB74E856F7DB7599BD5351F40553EF143872A2CE248A465361

Function 00D0039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00D00704,?,?,00000000,?,00D00704,00000000,0000000C), ref: 00D003B7

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8527837710f5286377998e630964423cbbd01e3d591296867f181fddf7259a1e
Instruction ID: 2591ce60beaa8e33bd459c248c3c744931c34250b73d2aae90a7bde125a725e7
Opcode Fuzzy Hash: 8527837710f5286377998e630964423cbbd01e3d591296867f181fddf7259a1e
Instruction Fuzzy Hash: 71D06C3205020DBFDF028F84DD06EDA3BAAFB48714F014000BE1896120C732E821AB90

Function 00CC1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00CC1CBC

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: f95d20eb8a90199bf29d912bdf5490300266957ea06c5a499d043a1d5e0bea4a
Instruction ID: 837feb311e988aeb71c29fcbeea5fdc4947a85752cf9af327b4f6ecf87bc9048
Opcode Fuzzy Hash: f95d20eb8a90199bf29d912bdf5490300266957ea06c5a499d043a1d5e0bea4a
Instruction Fuzzy Hash: DBC0923A280305AFF2148BD0BC4AF207774A348B01F448002FA0DE9BE3D3B22820EA70

Function 01B2AA78 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01B2AA89

Memory Dump Source

Source File: 00000000.00000002.2179141183.0000000001B28000.00000040.00000020.00020000.00000000.sdmp, Offset: 01B28000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b28000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: f1e98e8b892c9577c9987230c739abd075a6da1e5d9d1849da42c9dfac54b30b
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: C8E0E67494010DDFDB00DFB4D6496DD7BF4EF04301F1001A1FD05D2281D7319D508A62

Non-executed Functions

Function 00D59576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CD9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00D5961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D5965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00D5969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D596C9
SendMessageW.USER32 ref: 00D596F2
GetKeyState.USER32(00000011), ref: 00D5978B
GetKeyState.USER32(00000009), ref: 00D59798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D597AE
GetKeyState.USER32(00000010), ref: 00D597B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D597E9
SendMessageW.USER32 ref: 00D59810
SendMessageW.USER32(?,00001030,?,00D57E95), ref: 00D59918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00D5992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00D59941
SetCapture.USER32(?), ref: 00D5994A
ClientToScreen.USER32(?,?), ref: 00D599AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00D599BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00D599D6
ReleaseCapture.USER32 ref: 00D599E1
GetCursorPos.USER32(?), ref: 00D59A19
ScreenToClient.USER32(?,?), ref: 00D59A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00D59A80
SendMessageW.USER32 ref: 00D59AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00D59AEB
SendMessageW.USER32 ref: 00D59B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00D59B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00D59B4A
GetCursorPos.USER32(?), ref: 00D59B68
ScreenToClient.USER32(?,?), ref: 00D59B75
GetParent.USER32(?), ref: 00D59B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00D59BFA
SendMessageW.USER32 ref: 00D59C2B
ClientToScreen.USER32(?,?), ref: 00D59C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00D59CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00D59CDE
SendMessageW.USER32 ref: 00D59D01
ClientToScreen.USER32(?,?), ref: 00D59D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00D59D82

Part of subcall function 00CD9944: GetWindowLongW.USER32(?,000000EB), ref: 00CD9952

GetWindowLongW.USER32(?,000000F0), ref: 00D59E05

Strings

@GUI_DRAGID, xrefs: 00D5997D
F, xrefs: 00D59D07

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: fffc36340b8d698e3901aa5cbe44ae77c34be4a32949c20dccbbe8b8dc695f33
Instruction ID: b66dce7807100b184c1029d2a58a29eed2b764b37607ceb43ca5b281656164b1
Opcode Fuzzy Hash: fffc36340b8d698e3901aa5cbe44ae77c34be4a32949c20dccbbe8b8dc695f33
Instruction Fuzzy Hash: 54426B34204301EFDB25CF24CD64AAABBE5EF49312F14061AFE99872A1D731E958DF61

Function 00D54873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00D548F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00D54908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00D54927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00D5494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00D5495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00D5497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00D549AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00D549D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00D54A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00D54A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00D54A7E
IsMenu.USER32(?), ref: 00D54A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D54AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D54B20
GetWindowLongW.USER32(?,000000F0), ref: 00D54B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00D54BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00D54C82
wsprintfW.USER32 ref: 00D54CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D54CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00D54CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00D54D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D54D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00D54D5A

Strings

%d/%02d/%02d, xrefs: 00D54CA8

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 9c9a5f0aa86704a8e7af6a5d5e85555676f90158dad26d09aaa8ad5865f7a489
Instruction ID: 752943c1af8653edeb79f1183d8f31274eab990f51e3874803f8a68d518bb00a
Opcode Fuzzy Hash: 9c9a5f0aa86704a8e7af6a5d5e85555676f90158dad26d09aaa8ad5865f7a489
Instruction Fuzzy Hash: 7012DE71600314ABEF248F28CC49FAE7BB8EF4531AF144119FD16DA2A1DB74DA85CB61

Function 00CDF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00CDF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D1F474
IsIconic.USER32(00000000), ref: 00D1F47D
ShowWindow.USER32(00000000,00000009), ref: 00D1F48A
SetForegroundWindow.USER32(00000000), ref: 00D1F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00D1F4AA
GetCurrentThreadId.KERNEL32 ref: 00D1F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00D1F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00D1F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00D1F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00D1F4DE
SetForegroundWindow.USER32(00000000), ref: 00D1F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D1F4F6
keybd_event.USER32(00000012,00000000), ref: 00D1F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D1F50B
keybd_event.USER32(00000012,00000000), ref: 00D1F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D1F519
keybd_event.USER32(00000012,00000000), ref: 00D1F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D1F528
keybd_event.USER32(00000012,00000000), ref: 00D1F52D
SetForegroundWindow.USER32(00000000), ref: 00D1F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00D1F557

Strings

Shell_TrayWnd, xrefs: 00D1F46F

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: f531f97ab368edc7e00e716d9caad2294da06ff0109f5109d513885ff760fd2e
Instruction ID: 1ab037338adf72685082ed3191c4834feb519e435198f1712fc0d6fbf19867fc
Opcode Fuzzy Hash: f531f97ab368edc7e00e716d9caad2294da06ff0109f5109d513885ff760fd2e
Instruction Fuzzy Hash: 1F31B471A50318BFFB206BB59C4AFBF7E6DEB44B51F141065FA00E62D1DAB09D40AA70

Function 00D21201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00D216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D2170D
Part of subcall function 00D216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D2173A
Part of subcall function 00D216C3: GetLastError.KERNEL32 ref: 00D2174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00D21286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00D212A8
CloseHandle.KERNEL32(?), ref: 00D212B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00D212D1
GetProcessWindowStation.USER32 ref: 00D212EA
SetProcessWindowStation.USER32(00000000), ref: 00D212F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00D21310

Part of subcall function 00D210BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00D211FC), ref: 00D210D4
Part of subcall function 00D210BF: CloseHandle.KERNEL32(?,?,00D211FC), ref: 00D210E9

Strings

winsta0, xrefs: 00D212CC
default, xrefs: 00D2130B
, xrefs: 00D2125A

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 45ac58b3d18a40ee69fab9c750c95746f561929239ea774a07365f5462dc74e1
Instruction ID: bd9804f18bb73931263cb54375e73296b48f51335898daade1de7f73bcbd4d7a
Opcode Fuzzy Hash: 45ac58b3d18a40ee69fab9c750c95746f561929239ea774a07365f5462dc74e1
Instruction Fuzzy Hash: 6E818E75900319AFDF109FA4EC49BEE7BB9EF24708F188119F915E62A0C7319A45CB70

Function 00D20B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D21114
Part of subcall function 00D210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00D20B9B,?,?,?), ref: 00D21120
Part of subcall function 00D210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00D20B9B,?,?,?), ref: 00D2112F
Part of subcall function 00D210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00D20B9B,?,?,?), ref: 00D21136
Part of subcall function 00D210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D2114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00D20BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00D20C00
GetLengthSid.ADVAPI32(?), ref: 00D20C17
GetAce.ADVAPI32(?,00000000,?), ref: 00D20C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00D20C6D
GetLengthSid.ADVAPI32(?), ref: 00D20C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00D20C8C
HeapAlloc.KERNEL32(00000000), ref: 00D20C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00D20CB4
CopySid.ADVAPI32(00000000), ref: 00D20CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00D20CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00D20D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00D20D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D20D45
HeapFree.KERNEL32(00000000), ref: 00D20D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D20D55
HeapFree.KERNEL32(00000000), ref: 00D20D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D20D65
HeapFree.KERNEL32(00000000), ref: 00D20D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00D20D78
HeapFree.KERNEL32(00000000), ref: 00D20D7F

Part of subcall function 00D21193: GetProcessHeap.KERNEL32(00000008,00D20BB1,?,00000000,?,00D20BB1,?), ref: 00D211A1
Part of subcall function 00D21193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00D20BB1,?), ref: 00D211A8
Part of subcall function 00D21193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00D20BB1,?), ref: 00D211B7

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 198411b215666028a78d37bd8c212a80e24ede1ab942740df5419e9f1df6a307
Instruction ID: f9f2046280b15dd0ccee4626ac288eab8a08b20d6a013c8cb63393f75e9264ad
Opcode Fuzzy Hash: 198411b215666028a78d37bd8c212a80e24ede1ab942740df5419e9f1df6a307
Instruction Fuzzy Hash: 78713676A0131AAFDF109FA4EC44BEEBBB8AF14315F084515E914E6292DB71AA05CB70

Function 00D3EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00D5CC08), ref: 00D3EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00D3EB37
GetClipboardData.USER32(0000000D), ref: 00D3EB43
CloseClipboard.USER32 ref: 00D3EB4F
GlobalLock.KERNEL32(00000000), ref: 00D3EB87
CloseClipboard.USER32 ref: 00D3EB91
GlobalUnlock.KERNEL32(00000000), ref: 00D3EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00D3EBC9
GetClipboardData.USER32(00000001), ref: 00D3EBD1
GlobalLock.KERNEL32(00000000), ref: 00D3EBE2
GlobalUnlock.KERNEL32(00000000), ref: 00D3EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00D3EC38
GetClipboardData.USER32(0000000F), ref: 00D3EC44
GlobalLock.KERNEL32(00000000), ref: 00D3EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00D3EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00D3EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00D3ECD2
GlobalUnlock.KERNEL32(00000000), ref: 00D3ECF3
CountClipboardFormats.USER32 ref: 00D3ED14
CloseClipboard.USER32 ref: 00D3ED59

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 4448654b0411e2bbef098919dd310ebd85aa72f84d7e0b72dd2fa59653d73993
Instruction ID: 321da82eadf67730d6579acd449661070d3d9f03a92f059b8da7d0b1c224d1b1
Opcode Fuzzy Hash: 4448654b0411e2bbef098919dd310ebd85aa72f84d7e0b72dd2fa59653d73993
Instruction Fuzzy Hash: F6618834204302AFD300EF24D899F6AB7A4AF84704F18555DF896D72E2DB71E906DBB2

Function 00D3698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00D369BE
FindClose.KERNEL32(00000000), ref: 00D36A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D36A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D36A75

Part of subcall function 00CC9CB3: _wcslen.LIBCMT ref: 00CC9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00D36AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00D36ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00D36B6A
%4d, xrefs: 00D36BB1
%02d, xrefs: 00D36C00, 00D36C0A, 00D36C5A, 00D36CAA, 00D36CFA, 00D36D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00D36B32
%03d, xrefs: 00D36DA2

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: ef3eca8139b6c8ac7082586f5ee6e8c1dd51f5c72844243b0a6a82f4f26979f3
Instruction ID: 7694a5233c8c0c030f10b07b5096633615775efa03a51690d6ffbe8416c7dbf6
Opcode Fuzzy Hash: ef3eca8139b6c8ac7082586f5ee6e8c1dd51f5c72844243b0a6a82f4f26979f3
Instruction Fuzzy Hash: 63D14072508300AFC714EBA4C985EABB7ECEF88704F04491DF589D7291EB74DA48DB62

Function 00D39642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00D39663
GetFileAttributesW.KERNEL32(?), ref: 00D396A1
SetFileAttributesW.KERNEL32(?,?), ref: 00D396BB
FindNextFileW.KERNEL32(00000000,?), ref: 00D396D3
FindClose.KERNEL32(00000000), ref: 00D396DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00D396FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00D3974A
SetCurrentDirectoryW.KERNEL32(00D86B7C), ref: 00D39768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D39772
FindClose.KERNEL32(00000000), ref: 00D3977F
FindClose.KERNEL32(00000000), ref: 00D3978F

Strings

*.*, xrefs: 00D396F5

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: b283dbdef6e592a69dabd1f88cadb758112fd351229875371607f3abe9d53f67
Instruction ID: 43ac276155b04a603a86a9e175a7ba16cc9bd4f1059c0c18c09f4ac876c0fabc
Opcode Fuzzy Hash: b283dbdef6e592a69dabd1f88cadb758112fd351229875371607f3abe9d53f67
Instruction Fuzzy Hash: 2231F37255131A6FDF14AFB4DC59AEEB7AC9F09322F144055F905E21E0DBB0DD448A34

Function 00D3979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00D397BE
FindNextFileW.KERNEL32(00000000,?), ref: 00D39819
FindClose.KERNEL32(00000000), ref: 00D39824
FindFirstFileW.KERNEL32(*.*,?), ref: 00D39840
SetCurrentDirectoryW.KERNEL32(?), ref: 00D39890
SetCurrentDirectoryW.KERNEL32(00D86B7C), ref: 00D398AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D398B8
FindClose.KERNEL32(00000000), ref: 00D398C5
FindClose.KERNEL32(00000000), ref: 00D398D5

Part of subcall function 00D2DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00D2DB00

Strings

*.*, xrefs: 00D3983B

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 384607fac87cebe7ff5e47700f09e52f8c1aa729b86f3acd550db3fe1891aeea
Instruction ID: 5df71c9aa3931aae72f6554713073fcb14d3ea0b3d308623ed8c832bcaf85dc9
Opcode Fuzzy Hash: 384607fac87cebe7ff5e47700f09e52f8c1aa729b86f3acd550db3fe1891aeea
Instruction Fuzzy Hash: AF31E37250031A6EDF10AFB4EC58ADEB7AC9F46325F144156E814E21A0DBB0DD49CB74

Function 00D38195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00D38257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00D38267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00D38273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00D38310
SetCurrentDirectoryW.KERNEL32(?), ref: 00D38324
SetCurrentDirectoryW.KERNEL32(?), ref: 00D38356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00D3838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00D38395

Strings

*.*, xrefs: 00D3839B

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: e07415c46e5e0a30d064c29b9769cd7eaea1b361f33739c4eddee9153463982b
Instruction ID: 4104a6130bb12f18636d7204f5fa9444a8b60c6277b71967610549d37a284f39
Opcode Fuzzy Hash: e07415c46e5e0a30d064c29b9769cd7eaea1b361f33739c4eddee9153463982b
Instruction Fuzzy Hash: EF6159B25043459FC710EF64C881AAEB3E8FF89314F04892EF989C7251DB35E945DBA2

Function 00D2D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CC3A97,?,?,00CC2E7F,?,?,?,00000000), ref: 00CC3AC2

Part of subcall function 00D2E199: GetFileAttributesW.KERNEL32(?,00D2CF95), ref: 00D2E19A

FindFirstFileW.KERNEL32(?,?), ref: 00D2D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00D2D1DD
MoveFileW.KERNEL32(?,?), ref: 00D2D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00D2D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D2D237

Part of subcall function 00D2D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00D2D21C,?,?), ref: 00D2D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00D2D253
FindClose.KERNEL32(00000000), ref: 00D2D264

Strings

\*.*, xrefs: 00D2D0CD, 00D2D0D6, 00D2D0EB

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 0a0b8d173acd999ac8bcee4fd73189f94a696b64f6f9f368dcf814382fd3f654
Instruction ID: b7d1172e44c411ba9872c010e8122185d9a233e80c3218f2fe00bd0b7b8f2e86
Opcode Fuzzy Hash: 0a0b8d173acd999ac8bcee4fd73189f94a696b64f6f9f368dcf814382fd3f654
Instruction Fuzzy Hash: F2615C3180125D9ECF05EBE0EA92EEDB776AF65304F244169E402771A1EB30AF09DB74

Function 00D3ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00D3ED91
EmptyClipboard.USER32 ref: 00D3ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00D3EDAC
CloseClipboard.USER32 ref: 00D3EEA3

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 9f919c76cc02b27c248ffceb18cb0f63c1a444d79ba22f292ce3c4d56a7b956e
Instruction ID: 4a725feb92590617f1c6eb4d3ce9320fb0c913127d8ba736604c4e5e5de405cf
Opcode Fuzzy Hash: 9f919c76cc02b27c248ffceb18cb0f63c1a444d79ba22f292ce3c4d56a7b956e
Instruction Fuzzy Hash: 35417C35204711AFD710DF15E888F1ABBA5EF44319F188099E8599B7A2C735ED42CBA0

Function 00D2E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00D216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D2170D
Part of subcall function 00D216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D2173A
Part of subcall function 00D216C3: GetLastError.KERNEL32 ref: 00D2174A

ExitWindowsEx.USER32(?,00000000), ref: 00D2E932

Strings

, xrefs: 00D2E95C
@, xrefs: 00D2E925
SeShutdownPrivilege, xrefs: 00D2E902
, xrefs: 00D2E920

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: ac9a6c870d760eb9883db15a277de7b8c0d2ba06542ad4c6310b8633aa0f726b
Instruction ID: 782e2c3093067aa57d7a5f83ca9affa9b5f36aebc17f07be6b7c7f5bafc85a82
Opcode Fuzzy Hash: ac9a6c870d760eb9883db15a277de7b8c0d2ba06542ad4c6310b8633aa0f726b
Instruction Fuzzy Hash: 1D01DB72620331AFEB5427B4BC85BBF735C9734759F194423FC02E21D1D5609C8489B4

Function 00D41204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00D41276
WSAGetLastError.WSOCK32 ref: 00D41283
bind.WSOCK32(00000000,?,00000010), ref: 00D412BA
WSAGetLastError.WSOCK32 ref: 00D412C5
closesocket.WSOCK32(00000000), ref: 00D412F4
listen.WSOCK32(00000000,00000005), ref: 00D41303
WSAGetLastError.WSOCK32 ref: 00D4130D
closesocket.WSOCK32(00000000), ref: 00D4133C

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 231db58d21692f1d958518f82dda10a255d705bf6825aedf4fcbfa9aaac98fb0
Instruction ID: 272b2bbae3d2e0c01eeb6102dd7ef76c428a3d779f646e7c725170050267049a
Opcode Fuzzy Hash: 231db58d21692f1d958518f82dda10a255d705bf6825aedf4fcbfa9aaac98fb0
Instruction Fuzzy Hash: 4E415D35A002509FD710DF68C4C9B2ABBE5AF46318F188198E856DF396C771ED85CBB1

Function 00CFB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00CFB9D4
_free.LIBCMT ref: 00CFB9F8
_free.LIBCMT ref: 00CFBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00D63700), ref: 00CFBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00D9121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00CFBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00D91270,000000FF,?,0000003F,00000000,?), ref: 00CFBC36
_free.LIBCMT ref: 00CFBD4B

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 026c5791235a9b3e7fe5a9565ac01c250333eea58b8c27d76594a76e772db353
Instruction ID: a585ee291dbb807624b59b78766989b6295a03f265ad4c747a9c3bc5a1fc0f7e
Opcode Fuzzy Hash: 026c5791235a9b3e7fe5a9565ac01c250333eea58b8c27d76594a76e772db353
Instruction Fuzzy Hash: 21C1277590420EAFCB60AF79DC41BBABBB8EF41310F14419AE6A4D7251EB309F41D762

Function 00D2D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CC3A97,?,?,00CC2E7F,?,?,?,00000000), ref: 00CC3AC2

Part of subcall function 00D2E199: GetFileAttributesW.KERNEL32(?,00D2CF95), ref: 00D2E19A

FindFirstFileW.KERNEL32(?,?), ref: 00D2D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00D2D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D2D481
FindClose.KERNEL32(00000000), ref: 00D2D498
FindClose.KERNEL32(00000000), ref: 00D2D4A1

Strings

\*.*, xrefs: 00D2D3F2

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: c7ca7dcaccb2c7fec37ca99d46f5c58f422e364a2d884b4ce8d83f88c4fc57e1
Instruction ID: 48315be5fe2be28b8d5738ed5a0f376685e0dcc8f0213cfd9236233962ad604a
Opcode Fuzzy Hash: c7ca7dcaccb2c7fec37ca99d46f5c58f422e364a2d884b4ce8d83f88c4fc57e1
Instruction Fuzzy Hash: 5B318F310183959FC200EF60E855DAF77A8AEA1309F444A1DF4D1931A1EB30EA099766

Function 00CFE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00CFE645

Strings

1#IND, xrefs: 00CFF83D
1#INF, xrefs: 00CFF852
1#SNAN, xrefs: 00CFF844
1#QNAN, xrefs: 00CFF84B

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 49db60e45a48cd101c72d8f04ac20d9d181e8f68965bd7cbf60177d2db8cd21f
Instruction ID: d19c54ef2b5a805b2b86aefa805ff22be2f551c781273dd6e82bc28e46e230c5
Opcode Fuzzy Hash: 49db60e45a48cd101c72d8f04ac20d9d181e8f68965bd7cbf60177d2db8cd21f
Instruction Fuzzy Hash: E9C23872E0862C8FDBA5CE289D407EAB7B5EF44304F1441EAD95DE7250E774AE828F41

Function 00D3648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D364DC
CoInitialize.OLE32(00000000), ref: 00D36639
CoCreateInstance.OLE32(00D5FCF8,00000000,00000001,00D5FB68,?), ref: 00D36650
CoUninitialize.OLE32 ref: 00D368D4

Strings

.lnk, xrefs: 00D364BA, 00D36524, 00D365E0

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 83b331c8199d38d34e29a6739246c35f6f0e5c64a6509e0d4b3b950e495ddcd8
Instruction ID: eacb90384f124a126fcb4a1490bfef92eaf12f1c767e35b7cc09cfc55075964c
Opcode Fuzzy Hash: 83b331c8199d38d34e29a6739246c35f6f0e5c64a6509e0d4b3b950e495ddcd8
Instruction Fuzzy Hash: 91D14A71508301AFC304EF24C881E6BB7E8FF99704F04896DF5958B2A1DB70E949CBA2

Function 00D422DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00D422E8

Part of subcall function 00D3E4EC: GetWindowRect.USER32(?,?), ref: 00D3E504

GetDesktopWindow.USER32 ref: 00D42312
GetWindowRect.USER32(00000000), ref: 00D42319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00D42355
GetCursorPos.USER32(?), ref: 00D42381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00D423DF

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 3d40b8f611714cca74ab04395638aeed40672144e8dc4c26ca9961bcfcbf9933
Instruction ID: 1da308603b6225ae7e05851a08461c663003cca29b866284cdf14e247166a813
Opcode Fuzzy Hash: 3d40b8f611714cca74ab04395638aeed40672144e8dc4c26ca9961bcfcbf9933
Instruction Fuzzy Hash: F131CD72504315AFCB20DF54D849A6BBBA9FF88314F44091DF985D7291DB34EA08CBA2

Function 00D39B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC9CB3: _wcslen.LIBCMT ref: 00CC9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00D39B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00D39C8B

Part of subcall function 00D33874: GetInputState.USER32 ref: 00D338CB
Part of subcall function 00D33874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D33966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00D39BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00D39C75

Strings

*.*, xrefs: 00D39B5D

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 092c74209d6c01fefd873a618b8f1bc26aedc25196d66c42ab2fdf43a9858e97
Instruction ID: e2e6a7df5250cee81f3b30073380752916eea3af43afbed4217d9a009a568ad4
Opcode Fuzzy Hash: 092c74209d6c01fefd873a618b8f1bc26aedc25196d66c42ab2fdf43a9858e97
Instruction Fuzzy Hash: 0241817190420AAFCF14DFA4D899BEEBBB8EF05311F284159E805A3191EB709E84DF70

Function 00CD997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00CD9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CD9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00CD9A4E
GetSysColor.USER32(0000000F), ref: 00CD9B23
SetBkColor.GDI32(?,00000000), ref: 00CD9B36

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: f45f7b239f7a6d25612b1e1e0566ac3087671b4b3fe91b216e96fe73f3778d66
Instruction ID: 4973555b8747a869dfb782c59da7904160521b658bb0fbc14cfeedaa36a53c8b
Opcode Fuzzy Hash: f45f7b239f7a6d25612b1e1e0566ac3087671b4b3fe91b216e96fe73f3778d66
Instruction Fuzzy Hash: 62A12A75208504BEEB24AA3D9C98EBB36ADDB46340F15020BFA16C67E1DE35DE41E271

Function 00D41806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D4304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00D4307A
Part of subcall function 00D4304E: _wcslen.LIBCMT ref: 00D4309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00D4185D
WSAGetLastError.WSOCK32 ref: 00D41884
bind.WSOCK32(00000000,?,00000010), ref: 00D418DB
WSAGetLastError.WSOCK32 ref: 00D418E6
closesocket.WSOCK32(00000000), ref: 00D41915

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 39fd5c3f049434e7ec81a0b3922fa8c7b5924b8d412c170c48d90b81ba826e87
Instruction ID: 8f7e7e7d821d12fec373c57cdff6d93911cf9ebee961a0baaeedec4cc21a9b82
Opcode Fuzzy Hash: 39fd5c3f049434e7ec81a0b3922fa8c7b5924b8d412c170c48d90b81ba826e87
Instruction Fuzzy Hash: F351B375A00210AFDB10AF24C886F2A7BE5EB44718F18805CF9569F3D3C771AD819BA1

Function 00D51C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00D51CC0
IsWindowEnabled.USER32 ref: 00D51CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00D51CDB
IsIconic.USER32 ref: 00D51CE9
IsZoomed.USER32 ref: 00D51CF7

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: b27580ca4dd28823106fa9180671fc0258761eb454206bb1bc164d715ad8f78d
Instruction ID: 9d029e9fe0aa750f61949128805237241fc441ca26d445077b5d33da54eb5264
Opcode Fuzzy Hash: b27580ca4dd28823106fa9180671fc0258761eb454206bb1bc164d715ad8f78d
Instruction Fuzzy Hash: 5B217E357403115FDB208F1AC884B6ABBA5AF95316B198058EC4ACB351DB72ED4ACBB0

Function 00CC8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00CC83E8
VUUU, xrefs: 00CC843C
VUUU, xrefs: 00CC83FA
VUUU, xrefs: 00D05DF0
ERCP, xrefs: 00CC813C

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 4e9538dee8af4826ce67c5120f8c4ee9f245897ec5debbe8ca7090a29636d1b3
Instruction ID: 4290cec70efcc381a3c4da80a36b8a646e74f5fa329131780ab76b98cbffc3eb
Opcode Fuzzy Hash: 4e9538dee8af4826ce67c5120f8c4ee9f245897ec5debbe8ca7090a29636d1b3
Instruction Fuzzy Hash: 76A27370D0061ACBDF24CF59C844BAEB7B1BF54310F28819AE859A7285EB74DE95CF60

Function 00D4A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00D4A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00D4A6BA

Part of subcall function 00CC9CB3: _wcslen.LIBCMT ref: 00CC9CBD

Process32NextW.KERNEL32(00000000,?), ref: 00D4A79C
CloseHandle.KERNEL32(00000000), ref: 00D4A7AB

Part of subcall function 00CDCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00D03303,?), ref: 00CDCE8A

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 42d350108533d76047566ef1f96964d632fa023f6338a9b75903f87fe45592ee
Instruction ID: 6bdb48492adbee3fd235d465a24a93a19a97374d80d17f167de3eaf01fc66303
Opcode Fuzzy Hash: 42d350108533d76047566ef1f96964d632fa023f6338a9b75903f87fe45592ee
Instruction Fuzzy Hash: BD512B71508701AFD710EF28C886E6BBBE8FF89754F44491DF589972A1EB30D904DBA2

Function 00D2AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00D2AAAC
SetKeyboardState.USER32(00000080), ref: 00D2AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00D2AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00D2AB88

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 75605ecef8e4c7a544c888fdc5b99ecaa807487704a8bc1538a2359287971c27
Instruction ID: 970ae38863710e438a62adb60c3a2b785281afd905c32b94bb54be7a7a520cfb
Opcode Fuzzy Hash: 75605ecef8e4c7a544c888fdc5b99ecaa807487704a8bc1538a2359287971c27
Instruction Fuzzy Hash: 94311A30A40328AFFB358A6CAC05BFA77A6EF64318F08421AF591961E0D3758985C772

Function 00D3CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00D3CE89
GetLastError.KERNEL32(?,00000000), ref: 00D3CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00D3CEFE

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 131fc257acb1a176448465515cb44762e912129586cf951b7f1fe3260e23c60d
Instruction ID: e3fb9926787554108fc3329acf05aba7f55a02299b39519aa55027179b6777df
Opcode Fuzzy Hash: 131fc257acb1a176448465515cb44762e912129586cf951b7f1fe3260e23c60d
Instruction Fuzzy Hash: 7D21A9B1510305AFEB209FA5C948BAAB7F8EF00358F14541AE946E2251E770EE048B64

Function 00D28298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00D282AA

Strings

(, xrefs: 00D282F0
|, xrefs: 00D282DA

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: b8a18342f8df93b5e56981468cf023834252bd2735a3e3d20ecb878d643e2add
Instruction ID: 2a4bbedc64a639e0f609478473cd19256354e5cf1eb35b8e78b0e714f4da00dd
Opcode Fuzzy Hash: b8a18342f8df93b5e56981468cf023834252bd2735a3e3d20ecb878d643e2add
Instruction Fuzzy Hash: A6324474A007159FCB28CF59D080A6AB7F0FF58724B15C46EE49ADB7A1EB70E941CB60

Function 00D35C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00D35CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00D35D17
FindClose.KERNEL32(?), ref: 00D35D5F

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 1bc87b70e6c7f77a4b513f7b6055ed419315a92cdd4ceed47ba5a30ff0531f31
Instruction ID: 1ace68bb5f75bd0a290e87d1fe5c9e45de7cc6a294cf804b8f50dc29fb3e2d95
Opcode Fuzzy Hash: 1bc87b70e6c7f77a4b513f7b6055ed419315a92cdd4ceed47ba5a30ff0531f31
Instruction Fuzzy Hash: B1518974604B019FC714DF28E494E9AB7E4FF49324F18855EE99A8B3A1CB30ED45CBA1

Function 00CF2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00CF271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00CF2724
UnhandledExceptionFilter.KERNEL32(?), ref: 00CF2731

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: abfef80730f9c43c8592c639457cddec1c291f1d0cb7ac51a73dc023e2ae88e9
Instruction ID: 23578ba2c2b651d9a8d816ee38ba798823f9dc195cbaf35afdd5af022f9e6af0
Opcode Fuzzy Hash: abfef80730f9c43c8592c639457cddec1c291f1d0cb7ac51a73dc023e2ae88e9
Instruction Fuzzy Hash: 2A31D37491131CABCB21DF69DC8879CBBB8AF08310F5041EAE81CA7260E7709F819F55

Function 00D351CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D351DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00D35238
SetErrorMode.KERNEL32(00000000), ref: 00D352A1

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 1c36abf4d914447c1be58ca406e90ed722e92a23a94c9d9e76acd22307b15f74
Instruction ID: 8908b348b59e7e8b9f72c3ca281f11d49b9fe346f274ddd3410325d314e6e8cc
Opcode Fuzzy Hash: 1c36abf4d914447c1be58ca406e90ed722e92a23a94c9d9e76acd22307b15f74
Instruction Fuzzy Hash: C7313075A10618DFDB00DF54D884FAEBBB5FF49314F088099E8059B356DB31E856CBA0

Function 00D216C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00CDFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00CE0668
Part of subcall function 00CDFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00CE0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D2170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D2173A
GetLastError.KERNEL32 ref: 00D2174A

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 765a2d3c79e73eeaff844fda5301a96f9dd0fc37ff8db18f87483a630447813d
Instruction ID: 5094fd5ce429d7d7c7fdca0d51abc3ccde159ed863d3ddff7efb0dec62b161f3
Opcode Fuzzy Hash: 765a2d3c79e73eeaff844fda5301a96f9dd0fc37ff8db18f87483a630447813d
Instruction Fuzzy Hash: EA1191B2414304AFD7189F54EC86D6BB7B9FB44765B24C52EE45697241EB70FC418A30

Function 00D2D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00D2D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00D2D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00D2D650

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 047f6b107a164fd28f73ec9c757a68d386e321adbe90607f517f046573d13966
Instruction ID: 9a63c2ac9ac27450797d3eee98b9403ddfca0c41149961bea3d5c0cecb649332
Opcode Fuzzy Hash: 047f6b107a164fd28f73ec9c757a68d386e321adbe90607f517f046573d13966
Instruction Fuzzy Hash: 75113C75E05328BFDB108F95AC45FAFBBBCEB45B51F108115F914E7290D6704A058BA1

Function 00D21663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00D2168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00D216A1
FreeSid.ADVAPI32(?), ref: 00D216B1

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 7a54f9576635ee5f4583b55591c0f58b2b2184b8e99e857638f44ade0513f29f
Instruction ID: 4545901ef7bc0200b4b726c26f27ea92db21820011415234f6ba9a0931477fd0
Opcode Fuzzy Hash: 7a54f9576635ee5f4583b55591c0f58b2b2184b8e99e857638f44ade0513f29f
Instruction Fuzzy Hash: 07F0F475950309FFDB00DFE49C89AAEBBBCEB08605F504565E901E2281E774AA448A60

Function 00CE4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00CF28E9,?,00CE4CBE,00CF28E9,00D888B8,0000000C,00CE4E15,00CF28E9,00000002,00000000,?,00CF28E9), ref: 00CE4D09
TerminateProcess.KERNEL32(00000000,?,00CE4CBE,00CF28E9,00D888B8,0000000C,00CE4E15,00CF28E9,00000002,00000000,?,00CF28E9), ref: 00CE4D10
ExitProcess.KERNEL32 ref: 00CE4D22

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 16852e8a5ff0b881e8dbf3e25dd75faf3cb439fe5d8e166b1886a3abe8d6029d
Instruction ID: 81d9e1e0e7aaa3ff4a5ff49c57e22c0db9569ad28c615d05c347df6a6a3189fa
Opcode Fuzzy Hash: 16852e8a5ff0b881e8dbf3e25dd75faf3cb439fe5d8e166b1886a3abe8d6029d
Instruction Fuzzy Hash: 05E0B672010788AFDF15AF55DD09A583F69FF81782B104054FD15CA223CB35DE42DA90

Function 00CFC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00CFC36C

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 77ad8245829557d1064e7819c657e8dbbd815b92e222e79aba5c604ba8ce169d
Instruction ID: 3f83163bb40bb15d54c394288f253a2ee3b613ea93c034ca9bfbdc218197d4ab
Opcode Fuzzy Hash: 77ad8245829557d1064e7819c657e8dbbd815b92e222e79aba5c604ba8ce169d
Instruction Fuzzy Hash: CA415B72A0021DAFCB249FB9CD88EFB7778EB84354F104269FA15C7190E6719E44CB51

Function 00D1D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00D1D28C

Strings

X64, xrefs: 00D1D2A8

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 0c9f77e9bb062aa97302db35884b09ea62ec8e592fd40cc2d777412b6aab2cbb
Instruction ID: 382d52c2a5e2b92b70057489ff9998ee4b482c37ea782f933dd8814496d5af02
Opcode Fuzzy Hash: 0c9f77e9bb062aa97302db35884b09ea62ec8e592fd40cc2d777412b6aab2cbb
Instruction Fuzzy Hash: F4D0C9B481121DFECF90CB90ECC8DD9B3BCBB04305F100152F506E2140DB7495488F20

Function 00CECAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 61e24c011ace7863fbc849fae79ac03da6ffef2ddee203c8c156d6f3f7ac637c
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: D7020D71E012599FDF14CFA9C8C06ADFBF1EF48314F254169D929E7384D731AA428B94

Function 00D368EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00D36918
FindClose.KERNEL32(00000000), ref: 00D36961

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: fd43c6bc1051ff82fcd4491d5bcd1273ce58995f6af199d486cdc77f538d2b10
Instruction ID: ac49f297c5eda8b57b910ecd7d56ed223898028c1a70c2419ae3e60dd04c98b9
Opcode Fuzzy Hash: fd43c6bc1051ff82fcd4491d5bcd1273ce58995f6af199d486cdc77f538d2b10
Instruction Fuzzy Hash: 03118E31614200AFC710DF69D484B16BBE5EF85329F18C6ADE8698F7A2C730EC45CBA1

Function 00D337B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00D44891,?,?,00000035,?), ref: 00D337E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00D44891,?,?,00000035,?), ref: 00D337F4

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 56fe6ae3fe2f2df6ddbc76ec5639745deb52f8adbf89fe7326f3eb6679249221
Instruction ID: 5ff35c73903857ef1abdb1976d79cf2b7fcd4a8cf5b4d4d8fd47930425d38f09
Opcode Fuzzy Hash: 56fe6ae3fe2f2df6ddbc76ec5639745deb52f8adbf89fe7326f3eb6679249221
Instruction Fuzzy Hash: B3F0E5B17043292AE72017668C4DFEB3AAEEFC5761F000165F509D2291D9609904C7B0

Function 00D2B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00D2B25D
keybd_event.USER32(?,7694C0D0,?,00000000), ref: 00D2B270

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: c76c1bcb8108248c9457dcd369646a72ddef9340b8c2a01b7c64ce5b97076327
Instruction ID: e3258981639cacfa8848532b025ad7e488c6c4309e6327e39a51f1c2feddd3e7
Opcode Fuzzy Hash: c76c1bcb8108248c9457dcd369646a72ddef9340b8c2a01b7c64ce5b97076327
Instruction Fuzzy Hash: B4F01D7181434DAFDB059FA0D805BAE7FB4FF08319F04900AF955A5192D379C611DFA4

Function 00D210BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00D211FC), ref: 00D210D4
CloseHandle.KERNEL32(?,?,00D211FC), ref: 00D210E9

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 668692cc6ae2cedf9b14f5f7683fb9edb8cc2e1683891eed6e70195213321482
Instruction ID: 806fcc9489e11ecba0211b8006a18be5b81b8302c185719e160df51efb9a3dc8
Opcode Fuzzy Hash: 668692cc6ae2cedf9b14f5f7683fb9edb8cc2e1683891eed6e70195213321482
Instruction Fuzzy Hash: 24E04F32014710AEF7252B51FC05E7377A9FB04311B14882EF9A6805B1DB626C90EB60

Function 00CCCAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00D10C40

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: fa96e5760e072b3f7e77f93087979b6f08d582c30bcd3abc104f2c2e6c9f3ac8
Instruction ID: f6f38183f609edeb524f378c29088fdfee6309282d9f67431852a9e2a4c49e19
Opcode Fuzzy Hash: fa96e5760e072b3f7e77f93087979b6f08d582c30bcd3abc104f2c2e6c9f3ac8
Instruction Fuzzy Hash: 1C327E70900218EBCF14EF94D985FEDBBB5BF05304F14405DE81AAB292DB75AE86DB60

Function 00CF676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00CF6766,?,?,00000008,?,?,00CFFEFE,00000000), ref: 00CF6998

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 7d8dd696d65ac0e5aca64d02ff3cecb6ea4c7a01f815c97e4a73e1ffe73b9819
Instruction ID: d9ca4f116d04f5217d7570f8ef82ca5029749e22f34b07cd968681dec3f8e1d1
Opcode Fuzzy Hash: 7d8dd696d65ac0e5aca64d02ff3cecb6ea4c7a01f815c97e4a73e1ffe73b9819
Instruction Fuzzy Hash: 38B14B316106089FD759CF28C48AB657BE0FF45364F25865CE9AACF2E2C335EA91CB41

Function 00CDB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00D1851F

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 545b3a62e866f39b06c33da2fe1c45fd911e9ff2bfc777200f08aeaf646ac12b
Instruction ID: f6dc4e54c3b2f0bda1027606650374816828a99cbd3579ea40bf926467714485
Opcode Fuzzy Hash: 545b3a62e866f39b06c33da2fe1c45fd911e9ff2bfc777200f08aeaf646ac12b
Instruction Fuzzy Hash: 02125E71900229DBDB14CF59D880AEEB7B5FF48710F15819AE949EB351EB309E81DFA0

Function 00D3EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00D3EABD

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: d6af4fbd3225efa5e1082c9d632d00039199e58bfb2278b193d7e73e9e1d5e48
Instruction ID: 4a605cb3baee2e50f31294b383ad3fe6cdcecacd04b46bfee5a642ea73ed9c06
Opcode Fuzzy Hash: d6af4fbd3225efa5e1082c9d632d00039199e58bfb2278b193d7e73e9e1d5e48
Instruction Fuzzy Hash: A0E04F312103059FC710EF99D845E9AF7E9AF98760F00841AFC49C73A1DBB0EC418BA0

Function 00CE09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00CE03EE), ref: 00CE09DA

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a66d6bb39c2510fa4816d72fbeaa83600e4966bde54a9de2e3acecae6b392fcb
Instruction ID: 3fa51fe07e11cb03f60395116bc4200f4fe8b8def04d6e41eb95eefaf1faf44f
Opcode Fuzzy Hash: a66d6bb39c2510fa4816d72fbeaa83600e4966bde54a9de2e3acecae6b392fcb
Instruction Fuzzy Hash:

Function 00CE781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00CE798B

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 449a69e1ea7aeaaeb694e0da865e8a0631f69e5fdfeb55554f50d4e80152f290
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 2E51897160C7C55BDF38866B895E7BE27899F22340F180719E8A6EB2C3C619DF05E352

Function 00CF6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b030900edd92be6001a737094c6e7204679a4e91993539dc9c27ff0ef723543
Instruction ID: 81913bfb2a6229d4d2af6070b812540d560b59bb47045838f7e347452b80aa78
Opcode Fuzzy Hash: 5b030900edd92be6001a737094c6e7204679a4e91993539dc9c27ff0ef723543
Instruction Fuzzy Hash: 98325432D28F054DD7639634CC22335A649AFB73C4F14C737F82AB5AAAEB69C5834111

Function 00CDCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83551833aaf08e48e946aa17a47c77fafc297b7e825e06b9494c1db90c667433
Instruction ID: 2e4600696552c47e766ede02f055271758eb2b453f5cdea9c1a164b96e00a2a0
Opcode Fuzzy Hash: 83551833aaf08e48e946aa17a47c77fafc297b7e825e06b9494c1db90c667433
Instruction Fuzzy Hash: D8322731AA4116ABCF24CB28E5D06FD77A1EF85300F28A567D699C7391DA30DDC1DB60

Function 00CC7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9593f89289a341d1b24dffc1c1656f45070c433318780bee058d94988ddd4a95
Instruction ID: 010180fdb89b08bd84fa111b71c911ef6b061276a92bb369959de813c5f3b05c
Opcode Fuzzy Hash: 9593f89289a341d1b24dffc1c1656f45070c433318780bee058d94988ddd4a95
Instruction Fuzzy Hash: 5522AF70A0060A9FDF14CFA5D881BAEB7F5FF44300F244629E816A7295EB369E51DF60

Function 00CC91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c93cd72f9f57b808e1fba1645e4d46f8ce353e9d3e8fdade630cd1d67b9d5ef
Instruction ID: e1a9eb0b46e954809eb784545ce39ccf7591d572947a3bad38bff1c6a613c1e4
Opcode Fuzzy Hash: 8c93cd72f9f57b808e1fba1645e4d46f8ce353e9d3e8fdade630cd1d67b9d5ef
Instruction Fuzzy Hash: 4B02B6B0E00205EBDB04DF54D881BAEB7B1FF44300F148569E85ADB391EB31EA51DBA5

Function 00CF9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d69a79ab3ceef5e75fec519d2829cce92f5b3e14be2a20853bf69d6e4426ab0
Instruction ID: 26e4b9050e0ae64e88c1bf6868d0328167f1126a164cd2db449942d05379f68b
Opcode Fuzzy Hash: 9d69a79ab3ceef5e75fec519d2829cce92f5b3e14be2a20853bf69d6e4426ab0
Instruction Fuzzy Hash: 61B1F320D2AF414DD32396398831336B65CAFBB6D5F91D71BFC1AB4E62EB2186834151

Function 00CE7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 562ae18d87041847eebda7302b89bb5e1afdb8462bec27161d32c2ac724a9715
Instruction ID: d8a01341996c1c65e5b720f8b4df18625d3cc1fb96ac6702106e04f112308474
Opcode Fuzzy Hash: 562ae18d87041847eebda7302b89bb5e1afdb8462bec27161d32c2ac724a9715
Instruction Fuzzy Hash: 5F6157716087C997DE349A2B8D95BBE3398DF41700F201B2EE863DB281DA119F46A356

Function 00CE7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a633ef4e5596c1dd7e20979354b5e3563c4a764b85d4f1b9436abfb3038d21fd
Instruction ID: 7748c9ce76161d3de06fa9da3f56f3c9be8c90f56e137e209b9265a156e14b53
Opcode Fuzzy Hash: a633ef4e5596c1dd7e20979354b5e3563c4a764b85d4f1b9436abfb3038d21fd
Instruction Fuzzy Hash: 06619D7160C7C96BDE388A2B4C96BBF3389EF42740F100B59E953DB281EA12DF469355

Function 01B2BDE8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179141183.0000000001B28000.00000040.00000020.00020000.00000000.sdmp, Offset: 01B28000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b28000_RFQ_#24429725,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: d5c6eda1f329eb014ae7bf3c470391c188d059fbedc996c150402b2791fffa11
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: AD41C171D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB80

Function 00D32046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a829466a962a97b9468ce5a3bfa974e4a892393faff5ee025b0a5f733be632e
Instruction ID: c1515f0501239a88848e59289fbc2961640872c9c9d49813e5d31ac3a1501121
Opcode Fuzzy Hash: 3a829466a962a97b9468ce5a3bfa974e4a892393faff5ee025b0a5f733be632e
Instruction Fuzzy Hash: B12193326216118BDB28CE79C82267E73E5AB54310F19862EE4A7C77D0DE35A904CBA0

Function 01B2BC78 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179141183.0000000001B28000.00000040.00000020.00020000.00000000.sdmp, Offset: 01B28000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b28000_RFQ_#24429725,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 5d5be421a72e20e0a10a91700b7e1c873f08eddbc9fabd5d2c0418b5c55f091a
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 45014278A01119EFCB58DF98C6909AEF7B5FB48310F2085D9D819A7745DB30AE41DB80

Function 01B2BCD8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179141183.0000000001B28000.00000040.00000020.00020000.00000000.sdmp, Offset: 01B28000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b28000_RFQ_#24429725,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 01aaaf74ed2cabb3c4a2022ecb53b15af947b6464b4512b5dcb8760f4675b541
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 93019278A11109EFCB48DF98C6909AEF7B5FB48310F2086D9D809A7305D730AE41DF81

Function 01B2A648 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2179141183.0000000001B28000.00000040.00000020.00020000.00000000.sdmp, Offset: 01B28000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1b28000_RFQ_#24429725,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00D42ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00D42B30
DeleteObject.GDI32(00000000), ref: 00D42B43
DestroyWindow.USER32 ref: 00D42B52
GetDesktopWindow.USER32 ref: 00D42B6D
GetWindowRect.USER32(00000000), ref: 00D42B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00D42CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00D42CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D42CF8
GetClientRect.USER32(00000000,?), ref: 00D42D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00D42D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D42D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D42D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D42D80
GlobalLock.KERNEL32(00000000), ref: 00D42D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D42D98
GlobalUnlock.KERNEL32(00000000), ref: 00D42DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D42DA8
GlobalFree.KERNEL32(00000000), ref: 00D42DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D42DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00D5FC38,00000000), ref: 00D42DDB
GlobalFree.KERNEL32(00000000), ref: 00D42DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00D42E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00D42E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D42E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D4303F

Strings

, xrefs: 00D42FC5
static, xrefs: 00D42D3A, 00D42E91
DISPLAY, xrefs: 00D42EA2
AutoIt v3, xrefs: 00D42CF2

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: d7d727d5422a6663b82fa71c237cd6b07a7f5b1d6ab45df33e1fbf467de81ae2
Instruction ID: 75559b7021474b24280985ae9ee50c69bfc1b2eb0ea3bdb2ec6bceddf208e45f
Opcode Fuzzy Hash: d7d727d5422a6663b82fa71c237cd6b07a7f5b1d6ab45df33e1fbf467de81ae2
Instruction Fuzzy Hash: A5024775910309AFDB14DFA8CC89EAE7BB9EB48711F048158F915EB2A1DB70ED01CB60

Function 00D570D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00D5712F
GetSysColorBrush.USER32(0000000F), ref: 00D57160
GetSysColor.USER32(0000000F), ref: 00D5716C
SetBkColor.GDI32(?,000000FF), ref: 00D57186
SelectObject.GDI32(?,?), ref: 00D57195
InflateRect.USER32(?,000000FF,000000FF), ref: 00D571C0
GetSysColor.USER32(00000010), ref: 00D571C8
CreateSolidBrush.GDI32(00000000), ref: 00D571CF
FrameRect.USER32(?,?,00000000), ref: 00D571DE
DeleteObject.GDI32(00000000), ref: 00D571E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00D57230
FillRect.USER32(?,?,?), ref: 00D57262
GetWindowLongW.USER32(?,000000F0), ref: 00D57284

Part of subcall function 00D573E8: GetSysColor.USER32(00000012), ref: 00D57421
Part of subcall function 00D573E8: SetTextColor.GDI32(?,?), ref: 00D57425
Part of subcall function 00D573E8: GetSysColorBrush.USER32(0000000F), ref: 00D5743B
Part of subcall function 00D573E8: GetSysColor.USER32(0000000F), ref: 00D57446
Part of subcall function 00D573E8: GetSysColor.USER32(00000011), ref: 00D57463
Part of subcall function 00D573E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00D57471
Part of subcall function 00D573E8: SelectObject.GDI32(?,00000000), ref: 00D57482
Part of subcall function 00D573E8: SetBkColor.GDI32(?,00000000), ref: 00D5748B
Part of subcall function 00D573E8: SelectObject.GDI32(?,?), ref: 00D57498
Part of subcall function 00D573E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00D574B7
Part of subcall function 00D573E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00D574CE
Part of subcall function 00D573E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00D574DB

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 668b056f5bb7fa281dd4ba1251d79b5d41d440d1e7acdcc0ea6915d1834c6843
Instruction ID: 38f08ec8dedc33c73bdde9c574f19c4561f305938d50ebac95e64bccc299c5b7
Opcode Fuzzy Hash: 668b056f5bb7fa281dd4ba1251d79b5d41d440d1e7acdcc0ea6915d1834c6843
Instruction Fuzzy Hash: EDA1A072018701BFDB009F64DC48E5BBBA9FB49322F241A19FDA2D62E1D771E944CB61

Function 00D42711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00D4273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00D4286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00D428A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00D428B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00D42900
GetClientRect.USER32(00000000,?), ref: 00D4290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00D42955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00D42964
GetStockObject.GDI32(00000011), ref: 00D42974
SelectObject.GDI32(00000000,00000000), ref: 00D42978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00D42988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D42991
DeleteDC.GDI32(00000000), ref: 00D4299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00D429C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00D429DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00D42A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00D42A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00D42A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00D42A77
GetStockObject.GDI32(00000011), ref: 00D42A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00D42A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00D42A97

Strings

static, xrefs: 00D4294F, 00D42A71
DISPLAY, xrefs: 00D4295A
AutoIt v3, xrefs: 00D428F8
msctls_progress32, xrefs: 00D42A13

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 2db6bfc9400c0a5d210c1caaa31fd85390dd531884d7b937375293861bb4778d
Instruction ID: 83a01382d46cb446d4c20674f7296fadadf38510c7b21dfa6dc11f5219e2528e
Opcode Fuzzy Hash: 2db6bfc9400c0a5d210c1caaa31fd85390dd531884d7b937375293861bb4778d
Instruction Fuzzy Hash: DCB12A75A10315AFEB14DFA8CC8AFAE7BB9EB08711F004219F915E7290D770AD40CBA0

Function 00D34ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D34AED
GetDriveTypeW.KERNEL32(?,00D5CB68,?,\\.\,00D5CC08), ref: 00D34BCA
SetErrorMode.KERNEL32(00000000,00D5CB68,?,\\.\,00D5CC08), ref: 00D34D36

Strings

SATA, xrefs: 00D34CD0
RAMDisk, xrefs: 00D34BF4
FileBackedVirtual, xrefs: 00D34CEC
Virtual, xrefs: 00D34CE5
1394, xrefs: 00D34C9F
MMC, xrefs: 00D34CDE
Unknown, xrefs: 00D34BED, 00D34C83
ATA, xrefs: 00D34C98
PhysicalDrive, xrefs: 00D34B76
\\.\, xrefs: 00D34B3F
CDROM, xrefs: 00D34BFB
SSD, xrefs: 00D34C4A
SCSI, xrefs: 00D34C8A
Removable, xrefs: 00D34C10, 00D34C15
Fibre, xrefs: 00D34CAD
iSCSI, xrefs: 00D34CC2
RAID, xrefs: 00D34CBB
USB, xrefs: 00D34CB4
SSA, xrefs: 00D34CA6
Network, xrefs: 00D34C02
Fixed, xrefs: 00D34C09
SAS, xrefs: 00D34CC9
ATAPI, xrefs: 00D34C91

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: f465aaa9afcec8e40de59b244c7d902d987d95d5cdba1e24e65db10caff1d829
Instruction ID: 92647127fb7b108818906c8fe0d4b80bf1aca7f7788d616927bbbb2353dfe846
Opcode Fuzzy Hash: f465aaa9afcec8e40de59b244c7d902d987d95d5cdba1e24e65db10caff1d829
Instruction Fuzzy Hash: 1061BF316052059FCB04EF24CA82E6DB7A1EF04754F289019F846AB392DB39FD45EB71

Function 00D573E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00D57421
SetTextColor.GDI32(?,?), ref: 00D57425
GetSysColorBrush.USER32(0000000F), ref: 00D5743B
GetSysColor.USER32(0000000F), ref: 00D57446
CreateSolidBrush.GDI32(?), ref: 00D5744B
GetSysColor.USER32(00000011), ref: 00D57463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00D57471
SelectObject.GDI32(?,00000000), ref: 00D57482
SetBkColor.GDI32(?,00000000), ref: 00D5748B
SelectObject.GDI32(?,?), ref: 00D57498
InflateRect.USER32(?,000000FF,000000FF), ref: 00D574B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00D574CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00D574DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D5752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00D57554
InflateRect.USER32(?,000000FD,000000FD), ref: 00D57572
DrawFocusRect.USER32(?,?), ref: 00D5757D
GetSysColor.USER32(00000011), ref: 00D5758E
SetTextColor.GDI32(?,00000000), ref: 00D57596
DrawTextW.USER32(?,00D570F5,000000FF,?,00000000), ref: 00D575A8
SelectObject.GDI32(?,?), ref: 00D575BF
DeleteObject.GDI32(?), ref: 00D575CA
SelectObject.GDI32(?,?), ref: 00D575D0
DeleteObject.GDI32(?), ref: 00D575D5
SetTextColor.GDI32(?,?), ref: 00D575DB
SetBkColor.GDI32(?,?), ref: 00D575E5

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 9da2e0f7f34e41d229fc1131afdb9adbab70fe066e1948e067f11fc584df4095
Instruction ID: d19ac0b9976d7f6f01483fb52cc298dc135b3680da6ce2c6e15fcb73c3c95c2b
Opcode Fuzzy Hash: 9da2e0f7f34e41d229fc1131afdb9adbab70fe066e1948e067f11fc584df4095
Instruction Fuzzy Hash: E6614B72900318AFDF019FA4DC49EAEBFB9EB08322F255115FD15EB2A1D7749940CBA0

Function 00D50FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00D51128
GetDesktopWindow.USER32 ref: 00D5113D
GetWindowRect.USER32(00000000), ref: 00D51144
GetWindowLongW.USER32(?,000000F0), ref: 00D51199
DestroyWindow.USER32(?), ref: 00D511B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00D511ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D5120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00D5121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00D51232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00D51245
IsWindowVisible.USER32(00000000), ref: 00D512A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00D512BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00D512D0
GetWindowRect.USER32(00000000,?), ref: 00D512E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00D5130E
GetMonitorInfoW.USER32(00000000,?), ref: 00D51328
CopyRect.USER32(?,?), ref: 00D5133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00D513AA

Strings

tooltips_class32, xrefs: 00D511E6
(, xrefs: 00D5131B
0, xrefs: 00D510D3

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 7f6fed60e441fc62a79731e296a89ef08ce2adda49468aa0e7018388f2c83d5c
Instruction ID: 83daf9de8e303720d834027f3cffcbf0da2943edc43c6932bf07705c1c323fb4
Opcode Fuzzy Hash: 7f6fed60e441fc62a79731e296a89ef08ce2adda49468aa0e7018388f2c83d5c
Instruction Fuzzy Hash: 4DB16975604341AFDB10DF64C885F6ABBE4EF84351F04891CFD999B2A1DB71E848CBA1

Function 00D50241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00D502E5
_wcslen.LIBCMT ref: 00D5031F
_wcslen.LIBCMT ref: 00D50389
_wcslen.LIBCMT ref: 00D503F1
_wcslen.LIBCMT ref: 00D50475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00D504C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D50504

Part of subcall function 00CDF9F2: _wcslen.LIBCMT ref: 00CDF9FD

Part of subcall function 00D2223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D22258
Part of subcall function 00D2223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D2228A

Strings

SELECTINVERT, xrefs: 00D5057E
GETSELECTEDCOUNT, xrefs: 00D50470, 00D5048B
GETITEMCOUNT, xrefs: 00D50316, 00D50337
GETSUBITEMCOUNT, xrefs: 00D50384, 00D5039F
VIEWCHANGE, xrefs: 00D50675
FINDITEM, xrefs: 00D50627
SELECTALL, xrefs: 00D50515
SELECTCLEAR, xrefs: 00D5052D
DESELECT, xrefs: 00D5059C
ISSELECTED, xrefs: 00D504DD
GETTEXT, xrefs: 00D503EC, 00D50407
GETSELECTED, xrefs: 00D505E1
SELECT, xrefs: 00D50548

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 4755ee13d8608b89095644cc44c6962821e67f19b31cca1ba7b65d03d86a1ad8
Instruction ID: 193eac369d9d2f04a2bd507e4e847543effbf5569c610b05c6bb7ec00d72cf76
Opcode Fuzzy Hash: 4755ee13d8608b89095644cc44c6962821e67f19b31cca1ba7b65d03d86a1ad8
Instruction Fuzzy Hash: D4E18D312082019FCB14EF24C55192ABBE6BF98315F18495DFC969B3A1DB30ED49DBA1

Function 00CD8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00CD8968
GetSystemMetrics.USER32(00000007), ref: 00CD8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00CD899B
GetSystemMetrics.USER32(00000008), ref: 00CD89A3
GetSystemMetrics.USER32(00000004), ref: 00CD89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00CD89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00CD89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00CD8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00CD8A3C
GetClientRect.USER32(00000000,000000FF), ref: 00CD8A5A
GetStockObject.GDI32(00000011), ref: 00CD8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00CD8A81

Part of subcall function 00CD912D: GetCursorPos.USER32(?), ref: 00CD9141
Part of subcall function 00CD912D: ScreenToClient.USER32(00000000,?), ref: 00CD915E
Part of subcall function 00CD912D: GetAsyncKeyState.USER32(00000001), ref: 00CD9183
Part of subcall function 00CD912D: GetAsyncKeyState.USER32(00000002), ref: 00CD919D

SetTimer.USER32(00000000,00000000,00000028,00CD90FC), ref: 00CD8AA8

Strings

AutoIt v3 GUI, xrefs: 00CD8A20

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 37a1041e7c4688dd70c753d63295bfc953b4eebc99dd4961269df6d894360bad
Instruction ID: 1e601c549625ad09f1a5bc9126f9e2b1bd455065769ab1eaa1456a5b8e93262b
Opcode Fuzzy Hash: 37a1041e7c4688dd70c753d63295bfc953b4eebc99dd4961269df6d894360bad
Instruction Fuzzy Hash: 8CB15B75A0030AAFDB14DFA8DC85BAA3BB5FB48315F14421AFA15E7390DB30E941CB60

Function 00D20D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D21114
Part of subcall function 00D210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00D20B9B,?,?,?), ref: 00D21120
Part of subcall function 00D210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00D20B9B,?,?,?), ref: 00D2112F
Part of subcall function 00D210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00D20B9B,?,?,?), ref: 00D21136
Part of subcall function 00D210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D2114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00D20DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00D20E29
GetLengthSid.ADVAPI32(?), ref: 00D20E40
GetAce.ADVAPI32(?,00000000,?), ref: 00D20E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00D20E96
GetLengthSid.ADVAPI32(?), ref: 00D20EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00D20EB5
HeapAlloc.KERNEL32(00000000), ref: 00D20EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00D20EDD
CopySid.ADVAPI32(00000000), ref: 00D20EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00D20F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00D20F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00D20F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D20F6E
HeapFree.KERNEL32(00000000), ref: 00D20F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D20F7E
HeapFree.KERNEL32(00000000), ref: 00D20F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D20F8E
HeapFree.KERNEL32(00000000), ref: 00D20F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00D20FA1
HeapFree.KERNEL32(00000000), ref: 00D20FA8

Part of subcall function 00D21193: GetProcessHeap.KERNEL32(00000008,00D20BB1,?,00000000,?,00D20BB1,?), ref: 00D211A1
Part of subcall function 00D21193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00D20BB1,?), ref: 00D211A8
Part of subcall function 00D21193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00D20BB1,?), ref: 00D211B7

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: bc89decd7b900c36b68a0c229511f52774f953dc337e93e8d456c6a306df3875
Instruction ID: c771225d774c2383c06e9ef9ed058e1e95d1c8b490cbc2fbd7fbc4d0df4315a3
Opcode Fuzzy Hash: bc89decd7b900c36b68a0c229511f52774f953dc337e93e8d456c6a306df3875
Instruction Fuzzy Hash: 0E715A7290431AAFDF209FA4ED44FAEBBB8EF14315F084115F919E6292DB319905CB70

Function 00D4C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D4C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00D5CC08,00000000,?,00000000,?,?), ref: 00D4C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00D4C5A4
_wcslen.LIBCMT ref: 00D4C5F4
_wcslen.LIBCMT ref: 00D4C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00D4C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00D4C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00D4C84D
RegCloseKey.ADVAPI32(?), ref: 00D4C881
RegCloseKey.ADVAPI32(00000000), ref: 00D4C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00D4C960

Strings

REG_MULTI_SZ, xrefs: 00D4C6F5
REG_QWORD, xrefs: 00D4C8C3
REG_BINARY, xrefs: 00D4C913
REG_SZ, xrefs: 00D4C644
REG_EXPAND_SZ, xrefs: 00D4C5CD
REG_DWORD, xrefs: 00D4C804

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 76e31c2229ad95722daa11e9a297ff19e83e125aa7fce65e809004408d313999
Instruction ID: 9c42188329d38d64402db02347004cf4b7ca878dc191da4126e24cd70e959762
Opcode Fuzzy Hash: 76e31c2229ad95722daa11e9a297ff19e83e125aa7fce65e809004408d313999
Instruction Fuzzy Hash: 141247356142019FDB54DF14C881F2AB7E5EF88714F18899CF88A9B3A2DB31ED41DB91

Function 00D5091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00D509C6
_wcslen.LIBCMT ref: 00D50A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00D50A54
_wcslen.LIBCMT ref: 00D50A8A
_wcslen.LIBCMT ref: 00D50B06
_wcslen.LIBCMT ref: 00D50B81

Part of subcall function 00CDF9F2: _wcslen.LIBCMT ref: 00CDF9FD

Part of subcall function 00D22BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D22BFA

Strings

GETTOTALCOUNT, xrefs: 00D509F2, 00D50A17
EXPAND, xrefs: 00D50BF8
GETTEXT, xrefs: 00D50C97
GETITEMCOUNT, xrefs: 00D50C1E
UNCHECK, xrefs: 00D50D3E
GETSELECTED, xrefs: 00D50C4E
EXISTS, xrefs: 00D50B7C, 00D50B97
COLLAPSE, xrefs: 00D50B01, 00D50B1C
SELECT, xrefs: 00D50D11
CHECK, xrefs: 00D50A85, 00D50AA0
ISCHECKED, xrefs: 00D50CE1

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 69964c22a84be4a50a11e4024f01c6eb40f53484cda33e2b7e3bd66bdca94b1d
Instruction ID: 3da26e899354f178e23f28db1d8b2dacbffc37831b9be5dd3475cade9e75d54e
Opcode Fuzzy Hash: 69964c22a84be4a50a11e4024f01c6eb40f53484cda33e2b7e3bd66bdca94b1d
Instruction Fuzzy Hash: D5E18D316083019FCB14EF24C49092ABBE1FF98315B18895DFC969B762DB31ED49DBA1

Function 00D4C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D4B6AE,?,?), ref: 00D4C9B5
_wcslen.LIBCMT ref: 00D4C9F1
_wcslen.LIBCMT ref: 00D4CA68
_wcslen.LIBCMT ref: 00D4CA9E
_wcslen.LIBCMT ref: 00D4CAF9
_wcslen.LIBCMT ref: 00D4CB2F
_wcslen.LIBCMT ref: 00D4CB7F

Strings

HKLM, xrefs: 00D4CA98, 00D4CA9D
HKEY_USERS, xrefs: 00D4CBDF
HKCU, xrefs: 00D4CBCE
HKEY_CURRENT_USER, xrefs: 00D4CBBD
HKCC, xrefs: 00D4CBAC
HKU, xrefs: 00D4CBF0
HKEY_CURRENT_CONFIG, xrefs: 00D4CB79, 00D4CB7E
HKEY_LOCAL_MACHINE, xrefs: 00D4CA62, 00D4CA67
HKEY_CLASSES_ROOT, xrefs: 00D4CAF3, 00D4CAF8
HKCR, xrefs: 00D4CB29, 00D4CB2E

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 795fd935c9432375a3c1b4160cc9255ec43ca954f5f67b98b05557458ce31284
Instruction ID: bd11a308c3ff47965a4ab43d4ead06240068ae25c3e6af18b96d8ae286ae1d2a
Opcode Fuzzy Hash: 795fd935c9432375a3c1b4160cc9255ec43ca954f5f67b98b05557458ce31284
Instruction Fuzzy Hash: 8571253262112A8BCB60DE7CCC426BE3391AF60754F292528FC66A7384EA31CD45D7B0

Function 00D5833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D5835A
_wcslen.LIBCMT ref: 00D5836E
_wcslen.LIBCMT ref: 00D58391
_wcslen.LIBCMT ref: 00D583B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00D583F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00D55BF2), ref: 00D5844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00D58487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00D584CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00D58501
FreeLibrary.KERNEL32(?), ref: 00D5850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00D5851D
DestroyIcon.USER32(?,?,?,?,?,00D55BF2), ref: 00D5852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00D58549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00D58555

Strings

.dll, xrefs: 00D583AB
.icl, xrefs: 00D58368
.exe, xrefs: 00D58388

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 978a6a75ffdfeac064af5880e6d08e9321e32cccd109ef8b5af91f935edd85a1
Instruction ID: 3a70eaf3ebc77edfff3258e30af8e13cbcf24d9afa0cb45671652283f6c2e0d4
Opcode Fuzzy Hash: 978a6a75ffdfeac064af5880e6d08e9321e32cccd109ef8b5af91f935edd85a1
Instruction Fuzzy Hash: EE619D71900315BEEF149F64CC81BBE77A8AB08722F104609FD15E61D1EB74AA84EBB0

Function 00CC7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#cs, xrefs: 00CC7873, 00CC78C5
#OnAutoItStartRegister, xrefs: 00CC7817
#include-once, xrefs: 00CC782F
#comments-end, xrefs: 00CC78D9
Bad directive syntax error, xrefs: 00D0519A
', xrefs: 00D05169
Cannot parse #include, xrefs: 00D05279
#comments-start, xrefs: 00CC785F, 00CC78B1
", xrefs: 00D05153
Unterminated group of comments, xrefs: 00D0528C
#pragma compile, xrefs: 00CC77D3
#include, xrefs: 00CC7847
#ce, xrefs: 00CC78ED
#notrayicon, xrefs: 00CC77E7
#requireadmin, xrefs: 00CC77FF

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 76afe01f83a90e4e62f22f172f74927da774ed306cdba22b9c3d6673711d49b2
Instruction ID: 1132142fa26f509feb0e12703ba7e713eb75ec17fb15bd2180397cba0e5bcb61
Opcode Fuzzy Hash: 76afe01f83a90e4e62f22f172f74927da774ed306cdba22b9c3d6673711d49b2
Instruction Fuzzy Hash: 3B81D271604205BBDF21AF61DD42FAF37A8EF15300F044129FD09AB196EB70DA59DBA1

Function 00D25A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00D25A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00D25A40
SetWindowTextW.USER32(?,?), ref: 00D25A57
GetDlgItem.USER32(?,000003EA), ref: 00D25A6C
SetWindowTextW.USER32(00000000,?), ref: 00D25A72
GetDlgItem.USER32(?,000003E9), ref: 00D25A82
SetWindowTextW.USER32(00000000,?), ref: 00D25A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00D25AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00D25AC3
GetWindowRect.USER32(?,?), ref: 00D25ACC
_wcslen.LIBCMT ref: 00D25B33
SetWindowTextW.USER32(?,?), ref: 00D25B6F
GetDesktopWindow.USER32 ref: 00D25B75
GetWindowRect.USER32(00000000), ref: 00D25B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00D25BD3
GetClientRect.USER32(?,?), ref: 00D25BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00D25C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00D25C2F

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 98c4ce7af0d72940c809e697b976c332cae6e705a2836290045c4f901de74161
Instruction ID: 10ba92fb28b087fc06dc5a3cd700ecfb02c9cafb23ab1a34fdfb3abb42cdcce8
Opcode Fuzzy Hash: 98c4ce7af0d72940c809e697b976c332cae6e705a2836290045c4f901de74161
Instruction Fuzzy Hash: 29717D31900B15AFDB20DFA8EE85F6EBBF5FF58709F144518E582A26A4D771E940CB20

Function 00CE00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00CE00C6

Part of subcall function 00CE00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00D9070C,00000FA0,99107C6A,?,?,?,?,00D023B3,000000FF), ref: 00CE011C
Part of subcall function 00CE00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00D023B3,000000FF), ref: 00CE0127
Part of subcall function 00CE00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00D023B3,000000FF), ref: 00CE0138
Part of subcall function 00CE00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00CE014E
Part of subcall function 00CE00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00CE015C
Part of subcall function 00CE00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00CE016A
Part of subcall function 00CE00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00CE0195
Part of subcall function 00CE00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00CE01A0

___scrt_fastfail.LIBCMT ref: 00CE00E7

Part of subcall function 00CE00A3: __onexit.LIBCMT ref: 00CE00A9

Strings

InitializeConditionVariable, xrefs: 00CE0148
SleepConditionVariableCS, xrefs: 00CE0154
kernel32.dll, xrefs: 00CE0133
WakeAllConditionVariable, xrefs: 00CE0162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00CE0122

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: cf0bb00f3d72eb8347f3715906a3f2e4333bebbf9d2e3e19e54a19cf5ae3dc09
Instruction ID: f9cac76d346ad5cc4ca9dbe6c511be2b1afc1e3f046fc83583ed62b79009011a
Opcode Fuzzy Hash: cf0bb00f3d72eb8347f3715906a3f2e4333bebbf9d2e3e19e54a19cf5ae3dc09
Instruction Fuzzy Hash: DE21A7326557506FEB115BA5AC06F6E37A4EB05B62F20012BFD01EA791DAA498448AF0

Function 00D230F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D2318D
_wcslen.LIBCMT ref: 00D231F8

Strings

NAME, xrefs: 00D23335, 00D23346
CLASS, xrefs: 00D23188, 00D231A5
INSTANCE, xrefs: 00D23453
REGEXPCLASS, xrefs: 00D23255, 00D23266
CLASSNN, xrefs: 00D231F3, 00D23204
TEXT, xrefs: 00D2347C

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 6981e7337222a5a9f60ede9f8275bdd34810044f10779a15d7edf788fd6ee2e3
Instruction ID: b0034fa752e5021960cd7615210aa22c52fb0ece958d502b76e703cd6ca9a40c
Opcode Fuzzy Hash: 6981e7337222a5a9f60ede9f8275bdd34810044f10779a15d7edf788fd6ee2e3
Instruction Fuzzy Hash: 82E10831A00626ABCB18DF78D451BEDBBB4BF24718F588119E456B7240DB34AF8597B0

Function 00D344C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00D5CC08), ref: 00D34527
_wcslen.LIBCMT ref: 00D3453B
_wcslen.LIBCMT ref: 00D34599
_wcslen.LIBCMT ref: 00D345F4
_wcslen.LIBCMT ref: 00D3463F
_wcslen.LIBCMT ref: 00D346A7

Part of subcall function 00CDF9F2: _wcslen.LIBCMT ref: 00CDF9FD

GetDriveTypeW.KERNEL32(?,00D86BF0,00000061), ref: 00D34743

Strings

all, xrefs: 00D34531, 00D34536
fixed, xrefs: 00D34635, 00D3463A
network, xrefs: 00D3469D, 00D346A2
cdrom, xrefs: 00D3458F, 00D34594
unknown, xrefs: 00D34708
ramdisk, xrefs: 00D346F1
removable, xrefs: 00D345EA, 00D345EF

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: d87352ca76d0b1ac01a8c758b09bd0e1a1e7cf48bb17fbda54ee9bda77d56c0d
Instruction ID: 85346eabf154bdf9f1936cf71cafeeea08f0f3c003226dba526bfeaaf67411f1
Opcode Fuzzy Hash: d87352ca76d0b1ac01a8c758b09bd0e1a1e7cf48bb17fbda54ee9bda77d56c0d
Instruction Fuzzy Hash: 18B1F071A083029FC710DF28C891AAAB7E5EFA5764F54891DF496C7291D738E844CBB2

Function 00D4AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D4B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00D4B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00D4B1D4
_wcslen.LIBCMT ref: 00D4B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00D4B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00D4B236
_wcslen.LIBCMT ref: 00D4B332

Part of subcall function 00D305A7: GetStdHandle.KERNEL32(000000F6), ref: 00D305C6

_wcslen.LIBCMT ref: 00D4B34B
_wcslen.LIBCMT ref: 00D4B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00D4B3B6
GetLastError.KERNEL32(00000000), ref: 00D4B407
CloseHandle.KERNEL32(?), ref: 00D4B439
CloseHandle.KERNEL32(00000000), ref: 00D4B44A
CloseHandle.KERNEL32(00000000), ref: 00D4B45C
CloseHandle.KERNEL32(00000000), ref: 00D4B46E
CloseHandle.KERNEL32(?), ref: 00D4B4E3

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 5c1bd0c1c15ffc5c183d0f372b22e125cf8109c058d510314a9b466e117fc2a8
Instruction ID: b4fdf8d247069799ac2902fcb30cb08d4c1136d2ddbc0d8e7309d6db4b49966d
Opcode Fuzzy Hash: 5c1bd0c1c15ffc5c183d0f372b22e125cf8109c058d510314a9b466e117fc2a8
Instruction Fuzzy Hash: BEF1AE315083409FC714EF24C891B6EBBE5EF95324F18855EF8999B2A2CB31EC45DB62

Function 00CC326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00D91990), ref: 00D02F8D
GetMenuItemCount.USER32(00D91990), ref: 00D0303D
GetCursorPos.USER32(?), ref: 00D03081
SetForegroundWindow.USER32(00000000), ref: 00D0308A
TrackPopupMenuEx.USER32(00D91990,00000000,?,00000000,00000000,00000000), ref: 00D0309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00D030A9

Strings

0, xrefs: 00CC327D

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: d37f86556304efc4cae79d01fe933ca2e7aa5ac5db07fb64486a2538ac84027b
Instruction ID: 0ba47e3e3643922f7cc4a21b82d63feaac24bda64c2aa97cc4f867b1feaefff5
Opcode Fuzzy Hash: d37f86556304efc4cae79d01fe933ca2e7aa5ac5db07fb64486a2538ac84027b
Instruction Fuzzy Hash: 7C713A70641356BEEB218F65DC49FAABF68FF00364F244206F919A61E1C7B1AD10DB70

Function 00D56CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00D56DEB

Part of subcall function 00CC6B57: _wcslen.LIBCMT ref: 00CC6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00D56E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00D56E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D56E94
DestroyWindow.USER32(?), ref: 00D56EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00CC0000,00000000), ref: 00D56EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D56EFD
GetDesktopWindow.USER32 ref: 00D56F16
GetWindowRect.USER32(00000000), ref: 00D56F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00D56F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00D56F4D

Part of subcall function 00CD9944: GetWindowLongW.USER32(?,000000EB), ref: 00CD9952

Strings

0, xrefs: 00D56D98
tooltips_class32, xrefs: 00D56E58, 00D56EDD

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 8f27b3d13543b7316e5fe32faa461608e361057328d7b336c53a42f3635d8433
Instruction ID: c390add154a96daef6be03f836abaf56c9ec5d99bf7ecdc8368bf3b05765888f
Opcode Fuzzy Hash: 8f27b3d13543b7316e5fe32faa461608e361057328d7b336c53a42f3635d8433
Instruction Fuzzy Hash: BA716674504341AFDB21CF18D848FAABBE9EB89305F48491EFD9987260D770E90ADB21

Function 00D5911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CD9BB2

DragQueryPoint.SHELL32(?,?), ref: 00D59147

Part of subcall function 00D57674: ClientToScreen.USER32(?,?), ref: 00D5769A
Part of subcall function 00D57674: GetWindowRect.USER32(?,?), ref: 00D57710
Part of subcall function 00D57674: PtInRect.USER32(?,?,00D58B89), ref: 00D57720

SendMessageW.USER32(?,000000B0,?,?), ref: 00D591B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00D591BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00D591DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00D59225
SendMessageW.USER32(?,000000B0,?,?), ref: 00D5923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00D59255
SendMessageW.USER32(?,000000B1,?,?), ref: 00D59277
DragFinish.SHELL32(?), ref: 00D5927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00D59371

Strings

@GUI_DROPID, xrefs: 00D5929E
@GUI_DRAGFILE, xrefs: 00D59320
@GUI_DRAGID, xrefs: 00D592E9

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 40ceaf6a22630ebbc82c482860a09e12b23ef11da8ba1d471854bc59bffe60bd
Instruction ID: 754646cf28c2dd1d1db626c43269bc0672b644b90e28bf64c4b1984f9c3842bc
Opcode Fuzzy Hash: 40ceaf6a22630ebbc82c482860a09e12b23ef11da8ba1d471854bc59bffe60bd
Instruction Fuzzy Hash: 03617F71108301AFD701DF64DC89EAFBBE8EF89751F40091EF995932A1DB309A49CB62

Function 00D3C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00D3C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00D3C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00D3C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00D3C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00D3C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00D3C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D3C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00D3C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00D3C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00D3C5F0
InternetCloseHandle.WININET(00000000), ref: 00D3C5FB

Strings

, xrefs: 00D3C575

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 8ddfef377d1d51f0f28f7ee6310f8d72b3bec3ef61e9a187ff150e381ad328ae
Instruction ID: e5e17a4c1ee28ce9e9430b0b0ca8a4675f2f35f529961464412c259b73d6afd0
Opcode Fuzzy Hash: 8ddfef377d1d51f0f28f7ee6310f8d72b3bec3ef61e9a187ff150e381ad328ae
Instruction Fuzzy Hash: 735139B1511308BFEB219F60C988AAB7BBCFF08755F046419F945E6610EB34E944DB70

Function 00D5856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00D58592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00D585A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00D585AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00D585BA
GlobalLock.KERNEL32(00000000), ref: 00D585C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00D585D7
GlobalUnlock.KERNEL32(00000000), ref: 00D585E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00D585E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00D585F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00D5FC38,?), ref: 00D58611
GlobalFree.KERNEL32(00000000), ref: 00D58621
GetObjectW.GDI32(?,00000018,?), ref: 00D58641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00D58671
DeleteObject.GDI32(?), ref: 00D58699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00D586AF

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 4688afb9cc1643f3f087ebeb01426a23c0dcccdfcc16bbce12ba8a9e4c4b2b3d
Instruction ID: 6590e6ab0947a0d50b0816bf2a6b50bd13b5d6315331b473e61fc6fcc4bee336
Opcode Fuzzy Hash: 4688afb9cc1643f3f087ebeb01426a23c0dcccdfcc16bbce12ba8a9e4c4b2b3d
Instruction Fuzzy Hash: B441F975610308AFDB119FA5DC48EAA7BB8EF89712F144058FD16E7260DB309945DF70

Function 00D314BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00D31502
VariantCopy.OLEAUT32(?,?), ref: 00D3150B
VariantClear.OLEAUT32(?), ref: 00D31517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00D315FB
VarR8FromDec.OLEAUT32(?,?), ref: 00D31657
VariantInit.OLEAUT32(?), ref: 00D31708
SysFreeString.OLEAUT32(?), ref: 00D3178C
VariantClear.OLEAUT32(?), ref: 00D317D8
VariantClear.OLEAUT32(?), ref: 00D317E7
VariantInit.OLEAUT32(00000000), ref: 00D31823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00D31625
Default, xrefs: 00D316AF

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 7ffaeaec1a30e25fae0772067ff926b55f4517cf175267804f8c91bcc42415cb
Instruction ID: 2a8f54a74bac1e468196a9b91b228e7746accaca2b01ea4686ea3417b50c4f80
Opcode Fuzzy Hash: 7ffaeaec1a30e25fae0772067ff926b55f4517cf175267804f8c91bcc42415cb
Instruction Fuzzy Hash: C4D1EF75A00216EFDB10AF65E885B7DB7B5BF44700F18885AE846EB290DB30EC45EB71

Function 00D4B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC9CB3: _wcslen.LIBCMT ref: 00CC9CBD

Part of subcall function 00D4C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D4B6AE,?,?), ref: 00D4C9B5
Part of subcall function 00D4C998: _wcslen.LIBCMT ref: 00D4C9F1
Part of subcall function 00D4C998: _wcslen.LIBCMT ref: 00D4CA68
Part of subcall function 00D4C998: _wcslen.LIBCMT ref: 00D4CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D4B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D4B772
RegDeleteValueW.ADVAPI32(?,?), ref: 00D4B80A
RegCloseKey.ADVAPI32(?), ref: 00D4B87E
RegCloseKey.ADVAPI32(?), ref: 00D4B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00D4B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00D4B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00D4B922
FreeLibrary.KERNEL32(00000000), ref: 00D4B983
RegCloseKey.ADVAPI32(00000000), ref: 00D4B994

Strings

RegDeleteKeyExW, xrefs: 00D4B8FE
advapi32.dll, xrefs: 00D4B8ED

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 5afc84806b70f4e00b35d317d875ca004dc20f93617e86c6f4eb8ce73a15f0f8
Instruction ID: b2641d8e63be8f5fd7462993093730fd76d7bf5c141071875d2b7d9d4ce75342
Opcode Fuzzy Hash: 5afc84806b70f4e00b35d317d875ca004dc20f93617e86c6f4eb8ce73a15f0f8
Instruction Fuzzy Hash: 90C16B30208701AFD714DF24C495F2ABBE5FF94318F18855DE49A8B2A2CB71ED46DBA1

Function 00D4255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00D425D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00D425E8
CreateCompatibleDC.GDI32(?), ref: 00D425F4
SelectObject.GDI32(00000000,?), ref: 00D42601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00D4266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00D426AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00D426D0
SelectObject.GDI32(?,?), ref: 00D426D8
DeleteObject.GDI32(?), ref: 00D426E1
DeleteDC.GDI32(?), ref: 00D426E8
ReleaseDC.USER32(00000000,?), ref: 00D426F3

Strings

(, xrefs: 00D4268D

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 727bc059eb02400a887f615246b322d58559e360559936ae59943959c1866d03
Instruction ID: 066b3aebf0a899941fea6064f8a88d8a4f5290ae34e951324e6c986579160737
Opcode Fuzzy Hash: 727bc059eb02400a887f615246b322d58559e360559936ae59943959c1866d03
Instruction Fuzzy Hash: 3661CF75D00319EFCB04CFA8D884AAEBBB5FF48310F24852AE956A7350D770A951CFA4

Function 00CFDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00CFDAA1

Part of subcall function 00CFD63C: _free.LIBCMT ref: 00CFD659
Part of subcall function 00CFD63C: _free.LIBCMT ref: 00CFD66B
Part of subcall function 00CFD63C: _free.LIBCMT ref: 00CFD67D
Part of subcall function 00CFD63C: _free.LIBCMT ref: 00CFD68F
Part of subcall function 00CFD63C: _free.LIBCMT ref: 00CFD6A1
Part of subcall function 00CFD63C: _free.LIBCMT ref: 00CFD6B3
Part of subcall function 00CFD63C: _free.LIBCMT ref: 00CFD6C5
Part of subcall function 00CFD63C: _free.LIBCMT ref: 00CFD6D7
Part of subcall function 00CFD63C: _free.LIBCMT ref: 00CFD6E9
Part of subcall function 00CFD63C: _free.LIBCMT ref: 00CFD6FB
Part of subcall function 00CFD63C: _free.LIBCMT ref: 00CFD70D
Part of subcall function 00CFD63C: _free.LIBCMT ref: 00CFD71F
Part of subcall function 00CFD63C: _free.LIBCMT ref: 00CFD731

_free.LIBCMT ref: 00CFDA96

Part of subcall function 00CF29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CFD7D1,00000000,00000000,00000000,00000000,?,00CFD7F8,00000000,00000007,00000000,?,00CFDBF5,00000000), ref: 00CF29DE
Part of subcall function 00CF29C8: GetLastError.KERNEL32(00000000,?,00CFD7D1,00000000,00000000,00000000,00000000,?,00CFD7F8,00000000,00000007,00000000,?,00CFDBF5,00000000,00000000), ref: 00CF29F0

_free.LIBCMT ref: 00CFDAB8
_free.LIBCMT ref: 00CFDACD
_free.LIBCMT ref: 00CFDAD8
_free.LIBCMT ref: 00CFDAFA
_free.LIBCMT ref: 00CFDB0D
_free.LIBCMT ref: 00CFDB1B
_free.LIBCMT ref: 00CFDB26
_free.LIBCMT ref: 00CFDB5E
_free.LIBCMT ref: 00CFDB65
_free.LIBCMT ref: 00CFDB82
_free.LIBCMT ref: 00CFDB9A

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 3b786d4086caff55f555aa7a46cf5a7bf7ab248e68783034adc48b8d138175f1
Instruction ID: 0e14a11567426ec8bc7393ad1929bc0b043b940b2a9fbc9df9c6c2dfbca16bcc
Opcode Fuzzy Hash: 3b786d4086caff55f555aa7a46cf5a7bf7ab248e68783034adc48b8d138175f1
Instruction Fuzzy Hash: 78319C3164430D9FEBA1AE38E845B7A77EAFF00310F104419F26AD7191DA70EE80A726

Function 00D2365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00D2369C
_wcslen.LIBCMT ref: 00D236A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00D23797
GetClassNameW.USER32(?,?,00000400), ref: 00D2380C
GetDlgCtrlID.USER32(?), ref: 00D2385D
GetWindowRect.USER32(?,?), ref: 00D23882
GetParent.USER32(?), ref: 00D238A0
ScreenToClient.USER32(00000000), ref: 00D238A7
GetClassNameW.USER32(?,?,00000100), ref: 00D23921
GetWindowTextW.USER32(?,?,00000400), ref: 00D2395D

Strings

%s%u, xrefs: 00D23734

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: f1b47618ea72c7b9ad52f11e4df6937c0a20badfc3a5fd14b086811d205e6cca
Instruction ID: aab5ca124f0086dda44b95bb9cb47b3f3431deb6e5feac034dcf777a80960cd6
Opcode Fuzzy Hash: f1b47618ea72c7b9ad52f11e4df6937c0a20badfc3a5fd14b086811d205e6cca
Instruction Fuzzy Hash: FF91D171200716AFD718DF24D884BAAF7A8FF64318F048629F999C2190DB34EA45CBB1

Function 00D24954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00D24994
GetWindowTextW.USER32(?,?,00000400), ref: 00D249DA
_wcslen.LIBCMT ref: 00D249EB
CharUpperBuffW.USER32(?,00000000), ref: 00D249F7
_wcsstr.LIBVCRUNTIME ref: 00D24A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00D24A64
GetWindowTextW.USER32(?,?,00000400), ref: 00D24A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00D24AE6
GetClassNameW.USER32(?,?,00000400), ref: 00D24B20
GetWindowRect.USER32(?,?), ref: 00D24B8B

Strings

ThumbnailClass, xrefs: 00D24A6F, 00D24AF1

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: d9aa5e8ed68eb1696294688fdd0d54f6ac3cfe793ed2627c2a508b75cd276eaa
Instruction ID: 27dddfeafcc5e4d5c0009f2bf973a3b1866a1f2d2e1cf71450888a5f9aceaa3e
Opcode Fuzzy Hash: d9aa5e8ed68eb1696294688fdd0d54f6ac3cfe793ed2627c2a508b75cd276eaa
Instruction Fuzzy Hash: E291BD311043159FDB04DF14E985BAAB7E8FFA4318F088469FD859A196DB30ED45CBB1

Function 00D58D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CD9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00D58D5A
GetFocus.USER32 ref: 00D58D6A
GetDlgCtrlID.USER32(00000000), ref: 00D58D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00D58E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00D58ECF
GetMenuItemCount.USER32(?), ref: 00D58EEC
GetMenuItemID.USER32(?,00000000), ref: 00D58EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00D58F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00D58F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00D58FA1

Strings

0, xrefs: 00D58E9F

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: d90c8426fc468c80752f2899d950c8f8e9b6f3d36f63a27b95dab26dc153b681
Instruction ID: 7f4911df8ba0c1b637db7864d2eae93dbf406672b184941fb274bdfbb0c451aa
Opcode Fuzzy Hash: d90c8426fc468c80752f2899d950c8f8e9b6f3d36f63a27b95dab26dc153b681
Instruction Fuzzy Hash: 27817B71508301AFDB10CF14C885A6BBBE9FF88356F18091AFD95A7291DB71D908EBB1

Function 00D2DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00D2DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00D2DC46
_wcslen.LIBCMT ref: 00D2DC50
_wcsstr.LIBVCRUNTIME ref: 00D2DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00D2DCBC

Strings

%u.%u.%u.%u, xrefs: 00D2DD9A
04090000, xrefs: 00D2DCF2
StringFileInfo\, xrefs: 00D2DC8F
DefaultLangCodepage, xrefs: 00D2DD1F
\VarFileInfo\Translation, xrefs: 00D2DCB4

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: e5b2fb9014315745b0b24395e64507bccd6f55c465a200a7f34229941511fe31
Instruction ID: c4d0aa0c11e24262740bb9b1782dd72538c91bf90eea9a2c516f05f610d16364
Opcode Fuzzy Hash: e5b2fb9014315745b0b24395e64507bccd6f55c465a200a7f34229941511fe31
Instruction Fuzzy Hash: 48410F32A403117EDB14A765AC47EBF37ACEF55720F14006AFE01A6282EA71DA05A7B4

Function 00D4CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00D4CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00D4CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00D4CD48

Part of subcall function 00D4CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00D4CCAA
Part of subcall function 00D4CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00D4CCBD
Part of subcall function 00D4CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00D4CCCF
Part of subcall function 00D4CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00D4CD05
Part of subcall function 00D4CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00D4CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00D4CCF3

Strings

RegDeleteKeyExW, xrefs: 00D4CCC9
advapi32.dll, xrefs: 00D4CCB8

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 92ba87842e84e156aaaff0818bd47f4dbb730563f59023e8cae9b7dccfdc6531
Instruction ID: a8fcb00735d3b0750b694249fc3cfaa5f05a35a35aa0a3d8a85af1816b5ee082
Opcode Fuzzy Hash: 92ba87842e84e156aaaff0818bd47f4dbb730563f59023e8cae9b7dccfdc6531
Instruction Fuzzy Hash: 98318A71A12329BFDB209BA4DC88EFFBB7CEF05751F041165A906E2250DB309A45DAB0

Function 00D33D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00D33D40
_wcslen.LIBCMT ref: 00D33D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00D33D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00D33DBE
RemoveDirectoryW.KERNEL32(?), ref: 00D33DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00D33E55
CloseHandle.KERNEL32(00000000), ref: 00D33E60
CloseHandle.KERNEL32(00000000), ref: 00D33E6B

Strings

\??\%s, xrefs: 00D33D5B
:, xrefs: 00D33D82
\, xrefs: 00D33D77

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 1138801ce35b70e1d0036ad0d40c60198a39df28ee20114eb73f2fb74ea4f9bf
Instruction ID: 1f1f9039c3432e07fb763f7d53b416942b63eae40c9d7f1f69e1235b8623a101
Opcode Fuzzy Hash: 1138801ce35b70e1d0036ad0d40c60198a39df28ee20114eb73f2fb74ea4f9bf
Instruction Fuzzy Hash: C831A172910349ABDB219BA0DD49FEB37BCEF88701F1041A6FA09D6160EB7097848B34

Function 00D2E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00D2E6B4

Part of subcall function 00CDE551: timeGetTime.WINMM(?,?,00D2E6D4), ref: 00CDE555

Sleep.KERNEL32(0000000A), ref: 00D2E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00D2E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00D2E727
SetActiveWindow.USER32 ref: 00D2E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00D2E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00D2E773
Sleep.KERNEL32(000000FA), ref: 00D2E77E
IsWindow.USER32 ref: 00D2E78A
EndDialog.USER32(00000000), ref: 00D2E79B

Strings

BUTTON, xrefs: 00D2E719

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: ef68f04a488f6815839128348e46b7a1e3ffb600ef66494ab310c1c1b17d886f
Instruction ID: 68a81ed02e61764a2e19a9fe2c328eb778ec2b52d40a32d732b6edb81f270bb8
Opcode Fuzzy Hash: ef68f04a488f6815839128348e46b7a1e3ffb600ef66494ab310c1c1b17d886f
Instruction Fuzzy Hash: 8A215EB0214315BFEB115F61FC8AA363B69F76574EB142426F916C27B2DB71AC009A34

Function 00D2E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00CC9CB3: _wcslen.LIBCMT ref: 00CC9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00D2EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00D2EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D2EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00D2EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00D2EAA7

Strings

open , xrefs: 00D2EA0C
play PlayMe, xrefs: 00D2EAA2
close PlayMe, xrefs: 00D2EA6E, 00D2EA9B
play PlayMe wait, xrefs: 00D2EA91
alias PlayMe, xrefs: 00D2EA36
status PlayMe mode, xrefs: 00D2EA58

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 1ed9dd942008fcf5dea367f0fc41a5f565bb6b5f8430556f2584bece8077cd90
Instruction ID: 81f6d9de6fbe5840915c8e014bc11fe825d6e4ba7829d0f7654f9b8d9f443f6b
Opcode Fuzzy Hash: 1ed9dd942008fcf5dea367f0fc41a5f565bb6b5f8430556f2584bece8077cd90
Instruction Fuzzy Hash: 9C118631A902697DD720B7A2EC4AEFF6B7CEBD1B14F440469F811A20D1EE704D09CAB0

Function 00D25CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00D25CE2
GetWindowRect.USER32(00000000,?), ref: 00D25CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00D25D59
GetDlgItem.USER32(?,00000002), ref: 00D25D69
GetWindowRect.USER32(00000000,?), ref: 00D25D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00D25DCF
GetDlgItem.USER32(?,000003E9), ref: 00D25DDD
GetWindowRect.USER32(00000000,?), ref: 00D25DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00D25E31
GetDlgItem.USER32(?,000003EA), ref: 00D25E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00D25E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00D25E67

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 91c5b6696ccb2532a03832dae16ebaae64c734626aafd09df5400e733d583267
Instruction ID: 0db21e5cf8a78d92d74c4926aed8bb8b33bf840559a7cdde8852f51a8852c4bf
Opcode Fuzzy Hash: 91c5b6696ccb2532a03832dae16ebaae64c734626aafd09df5400e733d583267
Instruction Fuzzy Hash: 46513D70A10715AFDB18CF68ED89EAEBBB5FB58301F148129F915E7294D7709E00CB60

Function 00CD8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00CD8BE8,?,00000000,?,?,?,?,00CD8BBA,00000000,?), ref: 00CD8FC5

DestroyWindow.USER32(?), ref: 00CD8C81
KillTimer.USER32(00000000,?,?,?,?,00CD8BBA,00000000,?), ref: 00CD8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00D16973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00CD8BBA,00000000,?), ref: 00D169A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00CD8BBA,00000000,?), ref: 00D169B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00CD8BBA,00000000), ref: 00D169D4
DeleteObject.GDI32(00000000), ref: 00D169E6

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 7e2963cfd3af4a3d49c9990b4695d3fefddbf8de38e93afda9dde55ff0799d76
Instruction ID: 2ece2257e11fb227cf7730e3c4aa37bd2347dfdafc8776b2336cece450bea9ca
Opcode Fuzzy Hash: 7e2963cfd3af4a3d49c9990b4695d3fefddbf8de38e93afda9dde55ff0799d76
Instruction Fuzzy Hash: C1619B34512701EFCB219F19E948B69BBF1FB84312F14451AE6529ABA0CB31A984DFB0

Function 00CD9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00CD9944: GetWindowLongW.USER32(?,000000EB), ref: 00CD9952

GetSysColor.USER32(0000000F), ref: 00CD9862

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: e27709bdf8c2024bb1dd638753f53ef54685fd0e6f7c522afc537f3bb38edd1f
Instruction ID: 2a12045a894fa8f55314f009c4cd2535d848a55a4372540b5252094b1ba0bdbb
Opcode Fuzzy Hash: e27709bdf8c2024bb1dd638753f53ef54685fd0e6f7c522afc537f3bb38edd1f
Instruction Fuzzy Hash: 3E418235104740AFDB205F389C88BB93BA6EB06772F144616FAB6873E1D7319D41EB20

Function 00D296E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00D0F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00D29717
LoadStringW.USER32(00000000,?,00D0F7F8,00000001), ref: 00D29720

Part of subcall function 00CC9CB3: _wcslen.LIBCMT ref: 00CC9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00D0F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00D29742
LoadStringW.USER32(00000000,?,00D0F7F8,00000001), ref: 00D29745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00D29866

Strings

Error: , xrefs: 00D2981D
^ ERROR, xrefs: 00D297FB
Line %d (File "%s"):, xrefs: 00D2978F
%s (%d) : ==> %s: %s %s, xrefs: 00D2984A
Line %d:, xrefs: 00D297A0

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 5ab636de6771dd42c028a127857a6f7cdab4613d3e50253c37f6474edfe7cfb8
Instruction ID: ea020a03343048509290cfbf1c9bd9e9fbe1ac67f250cc431f685ec134f2e8c3
Opcode Fuzzy Hash: 5ab636de6771dd42c028a127857a6f7cdab4613d3e50253c37f6474edfe7cfb8
Instruction Fuzzy Hash: 87417F72900219AACB04FBE0ED96EEEB378EF55304F140029F60172092EB356F49DB71

Function 00D206DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC6B57: _wcslen.LIBCMT ref: 00CC6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00D207A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00D207BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00D207DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00D20804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00D2082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00D20837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00D2083C

Strings

SOFTWARE\Classes\, xrefs: 00D2070E
\CLSID, xrefs: 00D20724
\IPC$, xrefs: 00D20784

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: ffd659c53e371c55899b449cb156dddf36d132ff3c4023e7d5d477e3f335673a
Instruction ID: cde33a9e07f7a2ba72e8bc084d6b90fef7391cd5305f1176f5b0c12c8b9e7215
Opcode Fuzzy Hash: ffd659c53e371c55899b449cb156dddf36d132ff3c4023e7d5d477e3f335673a
Instruction Fuzzy Hash: D741E572D10229AFDF15EBA4EC95DEEB778FF54354F044169E901A32A1EB309E04DBA0

Function 00D43C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D43C5C
CoInitialize.OLE32(00000000), ref: 00D43C8A
CoUninitialize.OLE32 ref: 00D43C94
_wcslen.LIBCMT ref: 00D43D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00D43DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00D43ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00D43F0E
CoGetObject.OLE32(?,00000000,00D5FB98,?), ref: 00D43F2D
SetErrorMode.KERNEL32(00000000), ref: 00D43F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00D43FC4
VariantClear.OLEAUT32(?), ref: 00D43FD8

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 4a72c81377fa9e3576ea47818372e043c9cf3a858fe569f1fc29556ab81b4d9e
Instruction ID: 2833c4daa659aeb0e23af903ea6e069b4bac362e245b9974f8108a7e972676f2
Opcode Fuzzy Hash: 4a72c81377fa9e3576ea47818372e043c9cf3a858fe569f1fc29556ab81b4d9e
Instruction Fuzzy Hash: F3C114716083059FD700DF68C88492BBBE9FF89748F14495DF98A9B251DB31EE05CBA2

Function 00D37A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00D37AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00D37B8F
SHGetDesktopFolder.SHELL32(?), ref: 00D37BA3
CoCreateInstance.OLE32(00D5FD08,00000000,00000001,00D86E6C,?), ref: 00D37BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00D37C74
CoTaskMemFree.OLE32(?,?), ref: 00D37CCC
SHBrowseForFolderW.SHELL32(?), ref: 00D37D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00D37D7A
CoTaskMemFree.OLE32(00000000), ref: 00D37D81
CoTaskMemFree.OLE32(00000000), ref: 00D37DD6
CoUninitialize.OLE32 ref: 00D37DDC

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 267f29fc82e0b2d0dad4e361dd39f11f9c0c3e6f4fcb37e22266fbed13fe3770
Instruction ID: a270fbc3f4c7aab280b88bd64caf6cec688b043d5f51030d0731c14628eecedb
Opcode Fuzzy Hash: 267f29fc82e0b2d0dad4e361dd39f11f9c0c3e6f4fcb37e22266fbed13fe3770
Instruction Fuzzy Hash: E1C1F775A04609AFCB14DFA4C884DAEBBB9EF48304F148599E819DB361D730EE45CBA0

Function 00D5541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00D55504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D55515
CharNextW.USER32(00000158), ref: 00D55544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00D55585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00D5559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D555AC

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: a4cd02e30d0c679a5209a34f74c34c252e1442237857cf81dcec3eaad6fa645f
Instruction ID: 03f6e42e1300131f9b6af762726f22a0397dd506d46196a4bf3e74a52cc841e6
Opcode Fuzzy Hash: a4cd02e30d0c679a5209a34f74c34c252e1442237857cf81dcec3eaad6fa645f
Instruction Fuzzy Hash: 32618B34900709EFDF128F90EC94AFE3BB9EB09322F144145FD65A62A4D7748A889F70

Function 00D1FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00D1FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00D1FB08
VariantInit.OLEAUT32(?), ref: 00D1FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00D1FB3A
VariantCopy.OLEAUT32(?,?), ref: 00D1FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00D1FBA1
VariantClear.OLEAUT32(?), ref: 00D1FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00D1FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00D1FBCC
VariantClear.OLEAUT32(?), ref: 00D1FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00D1FBE9

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: e2fada65b4efed7db83b302ce32b1e9ed83c79d155879884b0e1cf66891abbd8
Instruction ID: 34576da4958e5cdc9800c727667730b9d89974a9282c5d2b8366229f9c34e956
Opcode Fuzzy Hash: e2fada65b4efed7db83b302ce32b1e9ed83c79d155879884b0e1cf66891abbd8
Instruction Fuzzy Hash: BA413D75A00319AFCB00DF68D854DEEBBB9EF48345F048069E955E7261CB34A986CBB0

Function 00D29C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00D29CA1
GetAsyncKeyState.USER32(000000A0), ref: 00D29D22
GetKeyState.USER32(000000A0), ref: 00D29D3D
GetAsyncKeyState.USER32(000000A1), ref: 00D29D57
GetKeyState.USER32(000000A1), ref: 00D29D6C
GetAsyncKeyState.USER32(00000011), ref: 00D29D84
GetKeyState.USER32(00000011), ref: 00D29D96
GetAsyncKeyState.USER32(00000012), ref: 00D29DAE
GetKeyState.USER32(00000012), ref: 00D29DC0
GetAsyncKeyState.USER32(0000005B), ref: 00D29DD8
GetKeyState.USER32(0000005B), ref: 00D29DEA

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 59b35cd0f7f80de3b53f9aa7506cb7b46dea5c8e7ee866721760dad572c68a9e
Instruction ID: b246bc47f60b1aeddc00d3168c12b28855e7a34fe39d7ffb7976ec53199a60e8
Opcode Fuzzy Hash: 59b35cd0f7f80de3b53f9aa7506cb7b46dea5c8e7ee866721760dad572c68a9e
Instruction Fuzzy Hash: DE41C6345047D96DFF319660E8243B5FEA06F31348F0C805ADAC6566C2EBA599C8D7B2

Function 00D4055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00D405BC
inet_addr.WSOCK32(?), ref: 00D4061C
gethostbyname.WSOCK32(?), ref: 00D40628
IcmpCreateFile.IPHLPAPI ref: 00D40636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00D406C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00D406E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00D407B9
WSACleanup.WSOCK32 ref: 00D407BF

Strings

Ping, xrefs: 00D40676

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: ac4db4c1785870824069c777ebcae319874bc591d48e4143abc2192511199c7f
Instruction ID: 7629c1e337c40051aff210ae638032424a90294537f766b7db1cdf7a0fbc6327
Opcode Fuzzy Hash: ac4db4c1785870824069c777ebcae319874bc591d48e4143abc2192511199c7f
Instruction Fuzzy Hash: 8B915D755043019FD720DF15C489F1ABBE0EF48318F1985A9E6AA9B7A2C730ED45CFA2

Function 00D48CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00D48CF3

Part of subcall function 00D28E54: _wcslen.LIBCMT ref: 00D28E77

_wcslen.LIBCMT ref: 00D48D4E
_wcslen.LIBCMT ref: 00D48D9C
_wcslen.LIBCMT ref: 00D48DDC
_wcslen.LIBCMT ref: 00D48E6E

Strings

cdecl, xrefs: 00D48D48, 00D48D4D
winapi, xrefs: 00D48D96, 00D48D9B
stdcall, xrefs: 00D48DD6, 00D48DDB
none, xrefs: 00D48E65, 00D48E6A

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 6c502d5ae949a2085b48964ebf9c8d376a19a76928190e4033b446aefd03d5cf
Instruction ID: 055147517b87b2b60b9e511b53c5e58f64dff12e39075ab4bae01dfcbcbd985e
Opcode Fuzzy Hash: 6c502d5ae949a2085b48964ebf9c8d376a19a76928190e4033b446aefd03d5cf
Instruction Fuzzy Hash: E251B231A001169BCF14DF6CC9419BEB7A5FF643A4B284229F866E72C4EB31DD40E7A0

Function 00D4372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00D43774
CoUninitialize.OLE32 ref: 00D4377F
CoCreateInstance.OLE32(?,00000000,00000017,00D5FB78,?), ref: 00D437D9
IIDFromString.OLE32(?,?), ref: 00D4384C
VariantInit.OLEAUT32(?), ref: 00D438E4
VariantClear.OLEAUT32(?), ref: 00D43936

Strings

NULL Pointer assignment, xrefs: 00D4381E
Invalid parameter, xrefs: 00D43865
Failed to create object, xrefs: 00D437E4, 00D4389A

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: d7fde5469d0ac969a4a12ca9e57744b6b6710920b6dc4c799f9252f66f1861df
Instruction ID: fe8ffd64a58acf34347fdd90c1fbd81056f3f7fdf4cbbbee23efa84fe62791d7
Opcode Fuzzy Hash: d7fde5469d0ac969a4a12ca9e57744b6b6710920b6dc4c799f9252f66f1861df
Instruction Fuzzy Hash: 74618A70608311AFD310DF68C889F6ABBE8EF48715F144919F9859B291C770EE48DBB2

Function 00D33388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00D333CF

Part of subcall function 00CC9CB3: _wcslen.LIBCMT ref: 00CC9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00D333F0

Strings

Error: , xrefs: 00D334D1
"%s" (%d) : ==> %s:%s%s, xrefs: 00D33504
Line %d (File "%s"):, xrefs: 00D33443, 00D3345C
"%s" (%d) : ==> %s:, xrefs: 00D33522
^ ERROR , xrefs: 00D3349E
Incorrect parameters to object property !, xrefs: 00D334AB

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 70fc308e02a9a55c00af5c9fc261822f003a353232a39f7217d3846aff5eb895
Instruction ID: e35932474afbbf63e8c025282a0ca04ef7f289dc21dd411b747109b43b2a2fa1
Opcode Fuzzy Hash: 70fc308e02a9a55c00af5c9fc261822f003a353232a39f7217d3846aff5eb895
Instruction Fuzzy Hash: 7A517C3190020AAADF15EBE0DE46EEEB778EF14340F144169F505B21A2EB316F58EB70

Function 00D2B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00D2B5FC
_wcslen.LIBCMT ref: 00D2B608
_wcslen.LIBCMT ref: 00D2B64D
_wcslen.LIBCMT ref: 00D2B68C
_wcslen.LIBCMT ref: 00D2B6C7

Strings

REMOVE, xrefs: 00D2B602, 00D2B607
KEYS, xrefs: 00D2B647, 00D2B64C
APPEND, xrefs: 00D2B6C1, 00D2B6C6
EXISTS, xrefs: 00D2B686, 00D2B68B

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: fcf8fdfdba4c7079e755a34323b4870d3e2d42737001225376b9dca2907292c7
Instruction ID: 58e50ae4078b27ebef22f896495a73430b1fc76e39bc11eb931f029e3a894b3f
Opcode Fuzzy Hash: fcf8fdfdba4c7079e755a34323b4870d3e2d42737001225376b9dca2907292c7
Instruction Fuzzy Hash: B641A632A001369ACB206F7D9C905BE77A5ABB077DB28412AE461DB284E771CD81C7B0

Function 00D35393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D353A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00D35416
GetLastError.KERNEL32 ref: 00D35420
SetErrorMode.KERNEL32(00000000,READY), ref: 00D354A7

Strings

INVALID, xrefs: 00D35459
NOTREADY, xrefs: 00D3544B
READY, xrefs: 00D35460, 00D35468
READONLY, xrefs: 00D35452
UNKNOWN, xrefs: 00D35444

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: be983a7e4b72e5a4ce51d898118791d8df6c32643c962443d0c18d03137657ea
Instruction ID: 1dcdc5593f892c561098371f95ab0e805891a5d1a4e30d5b17888accaa35f3a9
Opcode Fuzzy Hash: be983a7e4b72e5a4ce51d898118791d8df6c32643c962443d0c18d03137657ea
Instruction Fuzzy Hash: 6131A135A006049FD718DF68D884FAABBB4EF45315F188069E806CB3A6D771DD86CBB0

Function 00D53C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00D53C79
SetMenu.USER32(?,00000000), ref: 00D53C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D53D10
IsMenu.USER32(?), ref: 00D53D24
CreatePopupMenu.USER32 ref: 00D53D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00D53D5B
DrawMenuBar.USER32 ref: 00D53D63

Strings

F, xrefs: 00D53D4E
0, xrefs: 00D53C54

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: b28d181d860a4a82aafe458b36bd6b30c14eefd4e62e47d116435edf016c319c
Instruction ID: 2766b71b5798e5c76d1b8ca92f9ce5b03d73798240ef4e47bd211eb2739bc6f4
Opcode Fuzzy Hash: b28d181d860a4a82aafe458b36bd6b30c14eefd4e62e47d116435edf016c319c
Instruction Fuzzy Hash: 6C415979A01309AFDF14CFA4D844BAA7BB5FF49391F180029ED5697360D730AA14CFA0

Function 00D21EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC9CB3: _wcslen.LIBCMT ref: 00CC9CBD

Part of subcall function 00D23CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D23CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00D21F64
GetDlgCtrlID.USER32 ref: 00D21F6F
GetParent.USER32 ref: 00D21F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00D21F8E
GetDlgCtrlID.USER32(?), ref: 00D21F97
GetParent.USER32(?), ref: 00D21FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00D21FAE

Strings

ComboBox, xrefs: 00D21EEC
ListBox, xrefs: 00D21F21

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 1e85c5670138b6d214b85cf508f359be1f396fe8246c8885ab4551aa2dee3f2b
Instruction ID: 7d87795baacaff51fcf785ccc50cdb817298b96ca1f3728bba7a6f953b63b022
Opcode Fuzzy Hash: 1e85c5670138b6d214b85cf508f359be1f396fe8246c8885ab4551aa2dee3f2b
Instruction Fuzzy Hash: D421A175900314BFCF04AFA0DC45EEEBBA8EF25314B004155F961A72A1CB345A18DB70

Function 00D53A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00D53A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00D53AA0
GetWindowLongW.USER32(?,000000F0), ref: 00D53AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D53AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00D53B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00D53BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00D53BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00D53BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00D53BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00D53C13

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 8939f7f0c959e09fcca912ce4244d0fb3ec307f7bd0c34b4baeb0bb9096e4bb6
Instruction ID: f00f2ad0a654a0517ba181bcaa4d6d5bb1346b425cea157d1df7656ed87a0f20
Opcode Fuzzy Hash: 8939f7f0c959e09fcca912ce4244d0fb3ec307f7bd0c34b4baeb0bb9096e4bb6
Instruction Fuzzy Hash: 07615875A00248AFDB11DFA8CC81EEE77B8EB09740F14419AFE15E72A1D770AE45DB60

Function 00CF2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CF2C94

Part of subcall function 00CF29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CFD7D1,00000000,00000000,00000000,00000000,?,00CFD7F8,00000000,00000007,00000000,?,00CFDBF5,00000000), ref: 00CF29DE
Part of subcall function 00CF29C8: GetLastError.KERNEL32(00000000,?,00CFD7D1,00000000,00000000,00000000,00000000,?,00CFD7F8,00000000,00000007,00000000,?,00CFDBF5,00000000,00000000), ref: 00CF29F0

_free.LIBCMT ref: 00CF2CA0
_free.LIBCMT ref: 00CF2CAB
_free.LIBCMT ref: 00CF2CB6
_free.LIBCMT ref: 00CF2CC1
_free.LIBCMT ref: 00CF2CCC
_free.LIBCMT ref: 00CF2CD7
_free.LIBCMT ref: 00CF2CE2
_free.LIBCMT ref: 00CF2CED
_free.LIBCMT ref: 00CF2CFB

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7b939c4ebff9df326e91120e258b32a338dc1515b70473a6e9bd4a760f07c7fc
Instruction ID: b8a83e179ba0efa545a2fa4aba0525ae8a9557006035a8e86bcf7ccaf292fbe2
Opcode Fuzzy Hash: 7b939c4ebff9df326e91120e258b32a338dc1515b70473a6e9bd4a760f07c7fc
Instruction Fuzzy Hash: 0111A47614010DAFCB82EF94D882CED3BA5FF05350F4144A5FA489F222DA71EF50AB92

Function 00CC1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00CC1459
OleUninitialize.OLE32(?,00000000), ref: 00CC14F8
UnregisterHotKey.USER32(?), ref: 00CC16DD
DestroyWindow.USER32(?), ref: 00D024B9
FreeLibrary.KERNEL32(?), ref: 00D0251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00D0254B

Strings

close all, xrefs: 00CC1454

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 09c6170ed060664182a480a31dcffe9161e6dfd1c74ad8c93e847a928a6c7c3d
Instruction ID: 2c7a633f20aca33899ce92242d0e6db513935277373713f412577a3da558424f
Opcode Fuzzy Hash: 09c6170ed060664182a480a31dcffe9161e6dfd1c74ad8c93e847a928a6c7c3d
Instruction Fuzzy Hash: 3DD14C317022128FCB19EF16C899F29F7A4BF05711F18419DE94AAB292DB31ED12DF64

Function 00D37DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00D37FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00D37FC1
GetFileAttributesW.KERNEL32(?), ref: 00D37FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00D38005
SetCurrentDirectoryW.KERNEL32(?), ref: 00D38017
SetCurrentDirectoryW.KERNEL32(?), ref: 00D38060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00D380B0

Strings

*.*, xrefs: 00D38066

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: f7f1a71343f7ecf57102868efb34157dcaeb51998830d706a0adcaa6531a0dba
Instruction ID: 6b8cd1aaec2ae141f2b2ade1caf0e0943a928e44af2cfd0801dc2d6f9eda9159
Opcode Fuzzy Hash: f7f1a71343f7ecf57102868efb34157dcaeb51998830d706a0adcaa6531a0dba
Instruction Fuzzy Hash: 7C8181B25087469FCB34DF54C884AAAB3E8BF88314F18486EF885D7250DB35DD45DB62

Function 00CC5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00CC5C7A

Part of subcall function 00CC5D0A: GetClientRect.USER32(?,?), ref: 00CC5D30
Part of subcall function 00CC5D0A: GetWindowRect.USER32(?,?), ref: 00CC5D71
Part of subcall function 00CC5D0A: ScreenToClient.USER32(?,?), ref: 00CC5D99

GetDC.USER32 ref: 00D046F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00D04708
SelectObject.GDI32(00000000,00000000), ref: 00D04716
SelectObject.GDI32(00000000,00000000), ref: 00D0472B
ReleaseDC.USER32(?,00000000), ref: 00D04733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00D047C4

Strings

U, xrefs: 00D04693

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 77c93219b3c2a4d9c4b5c529e8da15262f1f1a467156c4692bbc0a444505651a
Instruction ID: 05c2aebc747cdc999f528a577be1a8c858ad57a7674e6792e14ada5bfa2669a5
Opcode Fuzzy Hash: 77c93219b3c2a4d9c4b5c529e8da15262f1f1a467156c4692bbc0a444505651a
Instruction Fuzzy Hash: 7271AE74400205DFCF218F64C984FAA3BB5FF8A351F184269EE595A2A6D7319881DFB0

Function 00D3359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00D335E4

Part of subcall function 00CC9CB3: _wcslen.LIBCMT ref: 00CC9CBD

LoadStringW.USER32(00D92390,?,00000FFF,?), ref: 00D3360A

Strings

Error: , xrefs: 00D336EF
"%s" (%d) : ==> %s:%s%s, xrefs: 00D33724
^ ERROR, xrefs: 00D336C9
Line %d (File "%s"):, xrefs: 00D3366B
"%s" (%d) : ==> %s:, xrefs: 00D33742

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 3d817332181914c16e868f8a59be12aac6b906466a4798153a0b435d0afb2bbe
Instruction ID: 1b94d6e713a1f6463db16e14e8382f7fe0d3199d15a40d0d771344d939aba084
Opcode Fuzzy Hash: 3d817332181914c16e868f8a59be12aac6b906466a4798153a0b435d0afb2bbe
Instruction Fuzzy Hash: FF516D71D0024ABADF14EBA0DD46EEEBB38EF14340F184129F505721A1EB315A99EF70

Function 00D58B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CD9BB2

Part of subcall function 00CD912D: GetCursorPos.USER32(?), ref: 00CD9141
Part of subcall function 00CD912D: ScreenToClient.USER32(00000000,?), ref: 00CD915E
Part of subcall function 00CD912D: GetAsyncKeyState.USER32(00000001), ref: 00CD9183
Part of subcall function 00CD912D: GetAsyncKeyState.USER32(00000002), ref: 00CD919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00D58B6B
ImageList_EndDrag.COMCTL32 ref: 00D58B71
ReleaseCapture.USER32 ref: 00D58B77
SetWindowTextW.USER32(?,00000000), ref: 00D58C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00D58C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00D58CFF

Strings

@GUI_DROPID, xrefs: 00D58C51
@GUI_DRAGFILE, xrefs: 00D58C9A

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 4a57ac3ebc889fc910deb08dc5c968d152f7f949d0285c8525479e8060d43a23
Instruction ID: c0cc5c52a8e39ac9180ba3b2a9d38c7dc38abea1efa9140f8185d144997509d5
Opcode Fuzzy Hash: 4a57ac3ebc889fc910deb08dc5c968d152f7f949d0285c8525479e8060d43a23
Instruction Fuzzy Hash: 6B517974104304AFDB00EF24D89AFAA77E4EB88715F00062DF996A72E1DB709948DB72

Function 00D3C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00D3C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D3C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00D3C2CA
GetLastError.KERNEL32 ref: 00D3C322
SetEvent.KERNEL32(?), ref: 00D3C336
InternetCloseHandle.WININET(00000000), ref: 00D3C341

Strings

, xrefs: 00D3C2BB

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 20628009596aa273e5a18731e7a1df27f6363ee52d3eb27dd95c1d020704d3c3
Instruction ID: 8957b868fb82a69e8b3e458d1d300461216e3059db6af567a9000d8cf33047bc
Opcode Fuzzy Hash: 20628009596aa273e5a18731e7a1df27f6363ee52d3eb27dd95c1d020704d3c3
Instruction Fuzzy Hash: F0316BB1620308AFD7219F648C88AAB7BFCEB49744F14951EF886E2210DB30DD059B71

Function 00D2989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00D03AAF,?,?,Bad directive syntax error,00D5CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00D298BC
LoadStringW.USER32(00000000,?,00D03AAF,?), ref: 00D298C3

Part of subcall function 00CC9CB3: _wcslen.LIBCMT ref: 00CC9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00D29987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 00D298F1
Line %d (File "%s"):, xrefs: 00D2992D
., xrefs: 00D2996D
Line %d:, xrefs: 00D29912
Error: , xrefs: 00D29955

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 7d4f2d2f345a908e9a027fdbab9161dab765a86cd8796a5e1cbe7929d84e3066
Instruction ID: 1f36eb2e35d1674888641b23d2371c4ab86bbb1da254ee7c98695758a4f76a39
Opcode Fuzzy Hash: 7d4f2d2f345a908e9a027fdbab9161dab765a86cd8796a5e1cbe7929d84e3066
Instruction Fuzzy Hash: 4C216B32D4435ABFCF11AF90DC1AEEE7735FF28305F08542AF515660A2EA319658EB20

Function 00D2209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00D220AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00D220C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00D2214D

Strings

SHELLDLL_DefView, xrefs: 00D220CC
smallicons, xrefs: 00D22115
details, xrefs: 00D220FB
largeicons, xrefs: 00D220E1
list, xrefs: 00D2212F

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 4d62c9f7b65a0caee4cc34bb25ffc83f5ab3f93f816e98f2bd77b139487de663
Instruction ID: 8e32cec0cf9257df1b6e04ed81f0f0b00cdbc076e9ffd3b9ee41b017c7781368
Opcode Fuzzy Hash: 4d62c9f7b65a0caee4cc34bb25ffc83f5ab3f93f816e98f2bd77b139487de663
Instruction Fuzzy Hash: 5D11067A688717BDF6163621FC07DF6379CDF25728B200126FB04A50E5FE61A8256638

Function 00CFCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00CFCEB7
_free.LIBCMT ref: 00CFCF22
_free.LIBCMT ref: 00CFCF48
_free.LIBCMT ref: 00CFCF71
_free.LIBCMT ref: 00CFCFA9
_free.LIBCMT ref: 00CFCFDA
_free.LIBCMT ref: 00CFD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00CFD09C
_free.LIBCMT ref: 00CFD0B5

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 656fe7c1a5c2de22b818af1285d5e2dc36681b1ee111573f7445f3118575855c
Instruction ID: ac137192632e38e2fdb92dd1fc3b9f220718addceee64adf00ead374e5b2bf1f
Opcode Fuzzy Hash: 656fe7c1a5c2de22b818af1285d5e2dc36681b1ee111573f7445f3118575855c
Instruction Fuzzy Hash: 01615871A0430DAFDBA1AFF4A9C1A7ABBA5EF01310F04416EFB11D7281DB319E019762

Function 00D550D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00D55186
ShowWindow.USER32(?,00000000), ref: 00D551C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00D551CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00D551D1

Part of subcall function 00D56FBA: DeleteObject.GDI32(00000000), ref: 00D56FE6

GetWindowLongW.USER32(?,000000F0), ref: 00D5520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D5521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00D5524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00D55287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00D55296

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 4ed73c322882c6b20402f4e87dca7fee6902aa373828aa75156ca8716ececb8b
Instruction ID: e8bc484fa37104933901f1c98a2b4213f85f1397190c1c167e59dffeb65954f8
Opcode Fuzzy Hash: 4ed73c322882c6b20402f4e87dca7fee6902aa373828aa75156ca8716ececb8b
Instruction Fuzzy Hash: 9751B530A50B09BEEF229F24EC55F983BA1EB05323F144012FE19962E4C771A988DF71

Function 00CD8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00D16890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00D168A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00D168B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00D168D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00D168F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00CD8874,00000000,00000000,00000000,000000FF,00000000), ref: 00D16901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00D1691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00CD8874,00000000,00000000,00000000,000000FF,00000000), ref: 00D1692D

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 862db06a6a76b4645a9d1e04150530d0610304e55e2cf8502fe2a5af781a7b6f
Instruction ID: 5cd57d9b7e8b1e5112882c3191f0a0678f902c83c6e4f8d2bdc56ce4f5e74d9b
Opcode Fuzzy Hash: 862db06a6a76b4645a9d1e04150530d0610304e55e2cf8502fe2a5af781a7b6f
Instruction Fuzzy Hash: 75518574600309BFDB20CF25DC91FAA7BB5EB48751F14451AFA22D62A0DB70EA90DB60

Function 00D3C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00D3C182
GetLastError.KERNEL32 ref: 00D3C195
SetEvent.KERNEL32(?), ref: 00D3C1A9

Part of subcall function 00D3C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00D3C272
Part of subcall function 00D3C253: GetLastError.KERNEL32 ref: 00D3C322
Part of subcall function 00D3C253: SetEvent.KERNEL32(?), ref: 00D3C336
Part of subcall function 00D3C253: InternetCloseHandle.WININET(00000000), ref: 00D3C341

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 41c1f04939d7d161542a6798b15ce8c5cf1a13bcb1ca1c28a3113b942a713a11
Instruction ID: 43ee43f34d5d25ceae4ebd471a8603201c7a148916f1bb41368a67cc9e6b50de
Opcode Fuzzy Hash: 41c1f04939d7d161542a6798b15ce8c5cf1a13bcb1ca1c28a3113b942a713a11
Instruction Fuzzy Hash: 7A316775220705AFDB219FA59C44A6BBBE8FF18341F04642DF95AE6620D730E814EBB4

Function 00D225A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D23A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D23A57
Part of subcall function 00D23A3D: GetCurrentThreadId.KERNEL32 ref: 00D23A5E
Part of subcall function 00D23A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00D225B3), ref: 00D23A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00D225BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00D225DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00D225DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00D225E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00D22601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00D22605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00D2260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00D22623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00D22627

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: e354394d001821cfe6058ca68b2af61f0611bf11a0ce218b9f8cc56e48e790ac
Instruction ID: d2129a01a562dbb02f159f4430446e307db34e95c4195528c79385ea39958477
Opcode Fuzzy Hash: e354394d001821cfe6058ca68b2af61f0611bf11a0ce218b9f8cc56e48e790ac
Instruction Fuzzy Hash: B001D831390720BBFB1067689C8AF593F99DB5EB16F101011F754EE1E1CDE154448A79

Function 00D21803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00D21449,?,?,00000000), ref: 00D2180C
HeapAlloc.KERNEL32(00000000,?,00D21449,?,?,00000000), ref: 00D21813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00D21449,?,?,00000000), ref: 00D21828
GetCurrentProcess.KERNEL32(?,00000000,?,00D21449,?,?,00000000), ref: 00D21830
DuplicateHandle.KERNEL32(00000000,?,00D21449,?,?,00000000), ref: 00D21833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00D21449,?,?,00000000), ref: 00D21843
GetCurrentProcess.KERNEL32(00D21449,00000000,?,00D21449,?,?,00000000), ref: 00D2184B
DuplicateHandle.KERNEL32(00000000,?,00D21449,?,?,00000000), ref: 00D2184E
CreateThread.KERNEL32(00000000,00000000,00D21874,00000000,00000000,00000000), ref: 00D21868

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: e6e38b4681e5cca433451a0513a5b14bd3a21ff5a8c6dba7bb3c9c021df6e55c
Instruction ID: 366e6d3f64a4129c4b273cb3bbaa04dfe8a9602da87085114919c71004200b4e
Opcode Fuzzy Hash: e6e38b4681e5cca433451a0513a5b14bd3a21ff5a8c6dba7bb3c9c021df6e55c
Instruction Fuzzy Hash: 3E01BBB5650708BFE710ABB5DC4DF6B7BACEB89B11F009411FA15DB2A1CA709840CB30

Function 00D4A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00D2D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00D2D501
Part of subcall function 00D2D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00D2D50F
Part of subcall function 00D2D4DC: CloseHandle.KERNEL32(00000000), ref: 00D2D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D4A16D
GetLastError.KERNEL32 ref: 00D4A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D4A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00D4A268
GetLastError.KERNEL32(00000000), ref: 00D4A273
CloseHandle.KERNEL32(00000000), ref: 00D4A2C4

Strings

SeDebugPrivilege, xrefs: 00D4A18F

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 7fe6a2730626c9ca21ecd10aacba1dc70375a48323abe3c8f9866ae5c52e2e1e
Instruction ID: 19254fe426884796e3ef58a9d709bafca05657746383a8e569b949963d80255b
Opcode Fuzzy Hash: 7fe6a2730626c9ca21ecd10aacba1dc70375a48323abe3c8f9866ae5c52e2e1e
Instruction Fuzzy Hash: B2616C302443429FD710DF18C4D4F1ABBA1AF54318F18849CE46A8B7A2C7B2ED46DBA6

Function 00D53886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00D53925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00D5393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00D53954
_wcslen.LIBCMT ref: 00D53999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00D539C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00D539F4

Strings

SysListView32, xrefs: 00D538F7

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: c266ef1c4fd52b22f67058f7eaa5475ac42fce0304a39a05de2b454c064012f3
Instruction ID: 1c6313eab5726b38c72297ddd028ac32bc471498a725281a3581a93d7f082405
Opcode Fuzzy Hash: c266ef1c4fd52b22f67058f7eaa5475ac42fce0304a39a05de2b454c064012f3
Instruction Fuzzy Hash: 4A418471A00319ABEF219F64CC45BEA7BA9EF08391F140526FD58E7291D771DA84CFA0

Function 00D2BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D2BCFD
IsMenu.USER32(00000000), ref: 00D2BD1D
CreatePopupMenu.USER32 ref: 00D2BD53
GetMenuItemCount.USER32(019B67E0), ref: 00D2BDA4
InsertMenuItemW.USER32(019B67E0,?,00000001,00000030), ref: 00D2BDCC

Strings

0, xrefs: 00D2BCA8
2, xrefs: 00D2BD37

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 4e8b421a8e876fdecef7ce91f002a5a92fd6f1426f666902877445b139ff0ca8
Instruction ID: 02d7caf217f712ba2a836d23150bedff6e71bf2358766d0d7f383b6b8834e888
Opcode Fuzzy Hash: 4e8b421a8e876fdecef7ce91f002a5a92fd6f1426f666902877445b139ff0ca8
Instruction Fuzzy Hash: CF5190706003259BDB10DFA8E884BEEBBF4FF65328F18415AE852D7291E7B09945CB71

Function 00D2C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00D2C913

Strings

question, xrefs: 00D2C8CC
warning, xrefs: 00D2C8FC
info, xrefs: 00D2C8B4
blank, xrefs: 00D2C895
stop, xrefs: 00D2C8E4

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: d6c7616dca00f2a29578bff06eed8cebcbc48a9125673e82120226de71de5d00
Instruction ID: 55784a8672b0d59b51a729fce895f4e7066416d2391dd138e1806446bca0e0ce
Opcode Fuzzy Hash: d6c7616dca00f2a29578bff06eed8cebcbc48a9125673e82120226de71de5d00
Instruction Fuzzy Hash: 08113D31699316BEE7046B55BC83CAE679CDF3537EB20103AF500A6282D7B0DE4067B8

Function 00D2ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00D2ED2A
_wcslen.LIBCMT ref: 00D2ED3B
_wcslen.LIBCMT ref: 00D2ED79
_wcslen.LIBCMT ref: 00D2EDAF
_wcslen.LIBCMT ref: 00D2EDDF
_wcslen.LIBCMT ref: 00D2EDEF
_wcslen.LIBCMT ref: 00D2EE2B
_wcslen.LIBCMT ref: 00D2EE5A

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 41589b06cdb17f1d4bc58cf70ca84a02241ccca0f08030b4d60b3f01e2ba8b57
Instruction ID: 522da7ef4489ae47f6dab847601deda5c1f35a756e46739302557508ecc083d4
Opcode Fuzzy Hash: 41589b06cdb17f1d4bc58cf70ca84a02241ccca0f08030b4d60b3f01e2ba8b57
Instruction Fuzzy Hash: 6C41AE65C1026876CB11EBB5C88A9CFB7ACAF55310F508462FA18F3122FB34E645D3E6

Function 00CDF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00D1682C,00000004,00000000,00000000), ref: 00CDF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00D1682C,00000004,00000000,00000000), ref: 00D1F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00D1682C,00000004,00000000,00000000), ref: 00D1F454

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: f6e11a59fce4ac53a83f3121a53598975f1015e7b274d191586ffc7bf631165e
Instruction ID: 5a4972f571b340f310a17f4c860637c7d02a2b0b33f874ad857eb5cc95741bcd
Opcode Fuzzy Hash: f6e11a59fce4ac53a83f3121a53598975f1015e7b274d191586ffc7bf631165e
Instruction Fuzzy Hash: 48414E30908780BEC7398B29D8A876A7B91BB46310F14403FE6A796761CB3199C2CB31

Function 00D52D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00D52D1B
GetDC.USER32(00000000), ref: 00D52D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D52D2E
ReleaseDC.USER32(00000000,00000000), ref: 00D52D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00D52D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00D52D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00D55A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00D52DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00D52DE1

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: af564550222b8aa90794dbf9c85b715517ba911e96df9fdadddf879368d23dd9
Instruction ID: 6db2f4a44f15289f1939e56c8db0cd47faced31a5edb65a1de173c836322fc30
Opcode Fuzzy Hash: af564550222b8aa90794dbf9c85b715517ba911e96df9fdadddf879368d23dd9
Instruction Fuzzy Hash: D9317A72211314AFEF118F548C8AFBB3BA9EB0A752F084055FE08DA2A1C6759844CBB0

Function 00D25622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00D25637
_memcmp.LIBVCRUNTIME ref: 00D25659
_memcmp.LIBVCRUNTIME ref: 00D25671
_memcmp.LIBVCRUNTIME ref: 00D25684
_memcmp.LIBVCRUNTIME ref: 00D2569E
_memcmp.LIBVCRUNTIME ref: 00D256B1
_memcmp.LIBVCRUNTIME ref: 00D256C9
_memcmp.LIBVCRUNTIME ref: 00D256E4

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c88ee7c3414eae9cf2ac052b89563e82bcecb838f93ec2c3836a04d94a03ce2d
Instruction ID: 1409fc8db022cdff4cc4c966ec297ef63615447c52fc9d26f6e842657613efca
Opcode Fuzzy Hash: c88ee7c3414eae9cf2ac052b89563e82bcecb838f93ec2c3836a04d94a03ce2d
Instruction Fuzzy Hash: 1721AA716419657BD61496117D82FBB335CAF3138AF4C0030FD055E549F731ED2891B5

Function 00D44FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00D4502E, 00D45383
Not an Object type, xrefs: 00D45007

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: e6fce7235c05225ff20039cb4a47cddd951e35f74afe4afeae9c81ad114a5faf
Instruction ID: a365845344f7180acb98337fabf0be459f26e3f1a8bb0ac96f83662fb5e11e66
Opcode Fuzzy Hash: e6fce7235c05225ff20039cb4a47cddd951e35f74afe4afeae9c81ad114a5faf
Instruction Fuzzy Hash: 88D1B075A0070AAFDF10CF98D884BAEB7B5BF48344F188069E915AB286D771DD45CBB0

Function 00D01522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00D017FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00D015CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00D017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00D01651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00D017FB,?,00D017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00D016E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00D017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00D016FB

Part of subcall function 00CF3820: RtlAllocateHeap.NTDLL(00000000,?,00D91444,?,00CDFDF5,?,?,00CCA976,00000010,00D91440,00CC13FC,?,00CC13C6,?,00CC1129), ref: 00CF3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00D017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00D01777
__freea.LIBCMT ref: 00D017A2
__freea.LIBCMT ref: 00D017AE

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: e15a6c9a43b5af68e9b5c61b87fa41f94fcf3ad1d62bacd2fa199160cac6ba9c
Instruction ID: c7070a5aff1f9b6a7f39c29fecbff2aa2fe565aa4b3481fab91f8131935c2f97
Opcode Fuzzy Hash: e15a6c9a43b5af68e9b5c61b87fa41f94fcf3ad1d62bacd2fa199160cac6ba9c
Instruction Fuzzy Hash: 2E91A279E102169EDB208EA4CC85BEE7BB5EF89310F584659E909EB2C1DB35DC44CB70

Function 00D44523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D44648
VariantInit.OLEAUT32(?), ref: 00D44749
VariantClear.OLEAUT32(?), ref: 00D44753
VariantClear.OLEAUT32(?), ref: 00D447B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00D4472C
Null Object assignment in FOR..IN loop, xrefs: 00D445D8, 00D44706, 00D447BE

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: f5d5766dbaa7f37e740857837eaeb5239a8e400729e9f765b1b2c79837319a0d
Instruction ID: 9f59e261393de624a30d5065c0e1b573d7a89dce0175d580ba626680ab04d80f
Opcode Fuzzy Hash: f5d5766dbaa7f37e740857837eaeb5239a8e400729e9f765b1b2c79837319a0d
Instruction Fuzzy Hash: BC917071A00219AFDF20CFA5C888FAEBBB8EF46715F148559F515AB280D7709985CFB0

Function 00D31187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00D3125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00D31284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00D312A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00D312D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00D3135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00D313C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00D31430

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 58e7f3c0e069bab1bd09a2c32bbb3d684ef7667733ba438a4d23377fc55c6e1b
Instruction ID: 39aea9b5861084de7fb6ef3ae9fa88449f020981d1f540198c1724d376399188
Opcode Fuzzy Hash: 58e7f3c0e069bab1bd09a2c32bbb3d684ef7667733ba438a4d23377fc55c6e1b
Instruction Fuzzy Hash: 1D91CE79A0030AAFDB00DFA8C885BBEB7B5FF44325F144029E951EB291D774A945CBB4

Function 00CD948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 32b3a5ac066e2eafdec4ac5cbbac48dd76d3bc191e4bf0b9e23c17295fd7ed16
Instruction ID: 708668e7c3494867f16057c70936ecb61feca5f21deb067a9a7acb7e5f3f1dee
Opcode Fuzzy Hash: 32b3a5ac066e2eafdec4ac5cbbac48dd76d3bc191e4bf0b9e23c17295fd7ed16
Instruction Fuzzy Hash: BE912775D00219EFCB10CFA9DC84AEEBBB8FF49320F14415AE915B7251D774AA42DB60

Function 00D43947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D4396B
CharUpperBuffW.USER32(?,?), ref: 00D43A7A
_wcslen.LIBCMT ref: 00D43A8A
VariantClear.OLEAUT32(?), ref: 00D43C1F

Part of subcall function 00D30CDF: VariantInit.OLEAUT32(00000000), ref: 00D30D1F
Part of subcall function 00D30CDF: VariantCopy.OLEAUT32(?,?), ref: 00D30D28
Part of subcall function 00D30CDF: VariantClear.OLEAUT32(?), ref: 00D30D34

Strings

Incorrect Parameter format, xrefs: 00D439A6, 00D43BA1
AUTOIT.ERROR, xrefs: 00D43A80, 00D43A85

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 04514157018e61b4157004c0dc2dc894e7c1ea0cf288ab85ec5818f96412dbb8
Instruction ID: ee1f633b6f2f31e24ab0e747e44d17ad1e780dcdfeb3c1c0a0f560b47dd37afc
Opcode Fuzzy Hash: 04514157018e61b4157004c0dc2dc894e7c1ea0cf288ab85ec5818f96412dbb8
Instruction Fuzzy Hash: E99157746083459FC704EF28C48596AB7E5FF88314F14892DF88A9B351DB31EE45CBA2

Function 00D44BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00D2000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D1FF41,80070057,?,?,?,00D2035E), ref: 00D2002B
Part of subcall function 00D2000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D1FF41,80070057,?,?), ref: 00D20046
Part of subcall function 00D2000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D1FF41,80070057,?,?), ref: 00D20054
Part of subcall function 00D2000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D1FF41,80070057,?), ref: 00D20064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00D44C51
_wcslen.LIBCMT ref: 00D44D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00D44DCF
CoTaskMemFree.OLE32(?), ref: 00D44DDA

Strings

NULL Pointer assignment, xrefs: 00D44E23, 00D44E52

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 6911ff1789b255cb841180a698a1a3356319a671366d8e94fe907f692c84f367
Instruction ID: 2c64369472007333a8d068124edbf88d985f98112b76ee63e3376158387a9e6e
Opcode Fuzzy Hash: 6911ff1789b255cb841180a698a1a3356319a671366d8e94fe907f692c84f367
Instruction Fuzzy Hash: F4910471D0021DAFDF14DFA4D891EEEBBB9FF08314F108169E915A7291EB309A449FA0

Function 00D520FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00D52183
GetMenuItemCount.USER32(00000000), ref: 00D521B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00D521DD
_wcslen.LIBCMT ref: 00D52213
GetMenuItemID.USER32(?,?), ref: 00D5224D
GetSubMenu.USER32(?,?), ref: 00D5225B

Part of subcall function 00D23A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D23A57
Part of subcall function 00D23A3D: GetCurrentThreadId.KERNEL32 ref: 00D23A5E
Part of subcall function 00D23A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00D225B3), ref: 00D23A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00D522E3

Part of subcall function 00D2E97B: Sleep.KERNEL32 ref: 00D2E9F3

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: f3c9b2ed3b385d431714cc7c374f88cfd36e4c73c9607cef4aeb2d6070872446
Instruction ID: 60391ed3bf93beb8f64dbd6fb049669bd5171dda9b87802c700f07cd90262266
Opcode Fuzzy Hash: f3c9b2ed3b385d431714cc7c374f88cfd36e4c73c9607cef4aeb2d6070872446
Instruction Fuzzy Hash: 87717B75A00205AFCF14DFA8C881ABEB7F1EF49311F148459ED56EB351DB34EA498BA0

Function 00D57E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(019B68A8), ref: 00D57F37
IsWindowEnabled.USER32(019B68A8), ref: 00D57F43
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00D5801E
SendMessageW.USER32(019B68A8,000000B0,?,?), ref: 00D58051
IsDlgButtonChecked.USER32(?,?), ref: 00D58089
GetWindowLongW.USER32(019B68A8,000000EC), ref: 00D580AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00D580C3

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 6f6e6d48fe773c4b73b8fdab8ec45e809549287c1cb43e1911f60be60afffb4e
Instruction ID: 0a9f93dcc805d97e4139c404d52c12d1ba4bb8105629a9e62a06b6ef62458f4b
Opcode Fuzzy Hash: 6f6e6d48fe773c4b73b8fdab8ec45e809549287c1cb43e1911f60be60afffb4e
Instruction Fuzzy Hash: 2C717C34608304AFEF21DF64D884FAABBB5EF09342F284459ED55973A1CB31A949DB30

Function 00D2AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00D2AEF9
GetKeyboardState.USER32(?), ref: 00D2AF0E
SetKeyboardState.USER32(?), ref: 00D2AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00D2AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00D2AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00D2AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00D2B020

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: a8057a9963ceca52f3b1660eb866c61e44f14635e936e03332d9a322661c0f05
Instruction ID: 9cccca0eaa47e9b8561d2fad0f63c74684ba54a802ac06c6a5c11c86524ff6b7
Opcode Fuzzy Hash: a8057a9963ceca52f3b1660eb866c61e44f14635e936e03332d9a322661c0f05
Instruction Fuzzy Hash: FB51C1A06047E53EFB3642389945BBABFE99F16318F0C848AF1E5954D2C3D8AC84D771

Function 00D2ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00D2AD19
GetKeyboardState.USER32(?), ref: 00D2AD2E
SetKeyboardState.USER32(?), ref: 00D2AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00D2ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00D2ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00D2AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00D2AE38

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8419ac3ad92f644db039d7a6590e5c6a9fc75b4f634d607d9457c3320523a53b
Instruction ID: 66adfd66176f6c0b911be24455bd6da640ccb0fca51aa28eab2e13c39afe1eae
Opcode Fuzzy Hash: 8419ac3ad92f644db039d7a6590e5c6a9fc75b4f634d607d9457c3320523a53b
Instruction Fuzzy Hash: 8251E3A16047F13EFB3282289C55B7ABEA8DF56308F0C8489F1D5568C2D294EC89D772

Function 00CF542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00D03CD6,?,?,?,?,?,?,?,?,00CF5BA3,?,?,00D03CD6,?,?), ref: 00CF5470
__fassign.LIBCMT ref: 00CF54EB
__fassign.LIBCMT ref: 00CF5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00D03CD6,00000005,00000000,00000000), ref: 00CF552C
WriteFile.KERNEL32(?,00D03CD6,00000000,00CF5BA3,00000000,?,?,?,?,?,?,?,?,?,00CF5BA3,?), ref: 00CF554B
WriteFile.KERNEL32(?,?,00000001,00CF5BA3,00000000,?,?,?,?,?,?,?,?,?,00CF5BA3,?), ref: 00CF5584

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: bd98601249f803339d49cf46634caea652a9191393683fbcf9c8ee92bcbe9238
Instruction ID: 6d1908efc2c8b814a9d2663f485430cc0a2deee0af2a93c0153c2db489bc7c23
Opcode Fuzzy Hash: bd98601249f803339d49cf46634caea652a9191393683fbcf9c8ee92bcbe9238
Instruction Fuzzy Hash: 445190B1A00749AFDB11CFA8D885AEEBBF9EF09300F14415AFB55E7291D7309A41CB61

Function 00CE2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00CE2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00CE2D53
_ValidateLocalCookies.LIBCMT ref: 00CE2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00CE2E0C
_ValidateLocalCookies.LIBCMT ref: 00CE2E61

Strings

csm, xrefs: 00CE2DF6

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 11159bd4e92059ebadc47fbd60c5ec065ae23d199b8cb41fbc0937f9ea534106
Instruction ID: cdfc75d1cb8a5d8d490bef5d1fc4e583e5596c4dbeff3172f102a39ee82d7ff2
Opcode Fuzzy Hash: 11159bd4e92059ebadc47fbd60c5ec065ae23d199b8cb41fbc0937f9ea534106
Instruction Fuzzy Hash: 78417334A00299DBCF10DF6ACC45B9EBBA9BF45314F148155E914AB392D771AB05CBE0

Function 00D410B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D4304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00D4307A
Part of subcall function 00D4304E: _wcslen.LIBCMT ref: 00D4309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00D41112
WSAGetLastError.WSOCK32 ref: 00D41121
WSAGetLastError.WSOCK32 ref: 00D411C9
closesocket.WSOCK32(00000000), ref: 00D411F9

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 6e3745fada624a700eb6c8797158e26a373030b6effaf188e5401a853168a319
Instruction ID: 82110ae4e91c221279df731a162255f183047fa83c3f0a6dcdfd9586aeff2b4f
Opcode Fuzzy Hash: 6e3745fada624a700eb6c8797158e26a373030b6effaf188e5401a853168a319
Instruction Fuzzy Hash: 0C41DE35600304AFDB109F68C884BAABBA9EF45364F188059FD49AB391C770ED81CBB0

Function 00D2CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D2DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00D2CF22,?), ref: 00D2DDFD

Part of subcall function 00D2DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00D2CF22,?), ref: 00D2DE16

lstrcmpiW.KERNEL32(?,?), ref: 00D2CF45
MoveFileW.KERNEL32(?,?), ref: 00D2CF7F
_wcslen.LIBCMT ref: 00D2D005
_wcslen.LIBCMT ref: 00D2D01B
SHFileOperationW.SHELL32(?), ref: 00D2D061

Strings

\*.*, xrefs: 00D2CFF3

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: e6b4805b2d7274b646e9ea2d969a6120402c360b19bb02ad4ccb838cad5ceb19
Instruction ID: 7b2e065449ff3576e636198415e727b52224ce2537c0b30aba892792b32fdecf
Opcode Fuzzy Hash: e6b4805b2d7274b646e9ea2d969a6120402c360b19bb02ad4ccb838cad5ceb19
Instruction Fuzzy Hash: 5141A7718062285FDF12EFA0DA81EDDB7B9EF18344F0400E6E545EB141EB34AA44CB70

Function 00D52DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00D52E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00D52E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00D52E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00D52EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00D52EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00D52EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00D52F0B

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 034743d2180a1f5cca834ce3df46d164cfe1e636b51e30dfa0fa827be09594ce
Instruction ID: 8f3bd1b6ed62cc6f1f60ce1d121a1b7777755344a447f31144308aeaa52e0bb5
Opcode Fuzzy Hash: 034743d2180a1f5cca834ce3df46d164cfe1e636b51e30dfa0fa827be09594ce
Instruction Fuzzy Hash: 9A31F234604351AFDF218F58EC86F6537E1EB9A712F191165FD20CB2B1CB71A8489B61

Function 00D27726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D27769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D2778F
SysAllocString.OLEAUT32(00000000), ref: 00D27792
SysAllocString.OLEAUT32(?), ref: 00D277B0
SysFreeString.OLEAUT32(?), ref: 00D277B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00D277DE
SysAllocString.OLEAUT32(?), ref: 00D277EC

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: b8ed73b7c270a457b4e8da32aa9bcd161d6bc8e7198ab42ace433f9a0c874399
Instruction ID: 27a8f7d99de4b961566500eab5606ac58fb87a0d7aec080a4ba813752ebdaadf
Opcode Fuzzy Hash: b8ed73b7c270a457b4e8da32aa9bcd161d6bc8e7198ab42ace433f9a0c874399
Instruction Fuzzy Hash: 11218E76604329AFDB20DFA8DC88CBB77ACFB19768B048025BE15DB250D670EC4187B0

Function 00D277FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D27842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D27868
SysAllocString.OLEAUT32(00000000), ref: 00D2786B
SysAllocString.OLEAUT32 ref: 00D2788C
SysFreeString.OLEAUT32 ref: 00D27895
StringFromGUID2.OLE32(?,?,00000028), ref: 00D278AF
SysAllocString.OLEAUT32(?), ref: 00D278BD

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 233ebd5f7b74e084e2b8a5c93c50f5e88db8ae47b5a4a33ad2ccdce7c0e600cf
Instruction ID: c15b17aa0facd9ece2e0f5c4375795e9d4d457d99044ae102fa4bed53b19c22f
Opcode Fuzzy Hash: 233ebd5f7b74e084e2b8a5c93c50f5e88db8ae47b5a4a33ad2ccdce7c0e600cf
Instruction Fuzzy Hash: A9217435608324AFDB209FA9DC88DAAB7ECEB197647148125F915CB2A1D670EC41CB74

Function 00D304D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00D304F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00D3052E

Strings

nul, xrefs: 00D30567

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: ddbca40f98b05aa99fbc3f934e3034277c0e6bdf01f4d15a0bd7b386406bc580
Instruction ID: 4b239251d760adcbf1c0f68aa55edd471bc53bc5c9cfc4220dd54b6b3d85bf4d
Opcode Fuzzy Hash: ddbca40f98b05aa99fbc3f934e3034277c0e6bdf01f4d15a0bd7b386406bc580
Instruction Fuzzy Hash: A7213975600305AFDB209F69DC54A9A7BB8AF44725F244A19FCA1E62E0E770D980CF30

Function 00D305A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00D305C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00D30601

Strings

nul, xrefs: 00D30639

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 63fea80016cb721a34e1a675a10fb9ec496948b8f101973ecb0256e3efe987b3
Instruction ID: 06a52c42835af30e7b47d218fa439ddc47e8740e27b1f1769f592bd2c8024bff
Opcode Fuzzy Hash: 63fea80016cb721a34e1a675a10fb9ec496948b8f101973ecb0256e3efe987b3
Instruction Fuzzy Hash: E72192755003059FDB209F69CC15A9A7BE8BF95B30F240A19FCA1E72E4D7709860CB34

Function 00D540AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00CC604C
Part of subcall function 00CC600E: GetStockObject.GDI32(00000011), ref: 00CC6060
Part of subcall function 00CC600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00CC606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00D54112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00D5411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00D5412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00D54139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00D54145

Strings

Msctls_Progress32, xrefs: 00D540E3

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 3c6663fb59a2b1d188e0c6cd45242fac8bc56ed0775bb674f5ae5c3903e92ae2
Instruction ID: b9cabe07f193b29aba8e52d86e31ee89a94e62e3bc60a059c3bb61830a83c453
Opcode Fuzzy Hash: 3c6663fb59a2b1d188e0c6cd45242fac8bc56ed0775bb674f5ae5c3903e92ae2
Instruction Fuzzy Hash: 131190B215021ABEEF119E64CC85EE77F9DEF08798F104111BA18A2190C672DC619BB4

Function 00CFD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CFD7A3: _free.LIBCMT ref: 00CFD7CC

_free.LIBCMT ref: 00CFD82D

Part of subcall function 00CF29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CFD7D1,00000000,00000000,00000000,00000000,?,00CFD7F8,00000000,00000007,00000000,?,00CFDBF5,00000000), ref: 00CF29DE
Part of subcall function 00CF29C8: GetLastError.KERNEL32(00000000,?,00CFD7D1,00000000,00000000,00000000,00000000,?,00CFD7F8,00000000,00000007,00000000,?,00CFDBF5,00000000,00000000), ref: 00CF29F0

_free.LIBCMT ref: 00CFD838
_free.LIBCMT ref: 00CFD843
_free.LIBCMT ref: 00CFD897
_free.LIBCMT ref: 00CFD8A2
_free.LIBCMT ref: 00CFD8AD
_free.LIBCMT ref: 00CFD8B8

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: c400212218748222acf8afd91bc486243862bf105f8251d3bcb0054b7303f51e
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: AE115171580B0CAAD5A1BFB0CC47FEB7BDD6F00700F400826B39AEA0A2DA65B6056652

Function 00D2DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00D2DA74
LoadStringW.USER32(00000000), ref: 00D2DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00D2DA91
LoadStringW.USER32(00000000), ref: 00D2DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00D2DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00D2DAB9

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 4758bac903d442176d62c972412ba125f6b5b86358aff25cf07d9c8986272190
Instruction ID: 6a880e01339e33890e1b0b7d74c12019a59796e9d7dd26da7b442ccdce690d01
Opcode Fuzzy Hash: 4758bac903d442176d62c972412ba125f6b5b86358aff25cf07d9c8986272190
Instruction Fuzzy Hash: A50162F25103187FE710ABA49D89EEB726CE718306F405491BB46E2141EA749E848F74

Function 00D3096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(019AFFB0,019AFFB0), ref: 00D3097B
EnterCriticalSection.KERNEL32(019AFF90,00000000), ref: 00D3098D
TerminateThread.KERNEL32(00000000,000001F6), ref: 00D3099B
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00D309A9
CloseHandle.KERNEL32(00000000), ref: 00D309B8
InterlockedExchange.KERNEL32(019AFFB0,000001F6), ref: 00D309C8
LeaveCriticalSection.KERNEL32(019AFF90), ref: 00D309CF

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 0bc305b87454643f11019823c1916cc276c3f8ac05b7b6050be5a920e47a6b08
Instruction ID: 61b76563169fd062289229672b2db7c57e33fd153ed1d24f81555d5d20d98af5
Opcode Fuzzy Hash: 0bc305b87454643f11019823c1916cc276c3f8ac05b7b6050be5a920e47a6b08
Instruction Fuzzy Hash: 2CF01932552B02AFD7415BA4EE88BDABA29FF01702F442025F602909A0CB7494A5CFB4

Function 00D41C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00D41DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00D41DE1
WSAGetLastError.WSOCK32 ref: 00D41DF2
htons.WSOCK32(?,?,?,?,?), ref: 00D41EDB
inet_ntoa.WSOCK32(?), ref: 00D41E8C

Part of subcall function 00D239E8: _strlen.LIBCMT ref: 00D239F2

Part of subcall function 00D43224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00D3EC0C), ref: 00D43240

_strlen.LIBCMT ref: 00D41F35

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: aa7715ca36f2d2bb2cdf4c83f714c498a60e35b71b1656391a86018728edd1ce
Instruction ID: bc02b41b61aa239de58ed3a7628bbb0a54480bb067cef65bb355331ea6a26011
Opcode Fuzzy Hash: aa7715ca36f2d2bb2cdf4c83f714c498a60e35b71b1656391a86018728edd1ce
Instruction Fuzzy Hash: 02B1BE35604340AFC324DF24C885F2ABBE5AF84318F58895CF5565B2E2DB31ED86CBA1

Function 00CC5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00CC5D30
GetWindowRect.USER32(?,?), ref: 00CC5D71
ScreenToClient.USER32(?,?), ref: 00CC5D99
GetClientRect.USER32(?,?), ref: 00CC5ED7
GetWindowRect.USER32(?,?), ref: 00CC5EF8

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 3812ce1ad4b0ebb782c38d09d0d42f9aaa2a0501bfd8ca1f82687490fc74d197
Instruction ID: 527bbe399809af74fb72412a10dd1f7cfc28ab0e36f1d841ffef4248455ed892
Opcode Fuzzy Hash: 3812ce1ad4b0ebb782c38d09d0d42f9aaa2a0501bfd8ca1f82687490fc74d197
Instruction Fuzzy Hash: 9BB16D74A0074ADBDB14CFA9C440BEAB7F1FF54310F14941EE8A9D7290DB34AA91DB60

Function 00CF01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00CF00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CF00D6
__allrem.LIBCMT ref: 00CF00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CF010B
__allrem.LIBCMT ref: 00CF0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CF0140

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 7bad521b8578de0ba09b1ac61b7d53d2d81427b63e854a32f92ce186e78e15ad
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: A6810872600B0A9BE7249F69CC42B7E73E9EF41724F24853EF625D6282EB70DE019751

Function 00CF61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00CE82D9,00CE82D9,?,?,?,00CF644F,00000001,00000001,8BE85006), ref: 00CF6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00CF644F,00000001,00000001,8BE85006,?,?,?), ref: 00CF62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00CF63D8
__freea.LIBCMT ref: 00CF63E5

Part of subcall function 00CF3820: RtlAllocateHeap.NTDLL(00000000,?,00D91444,?,00CDFDF5,?,?,00CCA976,00000010,00D91440,00CC13FC,?,00CC13C6,?,00CC1129), ref: 00CF3852

__freea.LIBCMT ref: 00CF63EE
__freea.LIBCMT ref: 00CF6413

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: fdcd968183b5fc34778143aa808e21f4373ec7920ba5e3826788925e48b2f772
Instruction ID: 7b6126d06df06e7cc0c3f6a9300190fe15f2d7be1baded83bb7fc52818554c87
Opcode Fuzzy Hash: fdcd968183b5fc34778143aa808e21f4373ec7920ba5e3826788925e48b2f772
Instruction Fuzzy Hash: 5551027260021AABEB258F64CC81EBF7BA9EB44710F154229FF15D7150DB34DD48D6A2

Function 00D4BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC9CB3: _wcslen.LIBCMT ref: 00CC9CBD

Part of subcall function 00D4C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D4B6AE,?,?), ref: 00D4C9B5
Part of subcall function 00D4C998: _wcslen.LIBCMT ref: 00D4C9F1
Part of subcall function 00D4C998: _wcslen.LIBCMT ref: 00D4CA68
Part of subcall function 00D4C998: _wcslen.LIBCMT ref: 00D4CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D4BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D4BD25
RegCloseKey.ADVAPI32(00000000), ref: 00D4BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00D4BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00D4BDF3
RegCloseKey.ADVAPI32(?), ref: 00D4BDFF

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 82778bab64af150fd90167f4cc27c220f57d9ad5e50dfd52d694396c19d4b7a7
Instruction ID: 9e691ca4b521270577a438e90a8f115a0609d81929eaa4ac2cc0681e4e5b2a59
Opcode Fuzzy Hash: 82778bab64af150fd90167f4cc27c220f57d9ad5e50dfd52d694396c19d4b7a7
Instruction Fuzzy Hash: 31819F30118341AFC714DF24C885E2ABBE5FF84318F14859DF5968B2A2DB31ED45DBA2

Function 00D1F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00D1F7B9
SysAllocString.OLEAUT32(00000001), ref: 00D1F860
VariantCopy.OLEAUT32(00D1FA64,00000000), ref: 00D1F889
VariantClear.OLEAUT32(00D1FA64), ref: 00D1F8AD
VariantCopy.OLEAUT32(00D1FA64,00000000), ref: 00D1F8B1
VariantClear.OLEAUT32(?), ref: 00D1F8BB

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: c5ec7b6e922230f53b3dc608484c4d2b0641827c8d7fcb25c5f2505d71de28f2
Instruction ID: 0aea15e3dd48411ef413b665e7eb8fe87d05d88742f50c7b885ef417e322cbed
Opcode Fuzzy Hash: c5ec7b6e922230f53b3dc608484c4d2b0641827c8d7fcb25c5f2505d71de28f2
Instruction Fuzzy Hash: A851B431600310BACF24AB65E895BADB3A5EF45710F24946BE906DF291DF709C80DBB6

Function 00D3910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00CC7620: _wcslen.LIBCMT ref: 00CC7625

Part of subcall function 00CC6B57: _wcslen.LIBCMT ref: 00CC6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00D394E5
_wcslen.LIBCMT ref: 00D39506
_wcslen.LIBCMT ref: 00D3952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00D39585

Strings

X, xrefs: 00D39412

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: f4a501995ad7d6c900caa9c475b47001c55523c87a65d5450ee5f26997276a59
Instruction ID: f77bc802153b7431efd682e02197299c032179fa7565a122c6abc13b405ba24b
Opcode Fuzzy Hash: f4a501995ad7d6c900caa9c475b47001c55523c87a65d5450ee5f26997276a59
Instruction Fuzzy Hash: DFE18E716083419FC714DF24C891F6AB7E4BF85314F08896DE8899B3A2DB71DD45CBA2

Function 00CD920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00CD9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CD9BB2

BeginPaint.USER32(?,?,?), ref: 00CD9241
GetWindowRect.USER32(?,?), ref: 00CD92A5
ScreenToClient.USER32(?,?), ref: 00CD92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00CD92D3
EndPaint.USER32(?,?,?,?,?), ref: 00CD9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00D171EA

Part of subcall function 00CD9339: BeginPath.GDI32(00000000), ref: 00CD9357

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 23628e28a3eb49d1b42b434a1c7981f368d69438a7835b5e00ee7e8c925f4412
Instruction ID: 2265e5e65e5ed3821a0b1ab26e36291b7087c9c08327aa90f158a821e8ac90d1
Opcode Fuzzy Hash: 23628e28a3eb49d1b42b434a1c7981f368d69438a7835b5e00ee7e8c925f4412
Instruction Fuzzy Hash: C441AB74108301AFD711DF25D884FAA7BB8EB49321F04062AFAA4C73B1C7309985DB71

Function 00D307EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00D3080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00D30847
EnterCriticalSection.KERNEL32(?), ref: 00D30863
LeaveCriticalSection.KERNEL32(?), ref: 00D308DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00D308F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00D30921

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 977f275c383d7b55538ba0742971604625b4e5c14823fbd535b148bdc1a8e91a
Instruction ID: 555f8cf68e4250ae1c1a28c856840deb34fc83195afa1262652c6dbcdb566f9f
Opcode Fuzzy Hash: 977f275c383d7b55538ba0742971604625b4e5c14823fbd535b148bdc1a8e91a
Instruction Fuzzy Hash: 7B414771900305AFDF14AF54DC85A6ABBB9FF04310F1440A9ED05DA296DB30DE65DBB4

Function 00D581DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00D1F3AB,00000000,?,?,00000000,?,00D1682C,00000004,00000000,00000000), ref: 00D5824C
EnableWindow.USER32(00000000,00000000), ref: 00D58272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00D582D1
ShowWindow.USER32(00000000,00000004), ref: 00D582E5
EnableWindow.USER32(00000000,00000001), ref: 00D5830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00D5832F

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: b87e0fa88904462bb4c4511ddfc7a35d0e834a26446d21b227ac63ee45fc6458
Instruction ID: db645cc254412e60598b38a0782485713662c16691850b0041303b7c8032aed1
Opcode Fuzzy Hash: b87e0fa88904462bb4c4511ddfc7a35d0e834a26446d21b227ac63ee45fc6458
Instruction Fuzzy Hash: C041A134601740AFDF12CF14C899BA47BE0BB0A716F185169ED18DB262CB31A849DF74

Function 00D24C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00D24C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00D24CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00D24CEA
_wcslen.LIBCMT ref: 00D24D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00D24D10
_wcsstr.LIBVCRUNTIME ref: 00D24D1A

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 7d23b6c1bdcb2c5e48855089302ca946694d94ae5a3e78c5850ed76867314a36
Instruction ID: b2c9ab511f76701a980758355daa5400a5fcc4a07eaafdffafe90e550d73e1c1
Opcode Fuzzy Hash: 7d23b6c1bdcb2c5e48855089302ca946694d94ae5a3e78c5850ed76867314a36
Instruction Fuzzy Hash: B321D7312043107BEB155B39AC49E7B7B9CDF55754F14406AFD05CA2A2DA61DD01A6B0

Function 00D3581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CC3A97,?,?,00CC2E7F,?,?,?,00000000), ref: 00CC3AC2

_wcslen.LIBCMT ref: 00D3587B
CoInitialize.OLE32(00000000), ref: 00D35995
CoCreateInstance.OLE32(00D5FCF8,00000000,00000001,00D5FB68,?), ref: 00D359AE
CoUninitialize.OLE32 ref: 00D359CC

Strings

.lnk, xrefs: 00D35876, 00D358C1, 00D35985

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: bc377cb916cede6e8a043108aad7c9b8b3ae5da6b9c610eb75deff6d7b3a3fee
Instruction ID: 79588299726b8322cf9ae998ea5d90f3762d7b91c283bc846c458d27e127b778
Opcode Fuzzy Hash: bc377cb916cede6e8a043108aad7c9b8b3ae5da6b9c610eb75deff6d7b3a3fee
Instruction Fuzzy Hash: DBD150716087019FC714DF24D484A2ABBE5EF89720F18895DF88A9B361DB31ED45CFA2

Function 00D2175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D20FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00D20FCA
Part of subcall function 00D20FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00D20FD6
Part of subcall function 00D20FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00D20FE5
Part of subcall function 00D20FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00D20FEC
Part of subcall function 00D20FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00D21002

GetLengthSid.ADVAPI32(?,00000000,00D21335), ref: 00D217AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00D217BA
HeapAlloc.KERNEL32(00000000), ref: 00D217C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00D217DA
GetProcessHeap.KERNEL32(00000000,00000000,00D21335), ref: 00D217EE
HeapFree.KERNEL32(00000000), ref: 00D217F5

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: ec0702ce1572a7f7e464aa853415717579445cfd94da9e01301de02ac455a623
Instruction ID: 8a8d57ffc2e99947e054285279b795373a57243a080ff2189d7d0558532451e8
Opcode Fuzzy Hash: ec0702ce1572a7f7e464aa853415717579445cfd94da9e01301de02ac455a623
Instruction Fuzzy Hash: 2811AC35610715EFDB109FA4EC49FAE7BA9FBA535AF148018F881D7211CB35A944CBB0

Function 00D214CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00D214FF
OpenProcessToken.ADVAPI32(00000000), ref: 00D21506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00D21515
CloseHandle.KERNEL32(00000004), ref: 00D21520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00D2154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00D21563

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 9708e93d8d230351beb16d31f1a6357a7dd4ebfe3f7bf556101ddfdc1864c1c8
Instruction ID: b0830ac5c02955a79a0fb51cae329fb8ee280dab8c6035a4580620b6bca7c8d2
Opcode Fuzzy Hash: 9708e93d8d230351beb16d31f1a6357a7dd4ebfe3f7bf556101ddfdc1864c1c8
Instruction Fuzzy Hash: 5511447650030DAFDB118FA8ED49BDE7BA9EB58749F088064FE15A21A0C371CE61DB70

Function 00CE3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00CE3379,00CE2FE5), ref: 00CE3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00CE339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00CE33B7
SetLastError.KERNEL32(00000000,?,00CE3379,00CE2FE5), ref: 00CE3409

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e99d448fc9c82f08d871847319fce3280c3b19f78e54dc3b3c475568fdd551bc
Instruction ID: 8eebe40e994a715115e40ab8376910fe809fb62265b3292739224534eb84306d
Opcode Fuzzy Hash: e99d448fc9c82f08d871847319fce3280c3b19f78e54dc3b3c475568fdd551bc
Instruction Fuzzy Hash: AE012D322283D1BFA71527777C8DA6A1A5CE7053B67300229F520C32F0EF616F026674

Function 00CF2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00CF5686,00D03CD6,?,00000000,?,00CF5B6A,?,?,?,?,?,00CEE6D1,?,00D88A48), ref: 00CF2D78
_free.LIBCMT ref: 00CF2DAB
_free.LIBCMT ref: 00CF2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00CEE6D1,?,00D88A48,00000010,00CC4F4A,?,?,00000000,00D03CD6), ref: 00CF2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00CEE6D1,?,00D88A48,00000010,00CC4F4A,?,?,00000000,00D03CD6), ref: 00CF2DEC
_abort.LIBCMT ref: 00CF2DF2

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 8c66cb7b16cdbd05cebd31254e8d92193a4dd1f0e59fdc531bb824f047316e60
Instruction ID: f49cd8f718309f0825ae7d3a14a8216cbfe4aa9746f41a6ee7de1716cfaef179
Opcode Fuzzy Hash: 8c66cb7b16cdbd05cebd31254e8d92193a4dd1f0e59fdc531bb824f047316e60
Instruction Fuzzy Hash: F1F0F432645B0C6BC2922734BC0AA7A2559AFC1BA1B200018FB34D22E2EF248A01A133

Function 00D58A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00CD9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00CD9693
Part of subcall function 00CD9639: SelectObject.GDI32(?,00000000), ref: 00CD96A2
Part of subcall function 00CD9639: BeginPath.GDI32(?), ref: 00CD96B9
Part of subcall function 00CD9639: SelectObject.GDI32(?,00000000), ref: 00CD96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00D58A4E
LineTo.GDI32(?,00000003,00000000), ref: 00D58A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00D58A70
LineTo.GDI32(?,00000000,00000003), ref: 00D58A80
EndPath.GDI32(?), ref: 00D58A90
StrokePath.GDI32(?), ref: 00D58AA0

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 9a0e52aa41ff02e549c0cce46c8393d3654c8508b1d87b381be2feb5b9a103c2
Instruction ID: b6d67d10de76f027272905b5bfc4f077c1c0832e9d5d0da8402659ed98cb0492
Opcode Fuzzy Hash: 9a0e52aa41ff02e549c0cce46c8393d3654c8508b1d87b381be2feb5b9a103c2
Instruction Fuzzy Hash: 6F11A576000349FFDB129F94DC88EAA7F6DEB08395F048012BE199A2A1C7729D559BB0

Function 00D251FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00D25218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00D25229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D25230
ReleaseDC.USER32(00000000,00000000), ref: 00D25238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00D2524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00D25261

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 532e7ae1720ece29516bd63008cec3b3ee7cd0e460e467929b0d449038bcf905
Instruction ID: fd4a3d1a01433af7c51ede2f9d314021ccaf87c61d8043e23251da32e455fe64
Opcode Fuzzy Hash: 532e7ae1720ece29516bd63008cec3b3ee7cd0e460e467929b0d449038bcf905
Instruction Fuzzy Hash: C0014F75A40718BFEB109BA5AC49E5EBFB8EF48752F044065FA04E7391DA709900CBB0

Function 00CC1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00CC1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00CC1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00CC1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00CC1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00CC1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CC1C22

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 2aee14acb1e806f2e37c608c0f6652c737f5c9b63e0bcc3744e30c2a6380b881
Instruction ID: d4b336feaaf85c4da9e2d0a457b04984e6a0d00a877e5da8fd47e47c36f1455c
Opcode Fuzzy Hash: 2aee14acb1e806f2e37c608c0f6652c737f5c9b63e0bcc3744e30c2a6380b881
Instruction Fuzzy Hash: 22016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C47A41C7F5A864CBE5

Function 00D2EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00D2EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00D2EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00D2EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D2EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D2EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D2EB75

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 596f3bae37716048b6c568547822a1acff380583b0d4e4df63dbc9bf7430145d
Instruction ID: 9392ebd642090b8226c7941569d4191538e85ffc6916949045ea9cda8a31526b
Opcode Fuzzy Hash: 596f3bae37716048b6c568547822a1acff380583b0d4e4df63dbc9bf7430145d
Instruction Fuzzy Hash: F8F03072250758BFE72157529C0DEEF3E7CEFCAB12F001158FA11D1291D7A05A01C6B5

Function 00D17439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00D17452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00D17469
GetWindowDC.USER32(?), ref: 00D17475
GetPixel.GDI32(00000000,?,?), ref: 00D17484
ReleaseDC.USER32(?,00000000), ref: 00D17496
GetSysColor.USER32(00000005), ref: 00D174B0

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 54bb4fdee8c89d4de3f37e34f3ff850546ea2ee8d5c696260a664c40010a37e3
Instruction ID: f026bbebc80e465c04dc6eebe3c1289303e82640f63bcef531799d19aa11d34e
Opcode Fuzzy Hash: 54bb4fdee8c89d4de3f37e34f3ff850546ea2ee8d5c696260a664c40010a37e3
Instruction Fuzzy Hash: F7011231414315FFEB515BA4EC48BAA7BB5FB04322F651164FE16A22B1CB311E91EB60

Function 00D21874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00D2187F
UnloadUserProfile.USERENV(?,?), ref: 00D2188B
CloseHandle.KERNEL32(?), ref: 00D21894
CloseHandle.KERNEL32(?), ref: 00D2189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00D218A5
HeapFree.KERNEL32(00000000), ref: 00D218AC

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: b92ce89168434dc45cc2a91a9283663e47baf0b0108ef15101f2f2b026a92302
Instruction ID: 7b05503c53907cce02cf027a390ba37de8e52ede7b4cee0e7a7afb78e0ab10f9
Opcode Fuzzy Hash: b92ce89168434dc45cc2a91a9283663e47baf0b0108ef15101f2f2b026a92302
Instruction Fuzzy Hash: 6CE0C236114705BFEA015BA1ED0CD0ABB69FB59B22B109220FA26C1670CB32A4A0DB60

Function 00D2C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC7620: _wcslen.LIBCMT ref: 00CC7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D2C6EE
_wcslen.LIBCMT ref: 00D2C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D2C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00D2C7CA

Strings

0, xrefs: 00D2C6AF

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 26e3583222ded321632d8715c1cfb04eb9e6927c51723f9ba264ed3c4a4172ef
Instruction ID: 428a1f429775563ab5eb22ef780308e4f44e89f7e2abbaa50bf816a9dfb152a5
Opcode Fuzzy Hash: 26e3583222ded321632d8715c1cfb04eb9e6927c51723f9ba264ed3c4a4172ef
Instruction Fuzzy Hash: 9751F3716243219BD7149F28E844B6F77E8AF65318F082A2DF995D32A0DB70DD04DB72

Function 00D4AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00D4AEA3

Part of subcall function 00CC7620: _wcslen.LIBCMT ref: 00CC7625

GetProcessId.KERNEL32(00000000), ref: 00D4AF38
CloseHandle.KERNEL32(00000000), ref: 00D4AF67

Strings

@, xrefs: 00D4AE72
<, xrefs: 00D4AE6B

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 32810cdbc3c5f7cdb6e6d8bfb0ca43756d1a80f6bb217bb171c91f628ee2638d
Instruction ID: 0e1b676630711aa9d950d00a33f21eb5e8b4eef4b200a672927cf8f016f2b938
Opcode Fuzzy Hash: 32810cdbc3c5f7cdb6e6d8bfb0ca43756d1a80f6bb217bb171c91f628ee2638d
Instruction Fuzzy Hash: E2713671A00619DFCB14DF98C484A9EBBF0EF08314F0484ADE856AB3A2C774ED45DBA1

Function 00D2719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00D27206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00D2723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00D2724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00D272CF

Strings

DllGetClassObject, xrefs: 00D27242

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 2e6d3afcdd86d616d19c5a011863732f8a2f9681495eae3b0fe61758887b3ea5
Instruction ID: fccb8bf726e7c04c6e8e22f5412ad27a6614950deb32e8604404e26a339dabc2
Opcode Fuzzy Hash: 2e6d3afcdd86d616d19c5a011863732f8a2f9681495eae3b0fe61758887b3ea5
Instruction Fuzzy Hash: 5E418AB1A04324EFDB25CF54D884A9A7BA9EF54318F2480ADFD059F20AD7B1D944CBB4

Function 00D53D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D53E35
IsMenu.USER32(?), ref: 00D53E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00D53E92
DrawMenuBar.USER32 ref: 00D53EA5

Strings

0, xrefs: 00D53D89

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 9cfc339220230896c1d94e98049b8eee5efeb7fc5b05ed4772b429b7000d1458
Instruction ID: 92265fe298463ae4ca9a3040cfe1e6816e94c2b9c3891ea3436ba9d23689694c
Opcode Fuzzy Hash: 9cfc339220230896c1d94e98049b8eee5efeb7fc5b05ed4772b429b7000d1458
Instruction Fuzzy Hash: 734135B5A00249AFDF10DF90D885AAABBF9BB48395F084229FD1597250D730AE48CF60

Function 00D21DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC9CB3: _wcslen.LIBCMT ref: 00CC9CBD

Part of subcall function 00D23CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D23CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00D21E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00D21E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00D21EA9

Part of subcall function 00CC6B57: _wcslen.LIBCMT ref: 00CC6B6A

Strings

ComboBox, xrefs: 00D21DF0
ListBox, xrefs: 00D21E25

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: fdf6c25d2226eee81e4d3a9f4a9c73a200b6526707548ed7e8b5ba681f034f30
Instruction ID: 1d51a240752442f16003ed944fe1b2243bb71eb64168625916fc777a26860125
Opcode Fuzzy Hash: fdf6c25d2226eee81e4d3a9f4a9c73a200b6526707548ed7e8b5ba681f034f30
Instruction Fuzzy Hash: 6D213575A00204BEDB14AB60EC59DFFB7B8EF61354B14812DF825A32E0DB344E0AA630

Function 00D52F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00D52F8D
LoadLibraryW.KERNEL32(?), ref: 00D52F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00D52FA9
DestroyWindow.USER32(?), ref: 00D52FB1

Strings

SysAnimate32, xrefs: 00D52F68

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 0097e09066f19cb07f3c8cf6ecde6576b1a11dd3fe633f33c856868df5d37241
Instruction ID: 5bf12047d21bebf2142ebb1cc3a2ee8f8db0262181a37e46e2456bd581441d0d
Opcode Fuzzy Hash: 0097e09066f19cb07f3c8cf6ecde6576b1a11dd3fe633f33c856868df5d37241
Instruction Fuzzy Hash: EF218872204205AFEF104F66EC80EBB37B9EF6A366F140218FE50E61A0D671DC599B70

Function 00CE4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00CE4D1E,00CF28E9,?,00CE4CBE,00CF28E9,00D888B8,0000000C,00CE4E15,00CF28E9,00000002), ref: 00CE4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00CE4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00CE4D1E,00CF28E9,?,00CE4CBE,00CF28E9,00D888B8,0000000C,00CE4E15,00CF28E9,00000002,00000000), ref: 00CE4DC3

Strings

CorExitProcess, xrefs: 00CE4D98
mscoree.dll, xrefs: 00CE4D86

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 382e85b947dda2b1c2f5b4b1dfa8e50d78b9855777c81370ea7dbf0947651087
Instruction ID: e116cb8e2de5d9afbc4654692c3bf6483a67fc14e9f793433171401aaf591cc1
Opcode Fuzzy Hash: 382e85b947dda2b1c2f5b4b1dfa8e50d78b9855777c81370ea7dbf0947651087
Instruction Fuzzy Hash: 84F03C34A50308AFDB159F91DC49BAEBFA5EB44752F0000A4A805E2260CB705A44DBE0

Function 00D1D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00D1D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00D1D3BF
FreeLibrary.KERNEL32(00000000), ref: 00D1D3E5

Strings

X64, xrefs: 00D1D2A8
GetSystemWow64DirectoryW, xrefs: 00D1D3B9

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 3a37a012752141d9b8e13f4c1c72506ff7403d13c49848d478c2970c4565c794
Instruction ID: cbed5593b6e7e1447f5c2d696a0032cf3cbfcc52fd336efbec705bd17c86262a
Opcode Fuzzy Hash: 3a37a012752141d9b8e13f4c1c72506ff7403d13c49848d478c2970c4565c794
Instruction Fuzzy Hash: B3F05575816B21BFDB741B10AC98DE93326AF11703B58910AFC52E1200DFB0CCC486B6

Function 00CC4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00CC4EDD,?,00D91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CC4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00CC4EAE
FreeLibrary.KERNEL32(00000000,?,?,00CC4EDD,?,00D91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CC4EC0

Strings

kernel32.dll, xrefs: 00CC4E94
Wow64DisableWow64FsRedirection, xrefs: 00CC4EA8

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: a3e08192d64589e98c55e76d8bc59dd5e3a767cc61870ba53964d47213b936bb
Instruction ID: 7275ffbd160f7dbd70f8c014f721ab7733f6f98e2c569323d607ebf54bb0258d
Opcode Fuzzy Hash: a3e08192d64589e98c55e76d8bc59dd5e3a767cc61870ba53964d47213b936bb
Instruction Fuzzy Hash: F3E08C36E12B225F92222B25AC28F6BA658AF81F63B06411DFC04E2240DB60CE0581B1

Function 00CC4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00D03CDE,?,00D91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CC4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00CC4E74
FreeLibrary.KERNEL32(00000000,?,?,00D03CDE,?,00D91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CC4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00CC4E6E
kernel32.dll, xrefs: 00CC4E5B

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 918d6646d88124eed1284748567e00e5b50ad58495fd0f726ebe3713e71b09ce
Instruction ID: 8fa4c2a7e4f51453479290c876d6ac883dae3925cf3025ee1f7e25f866d89a0d
Opcode Fuzzy Hash: 918d6646d88124eed1284748567e00e5b50ad58495fd0f726ebe3713e71b09ce
Instruction Fuzzy Hash: F8D01235512B215F5A261B29BC28E9BAA18AF85F52306551DFD15E2215CF60CE05C5F0

Function 00D4A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00D4A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00D4A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00D4A468
CloseHandle.KERNEL32(?), ref: 00D4A63D

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 55a95581c03c32c626955645fa36e74bc5b7b780c6e400591376c6044b7921e5
Instruction ID: b9b75549241e0ab07b6fab53229bfb8d54f0a25ea3fa9bc323fba635bdf087bb
Opcode Fuzzy Hash: 55a95581c03c32c626955645fa36e74bc5b7b780c6e400591376c6044b7921e5
Instruction Fuzzy Hash: A6A190716447019FD720DF28C886F2AB7E5AF84714F18885DF99A9B3D2D7B0EC418B92

Function 00CFBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00D63700), ref: 00CFBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00D9121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00CFBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00D91270,000000FF,?,0000003F,00000000,?), ref: 00CFBC36
_free.LIBCMT ref: 00CFBB7F

Part of subcall function 00CF29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CFD7D1,00000000,00000000,00000000,00000000,?,00CFD7F8,00000000,00000007,00000000,?,00CFDBF5,00000000), ref: 00CF29DE
Part of subcall function 00CF29C8: GetLastError.KERNEL32(00000000,?,00CFD7D1,00000000,00000000,00000000,00000000,?,00CFD7F8,00000000,00000007,00000000,?,00CFDBF5,00000000,00000000), ref: 00CF29F0

_free.LIBCMT ref: 00CFBD4B

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 4854f09e0af423a1af027252f55a73981c9a5693a7bee35e0ef8f2c73aa155fa
Instruction ID: 04553e73fa8f7cdc84df8b7385a003f503d7c58507a0d43f7fe71b9dcc2b2e5d
Opcode Fuzzy Hash: 4854f09e0af423a1af027252f55a73981c9a5693a7bee35e0ef8f2c73aa155fa
Instruction Fuzzy Hash: 2451EC7590030EEFCB50EF65DC419BEB7BCEF40350B10426AE664D72A1EB709E459762

Function 00D2E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D2DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00D2CF22,?), ref: 00D2DDFD

Part of subcall function 00D2DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00D2CF22,?), ref: 00D2DE16

Part of subcall function 00D2E199: GetFileAttributesW.KERNEL32(?,00D2CF95), ref: 00D2E19A

lstrcmpiW.KERNEL32(?,?), ref: 00D2E473
MoveFileW.KERNEL32(?,?), ref: 00D2E4AC
_wcslen.LIBCMT ref: 00D2E5EB
_wcslen.LIBCMT ref: 00D2E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00D2E650

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 63728d54a26ee805fce7f9cc1cdcfe437305b46562f544e308c0349865a69afe
Instruction ID: 2a532da871efdf41730a1e2d82c0f13db47784fcdfd33dc5a330207a12f4b45b
Opcode Fuzzy Hash: 63728d54a26ee805fce7f9cc1cdcfe437305b46562f544e308c0349865a69afe
Instruction Fuzzy Hash: B65160B24083955BC724EB90D881ADFB3ECEF95344F04492EF689D3191EE74E6888776

Function 00D4B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC9CB3: _wcslen.LIBCMT ref: 00CC9CBD

Part of subcall function 00D4C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D4B6AE,?,?), ref: 00D4C9B5
Part of subcall function 00D4C998: _wcslen.LIBCMT ref: 00D4C9F1
Part of subcall function 00D4C998: _wcslen.LIBCMT ref: 00D4CA68
Part of subcall function 00D4C998: _wcslen.LIBCMT ref: 00D4CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D4BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D4BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00D4BB63
RegCloseKey.ADVAPI32(?,?), ref: 00D4BBA6
RegCloseKey.ADVAPI32(00000000), ref: 00D4BBB3

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 287015c4ac23de577f2a3d85e4176757dad0865c17c6c7e788d1617657221345
Instruction ID: c59bd79e2dab6e7629920539a025afd82be262c5d12824457acbd8cc82284d66
Opcode Fuzzy Hash: 287015c4ac23de577f2a3d85e4176757dad0865c17c6c7e788d1617657221345
Instruction Fuzzy Hash: 45619131208341AFD714DF14C895E2ABBE5FF84318F18855DF4998B2A2DB31ED45DBA2

Function 00D28BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D28BCD
VariantClear.OLEAUT32 ref: 00D28C3E
VariantClear.OLEAUT32 ref: 00D28C9D
VariantClear.OLEAUT32(?), ref: 00D28D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00D28D3B

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 190e630fdfb31c8caaa815cee0bb062d9dc0d05942fcff5306a5c95e98aa0ef7
Instruction ID: 710f1792b5d89a1ceca7dc2facf2ba1b7dc6feb39df5e48185bcd4ec8c58e968
Opcode Fuzzy Hash: 190e630fdfb31c8caaa815cee0bb062d9dc0d05942fcff5306a5c95e98aa0ef7
Instruction Fuzzy Hash: 445169B5A01219EFDB10CF68D884EAAB7F8FF99314B158559E905DB350E730E911CFA0

Function 00D38AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00D38BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00D38BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00D38C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00D38C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00D38C5F

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: e6de2ea6dec2c400e3216958407128c628df3465dcc6b6d7879d7f82f8a9d369
Instruction ID: f21cb954bb23c4ce49ea627b42ae1049fd058dd5779102467a31e8e7cc68f8a0
Opcode Fuzzy Hash: e6de2ea6dec2c400e3216958407128c628df3465dcc6b6d7879d7f82f8a9d369
Instruction Fuzzy Hash: DD512935A002159FCB05DF64C881E69BBF5FF48314F088459E849AB362DB35ED51EFA0

Function 00D48EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00D48F40
GetProcAddress.KERNEL32(00000000,?), ref: 00D48FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00D48FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00D49032
FreeLibrary.KERNEL32(00000000), ref: 00D49052

Part of subcall function 00CDF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00D31043,?,7644E610), ref: 00CDF6E6
Part of subcall function 00CDF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00D1FA64,00000000,00000000,?,?,00D31043,?,7644E610,?,00D1FA64), ref: 00CDF70D

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: e5cde2d5f05217d266b741939cbacd7a860d239e7d55cf777d24420c5dc3c9c9
Instruction ID: 6daf82d515899d47eb7402b4b5cad6a8cd3705174efe09e7cb13d0040e2be27c
Opcode Fuzzy Hash: e5cde2d5f05217d266b741939cbacd7a860d239e7d55cf777d24420c5dc3c9c9
Instruction Fuzzy Hash: 0F512935600205DFCB15DF68C495DADBBB1FF49354B088099E8469B362DB31ED86DBA0

Function 00D56B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00D56C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00D56C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00D56C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00D3AB79,00000000,00000000), ref: 00D56C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00D56CC7

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 39f6c7b685e70e3b1e163adafc79725649f530e7097708f13157a0e1c016e51e
Instruction ID: 50a829ae6d591e12aad55703470b598b46362d0f53dc92df7182468ae1fc3439
Opcode Fuzzy Hash: 39f6c7b685e70e3b1e163adafc79725649f530e7097708f13157a0e1c016e51e
Instruction Fuzzy Hash: 69419035604204AFDB248F28CC59BB97FA5EB09362F980268FC95E73A0C771ED45CA60

Function 00CF2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00CF20C3
_free.LIBCMT ref: 00CF20E3

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1f4ec459f957a8aeb78b9f2aef92f001c5759d364eb1a1020db4d182a9a25019
Instruction ID: 353b271fca53b6aac52a2060c038c0be931d882c9389655b2d658218a651106c
Opcode Fuzzy Hash: 1f4ec459f957a8aeb78b9f2aef92f001c5759d364eb1a1020db4d182a9a25019
Instruction Fuzzy Hash: 5141D532A00208DFCB24DF78C881A6DB7F5EF89314F158569E616EB395DB31AE01DB91

Function 00CD912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00CD9141
ScreenToClient.USER32(00000000,?), ref: 00CD915E
GetAsyncKeyState.USER32(00000001), ref: 00CD9183
GetAsyncKeyState.USER32(00000002), ref: 00CD919D

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 6d2dde19e50ccb8d5c816b758aec64ad950f10e4a8d8d79c36368ede9015e452
Instruction ID: f44eb0d06ae4bbba664201b318670cc0cfe452f62eab51f2246b080c8a5e915c
Opcode Fuzzy Hash: 6d2dde19e50ccb8d5c816b758aec64ad950f10e4a8d8d79c36368ede9015e452
Instruction Fuzzy Hash: A241617590860AFBDF199F64D844BFEB774FF05320F204216E929A32E0CB346994DB61

Function 00D33874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00D338CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00D33922
TranslateMessage.USER32(?), ref: 00D3394B
DispatchMessageW.USER32(?), ref: 00D33955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D33966

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: d8f95164029230da23f88981ac27c7293ee4e65c7e8910123436ccf8d4e95fb2
Instruction ID: 561c2b348c720956238c091c952efb1e7fd29d99dea7a2365801c14468caa92f
Opcode Fuzzy Hash: d8f95164029230da23f88981ac27c7293ee4e65c7e8910123436ccf8d4e95fb2
Instruction Fuzzy Hash: 2331B774504342EFEB35CB759A49BB637A8EB05345F08056AE4A2C62A0E7F49685CF31

Function 00D3CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00D3C21E,00000000), ref: 00D3CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00D3CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00D3C21E,00000000), ref: 00D3CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00D3C21E,00000000), ref: 00D3CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00D3C21E,00000000), ref: 00D3CFF2

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 878e82fbf04ea4940087497c63134bc178f3353ada0ec1c58af450ddc3cf8c86
Instruction ID: c343871d17f8d7d5d83eb6cdd71cf47497dba96ca785a16998a72a89b17adb0c
Opcode Fuzzy Hash: 878e82fbf04ea4940087497c63134bc178f3353ada0ec1c58af450ddc3cf8c86
Instruction Fuzzy Hash: F1315871625305AFDB20DFA5C884AAABBFAEF14351F14542EE506E2200EB30EE419B70

Function 00D21901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00D21915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00D219C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00D219C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00D219DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00D219E2

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 3dae1d73361abc423082e8c9f6c4fa6e1360ea0e158f9a8d3b1842282147f0d0
Instruction ID: 37aebf66d45cdb5020318ffa7dee56f253ddb464ccb4f48bba266b1a398befc0
Opcode Fuzzy Hash: 3dae1d73361abc423082e8c9f6c4fa6e1360ea0e158f9a8d3b1842282147f0d0
Instruction Fuzzy Hash: D3319075A00329EFCB00CFA8D959A9E7BB5EB24319F148225F961E72D1C7709944CFA0

Function 00D55706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00D55745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00D5579D
_wcslen.LIBCMT ref: 00D557AF
_wcslen.LIBCMT ref: 00D557BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00D55816

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 2502fb6bab647844a8a698f8cd02071b64110f6319038125afa11a039f097b5a
Instruction ID: 162480c20ac096a579e19dd106b418688f6a51d56bea5a7434a01209dc16d8fa
Opcode Fuzzy Hash: 2502fb6bab647844a8a698f8cd02071b64110f6319038125afa11a039f097b5a
Instruction Fuzzy Hash: 9321A531904618DADF219FA0EC84AED77BCFF05322F148216ED19EA184D770CA89CF60

Function 00D40930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00D40951
GetForegroundWindow.USER32 ref: 00D40968
GetDC.USER32(00000000), ref: 00D409A4
GetPixel.GDI32(00000000,?,00000003), ref: 00D409B0
ReleaseDC.USER32(00000000,00000003), ref: 00D409E8

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 29abf7a8cd9c755ddac3fb0bdbc0f7f05d348727fb145995a8d8c8e2e53e9ede
Instruction ID: 084f9a6fb677993ce1cf1ae2fbe2b08f82fa004b65842b816297e04b2ca09b58
Opcode Fuzzy Hash: 29abf7a8cd9c755ddac3fb0bdbc0f7f05d348727fb145995a8d8c8e2e53e9ede
Instruction Fuzzy Hash: 91215E35600314AFD704EF69C885AAEBBE5EF48741F04846CE84AE7762CA70AD04DB60

Function 00CFCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00CFCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CFCDE9

Part of subcall function 00CF3820: RtlAllocateHeap.NTDLL(00000000,?,00D91444,?,00CDFDF5,?,?,00CCA976,00000010,00D91440,00CC13FC,?,00CC13C6,?,00CC1129), ref: 00CF3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00CFCE0F
_free.LIBCMT ref: 00CFCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00CFCE31

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: ba2b0674c3d125dd55ed78496ac185ab44591e49e5af2f95ab385f55c3cec60e
Instruction ID: 9a81fcc7a0b3943cf8ef9a8a7ba18834b282ea41241d035481a19f2c6d74f034
Opcode Fuzzy Hash: ba2b0674c3d125dd55ed78496ac185ab44591e49e5af2f95ab385f55c3cec60e
Instruction Fuzzy Hash: 4001D472B0171D7F236116B66DC8CBB696DDEC6BA13150129FE05C7201EA618E0191F2

Function 00CD9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00CD9693
SelectObject.GDI32(?,00000000), ref: 00CD96A2
BeginPath.GDI32(?), ref: 00CD96B9
SelectObject.GDI32(?,00000000), ref: 00CD96E2

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 31d9f6727cd8e8da37ef255686658465f460d4ec9502850be74a2bdf5579ace0
Instruction ID: 17b99fbd01917812717c08eaa3fa6cbe28e986dc6a611ae49edc692cead2213d
Opcode Fuzzy Hash: 31d9f6727cd8e8da37ef255686658465f460d4ec9502850be74a2bdf5579ace0
Instruction Fuzzy Hash: D6211938812306EBDB119F65EC14BA97BA8FB50356F104217F931E63A0D3709992CFA4

Function 00D25711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00D25726
_memcmp.LIBVCRUNTIME ref: 00D25744
_memcmp.LIBVCRUNTIME ref: 00D25757
_memcmp.LIBVCRUNTIME ref: 00D2576F
_memcmp.LIBVCRUNTIME ref: 00D25787

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: dd8c5b0993f85c3af1dd78f0e7698cabe281f4e92eb81303e3291d43d3a853d4
Instruction ID: e2fb08febdc42fde8ee077131073a4dacf3af0c10b879ccdf06fd03a6f36a438
Opcode Fuzzy Hash: dd8c5b0993f85c3af1dd78f0e7698cabe281f4e92eb81303e3291d43d3a853d4
Instruction Fuzzy Hash: 57019271681669BE96089611BE82EBB635C9B313A9B184030FD049F249F670ED2892B0

Function 00CF2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00CEF2DE,00CF3863,00D91444,?,00CDFDF5,?,?,00CCA976,00000010,00D91440,00CC13FC,?,00CC13C6), ref: 00CF2DFD
_free.LIBCMT ref: 00CF2E32
_free.LIBCMT ref: 00CF2E59
SetLastError.KERNEL32(00000000,00CC1129), ref: 00CF2E66
SetLastError.KERNEL32(00000000,00CC1129), ref: 00CF2E6F

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 9fdc7df847968b642deb5d65733762c2dd6951201641f1ae8207d2fe31920cec
Instruction ID: 45884cc33442c5a97ea39d4f210814465cfe8df166dfb4f76e908958b6008507
Opcode Fuzzy Hash: 9fdc7df847968b642deb5d65733762c2dd6951201641f1ae8207d2fe31920cec
Instruction Fuzzy Hash: D501F43225570C6BD69227756C89D3B2A69ABC17A3B311029FB31E23A3EF748E015133

Function 00D2000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D1FF41,80070057,?,?,?,00D2035E), ref: 00D2002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D1FF41,80070057,?,?), ref: 00D20046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D1FF41,80070057,?,?), ref: 00D20054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D1FF41,80070057,?), ref: 00D20064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D1FF41,80070057,?,?), ref: 00D20070

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 78fbb15837331af8cde62afc82dc12d761119f081e595b9f49ce1ae26d327bbd
Instruction ID: 67bc9a67bde6d33b4b5a5d5166758d35e5b0aa10f4340f840dc6dcbbf2bd5a88
Opcode Fuzzy Hash: 78fbb15837331af8cde62afc82dc12d761119f081e595b9f49ce1ae26d327bbd
Instruction Fuzzy Hash: 90018B72610324BFEB104F68ED44BAA7EADEB5879AF145124FD05D2321E771DD408BB0

Function 00D2E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00D2E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00D2E9A5
Sleep.KERNEL32(00000000), ref: 00D2E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00D2E9B7
Sleep.KERNEL32 ref: 00D2E9F3

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: b21f3fdcd7c02428a4d7f8bacb03e8a71db653b8fad3cfd8dd1954fb6b9c359e
Instruction ID: 349f1e56db7a357bf9173572f1dd5a95ccd07a5f31b8986747ccbebb3cbc6c70
Opcode Fuzzy Hash: b21f3fdcd7c02428a4d7f8bacb03e8a71db653b8fad3cfd8dd1954fb6b9c359e
Instruction Fuzzy Hash: 91010531D01B39DBCF00ABE5E859AEDBBB8BB29705F000556E942B2241DB3495948BB1

Function 00D210F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D21114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00D20B9B,?,?,?), ref: 00D21120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00D20B9B,?,?,?), ref: 00D2112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00D20B9B,?,?,?), ref: 00D21136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D2114D

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: a03fc80e738794ff1425a392ec68fa22fe6fb69232010e959d64f0b1a7ba33fb
Instruction ID: c1089ad020ebb6d69e7c8914e10f973ab95e27f012fc2532c8b0a3c18a90d423
Opcode Fuzzy Hash: a03fc80e738794ff1425a392ec68fa22fe6fb69232010e959d64f0b1a7ba33fb
Instruction Fuzzy Hash: 2D014B79200315BFDB124B64EC49E6A3F6EEF992A6B144414FE45D2360DA31DC10CA70

Function 00D20FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00D20FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00D20FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00D20FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00D20FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00D21002

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: a0ddbab78f8d9400b42c2e0afe1c482fb00cc7d55cb483b46fa5256b09deea6f
Instruction ID: 2218453a2df56b7b45919618a9578bd64b97997631611bb7676c2f4f300233e7
Opcode Fuzzy Hash: a0ddbab78f8d9400b42c2e0afe1c482fb00cc7d55cb483b46fa5256b09deea6f
Instruction Fuzzy Hash: 10F04F39210315AFDB214FA5AD49F5A3BADEF99762F144414FD45C6391CA70DC408A70

Function 00D21014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00D2102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00D21036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D21045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00D2104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D21062

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 63b2244ac60033cd7f70dd448bd18df86e9ac14fac80a6d3df0067fda54a65f6
Instruction ID: 478d17d302580e68ec34d7fc4ab440fa37181c070e020fb16912eedc08a2f9df
Opcode Fuzzy Hash: 63b2244ac60033cd7f70dd448bd18df86e9ac14fac80a6d3df0067fda54a65f6
Instruction Fuzzy Hash: 61F04939210355AFDB215FA9ED4AF5A3BADEFA9762F144414FE46C6390CA70D8808A70

Function 00D3030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00D3017D,?,00D332FC,?,00000001,00D02592,?), ref: 00D30324
CloseHandle.KERNEL32(?,?,?,?,00D3017D,?,00D332FC,?,00000001,00D02592,?), ref: 00D30331
CloseHandle.KERNEL32(?,?,?,?,00D3017D,?,00D332FC,?,00000001,00D02592,?), ref: 00D3033E
CloseHandle.KERNEL32(?,?,?,?,00D3017D,?,00D332FC,?,00000001,00D02592,?), ref: 00D3034B
CloseHandle.KERNEL32(?,?,?,?,00D3017D,?,00D332FC,?,00000001,00D02592,?), ref: 00D30358
CloseHandle.KERNEL32(?,?,?,?,00D3017D,?,00D332FC,?,00000001,00D02592,?), ref: 00D30365

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: d19438612461995e85d5d48585ed7f4ac5984ecdb86edd2b97ad7b81f3623167
Instruction ID: 378678c0f4f436e4c46f3adfa8a6d8f24131a04a6f00ee6e7b3b3aaae5ba73c4
Opcode Fuzzy Hash: d19438612461995e85d5d48585ed7f4ac5984ecdb86edd2b97ad7b81f3623167
Instruction Fuzzy Hash: 0701A272800B159FC7309F66D890412FBF9FF503153198A3FD19652931C371A954CF90

Function 00CFD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00CFD752

Part of subcall function 00CF29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CFD7D1,00000000,00000000,00000000,00000000,?,00CFD7F8,00000000,00000007,00000000,?,00CFDBF5,00000000), ref: 00CF29DE
Part of subcall function 00CF29C8: GetLastError.KERNEL32(00000000,?,00CFD7D1,00000000,00000000,00000000,00000000,?,00CFD7F8,00000000,00000007,00000000,?,00CFDBF5,00000000,00000000), ref: 00CF29F0

_free.LIBCMT ref: 00CFD764
_free.LIBCMT ref: 00CFD776
_free.LIBCMT ref: 00CFD788
_free.LIBCMT ref: 00CFD79A

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 79548f7d065476b0cf367f5299348185334f01dc2618c4cef5700e8b31a6554d
Instruction ID: 5585db85c17437cb5cc89e372348744fabaedad951225ce36b64f0cf65968326
Opcode Fuzzy Hash: 79548f7d065476b0cf367f5299348185334f01dc2618c4cef5700e8b31a6554d
Instruction Fuzzy Hash: 11F044325A030DAB8695FB54F9C1C2677EEBB043107941806F255DB515C730FD805B72

Function 00D25C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00D25C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00D25C6F
MessageBeep.USER32(00000000), ref: 00D25C87
KillTimer.USER32(?,0000040A), ref: 00D25CA3
EndDialog.USER32(?,00000001), ref: 00D25CBD

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 621343637397862522a2e6063c5c9fb29fa609c61a0e5e8c520557f63cbcb579
Instruction ID: 599cd1b3bb1c970207c99e7d4a5b4d051a79263e85eeba1f47c3cb343e2af209
Opcode Fuzzy Hash: 621343637397862522a2e6063c5c9fb29fa609c61a0e5e8c520557f63cbcb579
Instruction Fuzzy Hash: 63018630510B14AFEB215B10FD4EFA677B8BB14B06F041559A583A15E1EBF0AA849AB0

Function 00CF22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CF22BE

Part of subcall function 00CF29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CFD7D1,00000000,00000000,00000000,00000000,?,00CFD7F8,00000000,00000007,00000000,?,00CFDBF5,00000000), ref: 00CF29DE
Part of subcall function 00CF29C8: GetLastError.KERNEL32(00000000,?,00CFD7D1,00000000,00000000,00000000,00000000,?,00CFD7F8,00000000,00000007,00000000,?,00CFDBF5,00000000,00000000), ref: 00CF29F0

_free.LIBCMT ref: 00CF22D0
_free.LIBCMT ref: 00CF22E3
_free.LIBCMT ref: 00CF22F4
_free.LIBCMT ref: 00CF2305

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b98bd97cd445288e6682e57dfd63c86740decb05136f85a2ee012de59e4de6ff
Instruction ID: 3f778ca98a4be14b274bee6e2360a5d39acbaf2f2b5152cbe7309f3198d2e854
Opcode Fuzzy Hash: b98bd97cd445288e6682e57dfd63c86740decb05136f85a2ee012de59e4de6ff
Instruction Fuzzy Hash: 48F03A758A0326DB8652BF54BC028283F64BB18760700150BF624D73B1C7700A11ABBA

Function 00CD95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00CD95D4
StrokeAndFillPath.GDI32(?,?,00D171F7,00000000,?,?,?), ref: 00CD95F0
SelectObject.GDI32(?,00000000), ref: 00CD9603
DeleteObject.GDI32 ref: 00CD9616
StrokePath.GDI32(?), ref: 00CD9631

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 10336ccda01b0ca1f09052c9606f526c974d673eefbabef6f67b54bc189309a8
Instruction ID: 1af8aded5e8577d7de0ef09492b0064dd61c06625c5690b288064c38256c7117
Opcode Fuzzy Hash: 10336ccda01b0ca1f09052c9606f526c974d673eefbabef6f67b54bc189309a8
Instruction Fuzzy Hash: 76F0F638005705EFDB125F69ED18BA53B61EB00362F048216F935952F0D7318A91DF30

Function 00CF0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00CF10F9
__freea.LIBCMT ref: 00CF1117

Part of subcall function 00CF1537: _free.LIBCMT ref: 00CF154F

Strings

a/p, xrefs: 00CF11DE
am/pm, xrefs: 00CF117A

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 18ece62ecc745fe30df5941823d03e00e61a60d4c52810997f81a20971c5dd41
Instruction ID: b09694c7199cd97d62e870c5d0058570285e3c76e0aa4ad87b5b251748714221
Opcode Fuzzy Hash: 18ece62ecc745fe30df5941823d03e00e61a60d4c52810997f81a20971c5dd41
Instruction Fuzzy Hash: C9D1F23190024EDACBA88F69C845BBEB7B1EF05300F2C4119EF219B661D7359E84DB93

Function 00D47B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00CE0242: EnterCriticalSection.KERNEL32(00D9070C,00D91884,?,?,00CD198B,00D92518,?,?,?,00CC12F9,00000000), ref: 00CE024D
Part of subcall function 00CE0242: LeaveCriticalSection.KERNEL32(00D9070C,?,00CD198B,00D92518,?,?,?,00CC12F9,00000000), ref: 00CE028A

Part of subcall function 00CC9CB3: _wcslen.LIBCMT ref: 00CC9CBD

Part of subcall function 00CE00A3: __onexit.LIBCMT ref: 00CE00A9

__Init_thread_footer.LIBCMT ref: 00D47BFB

Part of subcall function 00CE01F8: EnterCriticalSection.KERNEL32(00D9070C,?,?,00CD8747,00D92514), ref: 00CE0202
Part of subcall function 00CE01F8: LeaveCriticalSection.KERNEL32(00D9070C,?,00CD8747,00D92514), ref: 00CE0235

Strings

G, xrefs: 00D47C7F
Variable must be of type 'Object'., xrefs: 00D47C3A
5, xrefs: 00D47C78

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 6429ba5c0833000a80e0855d4129d593feb12812f928ac87ae71f6b8edfd83b3
Instruction ID: c30103a3cb6110835b937eb7e2b2af9339814e9d5ec99fe41127f678241e65ac
Opcode Fuzzy Hash: 6429ba5c0833000a80e0855d4129d593feb12812f928ac87ae71f6b8edfd83b3
Instruction Fuzzy Hash: 38916774A04209EFCB14EF94D891DBDB7B1FF48304F148059F846AB292DB71AE45DB61

Function 00D22716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D2B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D221D0,?,?,00000034,00000800,?,00000034), ref: 00D2B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00D22760

Part of subcall function 00D2B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D221FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00D2B3F8

Part of subcall function 00D2B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00D2B355
Part of subcall function 00D2B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00D22194,00000034,?,?,00001004,00000000,00000000), ref: 00D2B365
Part of subcall function 00D2B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00D22194,00000034,?,?,00001004,00000000,00000000), ref: 00D2B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00D227CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00D2281A

Strings

@, xrefs: 00D22832

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: d45d1c10c33c53bac201da4eaa9d790cb6240b7b789d75f5359fc579d6487b50
Instruction ID: 7c05c0ad4c7a95f943666ece9d45a3cec44d3d7bcdd1d79bf09632aed601a2ca
Opcode Fuzzy Hash: d45d1c10c33c53bac201da4eaa9d790cb6240b7b789d75f5359fc579d6487b50
Instruction Fuzzy Hash: 59413D72900228BFDB10DBA4DD81AEEBBB8EF15314F044095FA55B7191DB706E45CBB0

Function 00CF172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\RFQ_#24429725,pdf.exe,00000104), ref: 00CF1769
_free.LIBCMT ref: 00CF1834
_free.LIBCMT ref: 00CF183E

Strings

C:\Users\user\Desktop\RFQ_#24429725,pdf.exe, xrefs: 00CF1760, 00CF1767, 00CF1796, 00CF17CE

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\RFQ_#24429725,pdf.exe
API String ID: 2506810119-1506164443
Opcode ID: c9a7b16aaa0f853ef9153efe1032266db56c17e8881f62b2e88491541e2bed8e
Instruction ID: 1b4aad8c40ef76fa77a56c952467a9fa127caf4b2a96185ec1419971b0b226df
Opcode Fuzzy Hash: c9a7b16aaa0f853ef9153efe1032266db56c17e8881f62b2e88491541e2bed8e
Instruction Fuzzy Hash: F7319175A0034CEFCB61EF9A9981DAEBBBCEB85350F184167EA14D7311D6704A40DBA1

Function 00D2C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00D2C306
DeleteMenu.USER32(?,00000007,00000000), ref: 00D2C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00D91990,019B67E0), ref: 00D2C395

Strings

0, xrefs: 00D2C2DF

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: ecf310f7d978f7f47f0e70ccbb39abd37bf8f40682d179e38de9accb32e67610
Instruction ID: a6793e2b7a7f435b55dfebc511db757532ec886899a2813745d1816c74e86514
Opcode Fuzzy Hash: ecf310f7d978f7f47f0e70ccbb39abd37bf8f40682d179e38de9accb32e67610
Instruction Fuzzy Hash: 2D418B312143519FD720DF25E884B5EBBA8EFA5328F049A1DE8A597291D770AD04CB72

Function 00D54416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00D5CC08,00000000,?,?,?,?), ref: 00D544AA
GetWindowLongW.USER32 ref: 00D544C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D544D7

Strings

SysTreeView32, xrefs: 00D5447C

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 3885123968c9c0ca1f413da2349a395b03f93a57f2eec80f64cb5d9f1523872e
Instruction ID: 798a24b8f7e6184bb45af7a6e5bf714a2301e6010106160c2ab969129c3b5c89
Opcode Fuzzy Hash: 3885123968c9c0ca1f413da2349a395b03f93a57f2eec80f64cb5d9f1523872e
Instruction Fuzzy Hash: B8319C31250205AFDF208E38DC45BEA77A9EB0833AF244715FD79A22E0D770EC959760

Function 00D4304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D4335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00D43077,?,?), ref: 00D43378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00D4307A
_wcslen.LIBCMT ref: 00D4309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00D43106

Strings

255.255.255.255, xrefs: 00D43095, 00D4309A

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 2cd105f90414e0bdf4fd56668f99d2bbf40f72cdfb20a3ba9a03833a7b9e28a0
Instruction ID: 3b2550fbf5c6635f91dbc956dd3d44540b26b54d5aae17eda8526a68476e2806
Opcode Fuzzy Hash: 2cd105f90414e0bdf4fd56668f99d2bbf40f72cdfb20a3ba9a03833a7b9e28a0
Instruction Fuzzy Hash: 1131C1352043019FDB14CF6CC485EAA77E0EF14318F288199E9159B392DB72EE41CB70

Function 00D54653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00D54705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00D54713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00D5471A

Strings

msctls_updown32, xrefs: 00D54684

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 852cb1a60b3ebaa9e1b5de98bb513f8d40af1673b54a3d7ae0d167c71d692bc0
Instruction ID: 4a6c2ce4e433aba97889e225d69fd7c694a1ff386e4142180f289b8b9209e97b
Opcode Fuzzy Hash: 852cb1a60b3ebaa9e1b5de98bb513f8d40af1673b54a3d7ae0d167c71d692bc0
Instruction Fuzzy Hash: 1F214AB5600209AFDB11DF64DCC1EA637ADEB4A3A9B040459FE109B3A1CB30EC55DAB1

Function 00D295AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D2961D

Strings

#OnAutoItStartRegister, xrefs: 00D295F3
#notrayicon, xrefs: 00D295B7
#requireadmin, xrefs: 00D295D9

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 22e6bc8660376ad2ea9a540de99537a1b3d155314a76bc30d1a898eaf7a67d88
Instruction ID: 3a75731ba08fcc444bb09452a2d5e8408b8de051b854e2b5636c820ad239bec6
Opcode Fuzzy Hash: 22e6bc8660376ad2ea9a540de99537a1b3d155314a76bc30d1a898eaf7a67d88
Instruction Fuzzy Hash: 8321383220416066D731AB25EC22FB7F3D8DF71319F18402AF9899B141EB51DD49D2B5

Function 00D537B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00D53840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00D53850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00D53876

Strings

Listbox, xrefs: 00D5380F

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 59e0dd7dbce2c4c076ab8d8487baa3937395cca6d0ecb48be0eaa075839d2ac7
Instruction ID: c82a660f68ff219421df416ccb7c3ecb6125d0b27f37c95b3855c1a2278a794c
Opcode Fuzzy Hash: 59e0dd7dbce2c4c076ab8d8487baa3937395cca6d0ecb48be0eaa075839d2ac7
Instruction Fuzzy Hash: 2721B072610218BBEF118F64CC41FAB3B6AEF89791F108114FD109B190C671DC569BB0

Function 00D349F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D34A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00D34A5C
SetErrorMode.KERNEL32(00000000,?,?,00D5CC08), ref: 00D34AD0

Strings

%lu, xrefs: 00D34A6F

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 5a068dee12483f940b08f81bc87ec816d6c03737b6d4737d35e7fa29f8ef8456
Instruction ID: 7621405a539b4182cca87208b176e0a6b8dad263ff6ea7abf106f9eb6159c220
Opcode Fuzzy Hash: 5a068dee12483f940b08f81bc87ec816d6c03737b6d4737d35e7fa29f8ef8456
Instruction Fuzzy Hash: D3312B75A00209AFDB10DF54C985EAA7BB8EF08308F1480A9F909DB252D775ED45DB71

Function 00D541EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00D5424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00D54264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00D54271

Strings

msctls_trackbar32, xrefs: 00D54226

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 16fb9b618165bfafc0924e5ae268aef026e6ee6e7286de3a05242e13af8e6048
Instruction ID: 12f92e6215fe2adc97fa39087906cac06610f95104f3d53ec2ecce4dfc0a1baa
Opcode Fuzzy Hash: 16fb9b618165bfafc0924e5ae268aef026e6ee6e7286de3a05242e13af8e6048
Instruction Fuzzy Hash: 6311E031240308BEEF205E29CC06FAB3BACEF85B69F114124FE55E20A0D671D8529B34

Function 00D22F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC6B57: _wcslen.LIBCMT ref: 00CC6B6A

Part of subcall function 00D22DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00D22DC5
Part of subcall function 00D22DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D22DD6
Part of subcall function 00D22DA7: GetCurrentThreadId.KERNEL32 ref: 00D22DDD
Part of subcall function 00D22DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00D22DE4

GetFocus.USER32 ref: 00D22F78

Part of subcall function 00D22DEE: GetParent.USER32(00000000), ref: 00D22DF9

GetClassNameW.USER32(?,?,00000100), ref: 00D22FC3
EnumChildWindows.USER32(?,00D2303B), ref: 00D22FEB

Strings

%s%d, xrefs: 00D22FFF

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 52fe7f3f01eb3d1fae3c02055e29b4c0f0573d1d28826e5e016ce0e056f400cb
Instruction ID: a630505c813eb0fab4812f08ac50cf4567f2c5a59eff8c0e426b7ec3d23ba8b8
Opcode Fuzzy Hash: 52fe7f3f01eb3d1fae3c02055e29b4c0f0573d1d28826e5e016ce0e056f400cb
Instruction Fuzzy Hash: 2511CD712003156BCF14BF60AD95EEE37AAEFA4309F044079FD099B292DE349A499B70

Function 00D55882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00D558C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00D558EE
DrawMenuBar.USER32(?), ref: 00D558FD

Strings

0, xrefs: 00D5588F

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: b8db673abeb1c9c03877343078e7ff4da36d9173ee5a2d75ce92b7da7586d1a9
Instruction ID: 9fa47df1f24ad474ac916f8ba33bdbc65876292792c9b9d07b4b14239e030b13
Opcode Fuzzy Hash: b8db673abeb1c9c03877343078e7ff4da36d9173ee5a2d75ce92b7da7586d1a9
Instruction Fuzzy Hash: 0F013C31500218EFDB119F51E844BAABBB4BB45362F14809AED49D6265EB348A84EF71

Function 00D2007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0f7f476013411a903e743a7d6115bd2e01167fbfb03ad32734f3694f7ef06c
Instruction ID: 29e44153aea4c1a225e5256543477353e0090f1e9d501a3ffa041b3e1ce13d81
Opcode Fuzzy Hash: 9a0f7f476013411a903e743a7d6115bd2e01167fbfb03ad32734f3694f7ef06c
Instruction Fuzzy Hash: C6C17D75A0021AEFDB04CF94D894EAEBBB5FF58308F148598E405EB252C731ED41CBA0

Function 00D4342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00D43459
CoUninitialize.OLE32 ref: 00D43463
VariantInit.OLEAUT32(?), ref: 00D4346E
VariantClear.OLEAUT32(?), ref: 00D4371B

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 053a98ff7528396190c1f571313ee882ef219b25119146a54633d5452978a7dd
Instruction ID: b33aff05a2202f4bf14761e00ce1195d03b392d95f4d99bf0ab41c82b3ad90db
Opcode Fuzzy Hash: 053a98ff7528396190c1f571313ee882ef219b25119146a54633d5452978a7dd
Instruction Fuzzy Hash: A0A105756043019FCB10DF28C585A2AB7E5FF88714F09895DF98A9B362DB30EE41DBA1

Function 00D20436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00D5FC08,?), ref: 00D205F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00D5FC08,?), ref: 00D20608
CLSIDFromProgID.OLE32(?,?,00000000,00D5CC40,000000FF,?,00000000,00000800,00000000,?,00D5FC08,?), ref: 00D2062D
_memcmp.LIBVCRUNTIME ref: 00D2064E

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: f69b66a33d08f35aff33f4be547b6bbf86149f006adc9a8e8a5041106734acb2
Instruction ID: 6c2cc086ad33c51844f6c3d7c96db0fe97ca793624e4aaab0a745f1051b29b6c
Opcode Fuzzy Hash: f69b66a33d08f35aff33f4be547b6bbf86149f006adc9a8e8a5041106734acb2
Instruction Fuzzy Hash: 43814C71A00219EFCB04DF94C984EEEBBB9FF99315F244158E506EB251DB71AE06CB60

Function 00D01391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00D014C0

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: ab5f58b796563745a73203eb127a8a14a5b1a1576f37278d350c8b5cb7e6c424
Instruction ID: 97f63394dce7d5db7f3410aeb52f3d9b60fb164e81b515b1ca652c739ab860b8
Opcode Fuzzy Hash: ab5f58b796563745a73203eb127a8a14a5b1a1576f37278d350c8b5cb7e6c424
Instruction Fuzzy Hash: 86413B39A00614ABDB256FFD9C45BBE3AA4EF41370F184229F61DD71E2E774C8416272

Function 00D56278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(019C13D0,?), ref: 00D562E2
ScreenToClient.USER32(?,?), ref: 00D56315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00D56382

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 2257f8b6524ada5363638db01141e20c58a779aa0690f490ed0928ee580844a1
Instruction ID: e80193170c5e66e9e506e369007aefaf52e79575e4a66dc73771965a756ee7bf
Opcode Fuzzy Hash: 2257f8b6524ada5363638db01141e20c58a779aa0690f490ed0928ee580844a1
Instruction Fuzzy Hash: 9E510A74A00209EFDF10DF68D881AAE7BB5EB45361F588169FC25DB2A0D730ED85CB60

Function 00D41AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00D41AFD
WSAGetLastError.WSOCK32 ref: 00D41B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00D41B8A
WSAGetLastError.WSOCK32 ref: 00D41B94

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: f387f42797044b4b8b715bd745a222ce418edeea4f9a93b5ffaec66a866342e0
Instruction ID: 71a15fc8381538ec3e2b31a79824c30d9e6255a7b0edece97e05a9ce3a0b0c62
Opcode Fuzzy Hash: f387f42797044b4b8b715bd745a222ce418edeea4f9a93b5ffaec66a866342e0
Instruction Fuzzy Hash: 95417038640300AFE720AF24C886F2977E5EB45718F54845CFA5A9F7D2D772DD819BA0

Function 00CFB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea050feaec64e9e1fbbd1e25cf463aec36d3a34bb38b16975c8d2917cf8ac666
Instruction ID: 6f10e504210d3b2ef51aabdbc971e1105bb869585ff47806e94d40fa31cd5d71
Opcode Fuzzy Hash: ea050feaec64e9e1fbbd1e25cf463aec36d3a34bb38b16975c8d2917cf8ac666
Instruction Fuzzy Hash: D1410675A00708AFD724AF38CC41BBABBA9EB88710F10452EF655DB682D771AD018B91

Function 00D356D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00D35783
GetLastError.KERNEL32(?,00000000), ref: 00D357A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00D357CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00D357FA

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 67e7a2343c5280ad3a3428d03f7e5a738e255bfef6769fed926a0a72dceff2d3
Instruction ID: 6b5417b5e5bfa485d4db930186596d93317d7ac8a4428eeed8edec85b4488317
Opcode Fuzzy Hash: 67e7a2343c5280ad3a3428d03f7e5a738e255bfef6769fed926a0a72dceff2d3
Instruction Fuzzy Hash: 4D411C35600610DFCB11DF55C545A5EBBE2EF89720F198488E84AAB366CB34FD41EFA1

Function 00CFD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00CE6D71,00000000,00000000,00CE82D9,?,00CE82D9,?,00000001,00CE6D71,8BE85006,00000001,00CE82D9,00CE82D9), ref: 00CFD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00CFD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00CFD9AB
__freea.LIBCMT ref: 00CFD9B4

Part of subcall function 00CF3820: RtlAllocateHeap.NTDLL(00000000,?,00D91444,?,00CDFDF5,?,?,00CCA976,00000010,00D91440,00CC13FC,?,00CC13C6,?,00CC1129), ref: 00CF3852

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 4acc57f64aa894f273db508fec1658d4b556a2736abf537b6333ed28822f665e
Instruction ID: 18caea3b634ebf0f1a46d776e1a7a90a602365ce3a5a0496c04b24ccc3630cca
Opcode Fuzzy Hash: 4acc57f64aa894f273db508fec1658d4b556a2736abf537b6333ed28822f665e
Instruction Fuzzy Hash: 6D31FC72A1030AABDF249FA5DC41EBE7BA6EB40310F050168FD15D7290EB75CE50CBA1

Function 00D552C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00D55352
GetWindowLongW.USER32(?,000000F0), ref: 00D55375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D55382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00D553A8

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: a1a8c16b18d21c4f93ef567c09820e55e528a22c6e84121c7704fea91282a4a1
Instruction ID: 667bab2aead9802bab07459b8b6824c34e0726a5c570466f5e269a38227e0d8c
Opcode Fuzzy Hash: a1a8c16b18d21c4f93ef567c09820e55e528a22c6e84121c7704fea91282a4a1
Instruction Fuzzy Hash: 0531F434A55B08EFFF329F54EC25BE83761AB04392F5C4002FE59962E4C7B099489B71

Function 00D2AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00D2ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00D2AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00D2AC74
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00D2ACC6

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: cdc2411d7518492a458e88cfb833836d9f731f0f860e6c0b431dd831522687a6
Instruction ID: 4d24e7aaae3ac6b4e4593d684414f63d3bfa7f9b82a71ec4c9a9e6069e5d9c52
Opcode Fuzzy Hash: cdc2411d7518492a458e88cfb833836d9f731f0f860e6c0b431dd831522687a6
Instruction Fuzzy Hash: C3312C34904328AFFF34CB68EC047FE7765EFA5318F08421AE481921D1C3748985A772

Function 00D57674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00D5769A
GetWindowRect.USER32(?,?), ref: 00D57710
PtInRect.USER32(?,?,00D58B89), ref: 00D57720
MessageBeep.USER32(00000000), ref: 00D5778C

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: dbd99c677ef10c3b3e681a24d3566184e84153ed15297d95d6a168dc2c9e070f
Instruction ID: 7ef094086fa81e36a5ba9112e0b34d0fd1d60f932032c40fd8802899882cb89d
Opcode Fuzzy Hash: dbd99c677ef10c3b3e681a24d3566184e84153ed15297d95d6a168dc2c9e070f
Instruction Fuzzy Hash: 1A415A38605215AFCF01CF58E894AA977B5FB49316F2940A9EC25DB361D730A94ACFA0

Function 00D516DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00D516EB

Part of subcall function 00D23A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D23A57
Part of subcall function 00D23A3D: GetCurrentThreadId.KERNEL32 ref: 00D23A5E
Part of subcall function 00D23A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00D225B3), ref: 00D23A65

GetCaretPos.USER32(?), ref: 00D516FF
ClientToScreen.USER32(00000000,?), ref: 00D5174C
GetForegroundWindow.USER32 ref: 00D51752

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 6ecb0e09c36a91dcc6b6928b4a1e750f5363e57023f294f4428bffc37e340b7c
Instruction ID: bd6fedd39755c6d9b1e91982d42aaec384c4eded1c2f54b03758de6605d0c82f
Opcode Fuzzy Hash: 6ecb0e09c36a91dcc6b6928b4a1e750f5363e57023f294f4428bffc37e340b7c
Instruction Fuzzy Hash: 20311075D00249AFCB04EFA9C881DAEBBF9EF48304B5480AEE815E7251D735DE45CBA0

Function 00D2D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00D2D501
Process32FirstW.KERNEL32(00000000,?), ref: 00D2D50F
Process32NextW.KERNEL32(00000000,?), ref: 00D2D52F
CloseHandle.KERNEL32(00000000), ref: 00D2D5DC

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 16f5bfe5b44384cf8dd8ef445b439dc2a8e3f4a1a929a1a4db0b8f847fad6889
Instruction ID: 4bad87e37f6df22c435fab04a28b4da37d8bfc8c9532907d1ae583a79fc3769f
Opcode Fuzzy Hash: 16f5bfe5b44384cf8dd8ef445b439dc2a8e3f4a1a929a1a4db0b8f847fad6889
Instruction Fuzzy Hash: 50317E711083009FD300EF54D885EAFBBE8EF9A358F14092DF581862A1EB719944DBA2

Function 00D58FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CD9BB2

GetCursorPos.USER32(?), ref: 00D59001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00D17711,?,?,?,?,?), ref: 00D59016
GetCursorPos.USER32(?), ref: 00D5905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00D17711,?,?,?), ref: 00D59094

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 66a49d821fe110bdfe49adc18a30727fa19f801b4e0836fc3134624d670ce7ec
Instruction ID: 3f160fb0f4d72b6531bfa20afa252d8d7696eb453f5022b87799313ffedfc28a
Opcode Fuzzy Hash: 66a49d821fe110bdfe49adc18a30727fa19f801b4e0836fc3134624d670ce7ec
Instruction Fuzzy Hash: 7A215C35600218FFDF258F98C868EEABBB9EB49352F144455FD05872A1D7319950EB70

Function 00D2D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00D5CB68), ref: 00D2D2FB
GetLastError.KERNEL32 ref: 00D2D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00D2D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00D5CB68), ref: 00D2D376

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: bcfa4b532475f6d6b7daae1cf1cb2951927863c82437280ff8efb11af5c0fdee
Instruction ID: 5f366a1ab4052d569671750e14fb89aa6da7111c73842bc8012ace4683c91b8e
Opcode Fuzzy Hash: bcfa4b532475f6d6b7daae1cf1cb2951927863c82437280ff8efb11af5c0fdee
Instruction Fuzzy Hash: 8421A1705083119F8700DF28D8859AE77E4EE66369F544A1DF899C32A1D730D949CBA7

Function 00D21571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D21014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00D2102A
Part of subcall function 00D21014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00D21036
Part of subcall function 00D21014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D21045
Part of subcall function 00D21014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00D2104C
Part of subcall function 00D21014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D21062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00D215BE
_memcmp.LIBVCRUNTIME ref: 00D215E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D21617
HeapFree.KERNEL32(00000000), ref: 00D2161E

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 1d837dc382b6a9abd475fc51acbd7445ce16a015a44d10411bba054a6c40c47a
Instruction ID: 959c7fe5f5837fd424cf5c89c1d4f5d362c711f4523d953bab1561003a83e5e9
Opcode Fuzzy Hash: 1d837dc382b6a9abd475fc51acbd7445ce16a015a44d10411bba054a6c40c47a
Instruction Fuzzy Hash: FC219031E00218EFDF10DFA4D945BEEB7F8EFA4359F188459E441A7241D730AA05CB60

Function 00D52782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00D5280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00D52824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00D52832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00D52840

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 899a14f5f1bb10af569c0d60bd28893d93e9ded6ec5965566b4a8656e2bfe529
Instruction ID: bd9032ad4ea7e6492f16563aaabeb8f8049835108d897cff770ebcadfd1a2e0e
Opcode Fuzzy Hash: 899a14f5f1bb10af569c0d60bd28893d93e9ded6ec5965566b4a8656e2bfe529
Instruction Fuzzy Hash: 19219231204611AFDB14DB64C845F7A7B95EF4A326F148158FC26CB6A2C771ED8AC7E0

Function 00D278F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D28D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00D2790A,?,000000FF,?,00D28754,00000000,?,0000001C,?,?), ref: 00D28D8C
Part of subcall function 00D28D7D: lstrcpyW.KERNEL32(00000000,?,?,00D2790A,?,000000FF,?,00D28754,00000000,?,0000001C,?,?,00000000), ref: 00D28DB2
Part of subcall function 00D28D7D: lstrcmpiW.KERNEL32(00000000,?,00D2790A,?,000000FF,?,00D28754,00000000,?,0000001C,?,?), ref: 00D28DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00D28754,00000000,?,0000001C,?,?,00000000), ref: 00D27923
lstrcpyW.KERNEL32(00000000,?,?,00D28754,00000000,?,0000001C,?,?,00000000), ref: 00D27949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00D28754,00000000,?,0000001C,?,?,00000000), ref: 00D27984

Strings

cdecl, xrefs: 00D2797B

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 97c8ad09d5abc7e08c61ed8ca3fd94b706535f17a46b575af331230a034a9c54
Instruction ID: b8101be214f5ca6fca825a8c880f1ee2ee59a582dd3660728b9e5a2538ed1b53
Opcode Fuzzy Hash: 97c8ad09d5abc7e08c61ed8ca3fd94b706535f17a46b575af331230a034a9c54
Instruction Fuzzy Hash: A911293A200311AFCB255F34E844E7A77A5FF65354B00402AF946C73A4EB31D841DB71

Function 00D57CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00D57D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00D57D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00D57D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00D3B7AD,00000000), ref: 00D57D6B

Part of subcall function 00CD9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CD9BB2

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 26710c12df0e87bc7bfb5a4e5eba3421038802c62ee40daf504958af59c07e1c
Instruction ID: ace90ede7eded125a67f72f857209363be149c84923a0aaffce7ce44a2181819
Opcode Fuzzy Hash: 26710c12df0e87bc7bfb5a4e5eba3421038802c62ee40daf504958af59c07e1c
Instruction Fuzzy Hash: 6511AC35214715AFCF108F28EC04AAA3BA5AF45362B294326FC39D72F0EB319955CB60

Function 00D55660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00D556BB
_wcslen.LIBCMT ref: 00D556CD
_wcslen.LIBCMT ref: 00D556D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00D55816

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 92dfc92c464594ff63f3fea08e1aa49f89a04561b6b29f338652ec089c7645b5
Instruction ID: d744b4129189a1f7f4a8b0459a3ed21923bf47c517ac9a83a4056c9e5be2624e
Opcode Fuzzy Hash: 92dfc92c464594ff63f3fea08e1aa49f89a04561b6b29f338652ec089c7645b5
Instruction Fuzzy Hash: 27110335600608AADF219FA1EC81AEE37BCEF01362B144026FD05D6085EB70CA88CF70

Function 00CF1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf8392602b3ea4a425368f70e095c309156ab333a3e55ee4dd5ec72868c37488
Instruction ID: 696abc3943060666b9bd4f8871df4ade810fe762984b4a510ce79397852559df
Opcode Fuzzy Hash: bf8392602b3ea4a425368f70e095c309156ab333a3e55ee4dd5ec72868c37488
Instruction Fuzzy Hash: 8F014FB2205B1EBEF69216796CC1F77662DDF413B8B391325FB31A12D2DB608D005172

Function 00D21A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00D21A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D21A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D21A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D21A8A

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a7e6674c1aa565e5f5f78b97eeb9ca17053b8753277306f77bef616f6398b4b5
Instruction ID: 14b197056d56892ed506cbfb7ff30189b81fd4c22d2fe9c8616ba0f9b57c1f25
Opcode Fuzzy Hash: a7e6674c1aa565e5f5f78b97eeb9ca17053b8753277306f77bef616f6398b4b5
Instruction Fuzzy Hash: 29113C3AD01229FFEB10DBA4CD85FADBB78FB18754F204091EA00B7290D6716E51DBA4

Function 00D2E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00D2E1FD
MessageBoxW.USER32(?,?,?,?), ref: 00D2E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00D2E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00D2E24D

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 836bbb460af0b5283da9a919db01a59bd68d01685b9827879a47323c78071491
Instruction ID: 3017c74d04d4ac6f64955b15fd5f7c11a702ff0e280513e2c66c4641f30f4846
Opcode Fuzzy Hash: 836bbb460af0b5283da9a919db01a59bd68d01685b9827879a47323c78071491
Instruction Fuzzy Hash: 1611C476904369FFD7019BA8AC09A9E7FACEF45325F14425AF925E3391D6B0CD0487B0

Function 00CED1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00CECFF9,00000000,00000004,00000000), ref: 00CED218
GetLastError.KERNEL32 ref: 00CED224
__dosmaperr.LIBCMT ref: 00CED22B
ResumeThread.KERNEL32(00000000), ref: 00CED249

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: f552547e2558c019a34d0bc343d65fcd411377bb80f609d49e45c93bcfa4ba05
Instruction ID: 0b7d5ac7697893d2f470270df0dcfe3c65515fbd28fe8fcf3c94afd726147069
Opcode Fuzzy Hash: f552547e2558c019a34d0bc343d65fcd411377bb80f609d49e45c93bcfa4ba05
Instruction Fuzzy Hash: 5B012236805388BFDB106BA7DC09BAE3A69EF81331F100219FA26921D0CB708D01D6A0

Function 00D59EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00CD9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CD9BB2

GetClientRect.USER32(?,?), ref: 00D59F31
GetCursorPos.USER32(?), ref: 00D59F3B
ScreenToClient.USER32(?,?), ref: 00D59F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00D59F7A

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 859071985227067ca3fde10c38e1da57c3447b4b4904eaa28c19e1fb6924e750
Instruction ID: 4d5830fc315d8370fd552d245caa2ae2fb758f675b398d801fc611c19f775303
Opcode Fuzzy Hash: 859071985227067ca3fde10c38e1da57c3447b4b4904eaa28c19e1fb6924e750
Instruction Fuzzy Hash: 0D11223690021AEBDF109FA8D8999EEB7B8EF05312F040451FD11E3250D730BA89CBB1

Function 00CC600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00CC604C
GetStockObject.GDI32(00000011), ref: 00CC6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00CC606A

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: b97f62bb39cdbda6b8cebbb748d474f5e2e440733ba0af6c97958c6fd5b8c0af
Instruction ID: 839f39975cda51a78adae4a174d105012b73ce227ff487915f30c244517cf018
Opcode Fuzzy Hash: b97f62bb39cdbda6b8cebbb748d474f5e2e440733ba0af6c97958c6fd5b8c0af
Instruction Fuzzy Hash: FF115E72501709BFEF124F94DD44FEABF69EF08395F050119FE14A2110D7329D609BA4

Function 00CE3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00CE3B56

Part of subcall function 00CE3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00CE3AD2
Part of subcall function 00CE3AA3: ___AdjustPointer.LIBCMT ref: 00CE3AED

_UnwindNestedFrames.LIBCMT ref: 00CE3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00CE3B7C
CallCatchBlock.LIBVCRUNTIME ref: 00CE3BA4

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: e8bcef6bcbf7bf933a239084494b69b0d25979c66b55407d3ee0a8a8c0bec63d
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: D7010C321001C9BBDF126E96CC46EEB7F6EEF98754F044054FE5896121C732E961EBA0

Function 00CF3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00CC13C6,00000000,00000000,?,00CF301A,00CC13C6,00000000,00000000,00000000,?,00CF328B,00000006,FlsSetValue), ref: 00CF30A5
GetLastError.KERNEL32(?,00CF301A,00CC13C6,00000000,00000000,00000000,?,00CF328B,00000006,FlsSetValue,00D62290,FlsSetValue,00000000,00000364,?,00CF2E46), ref: 00CF30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00CF301A,00CC13C6,00000000,00000000,00000000,?,00CF328B,00000006,FlsSetValue,00D62290,FlsSetValue,00000000), ref: 00CF30BF

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 648a78fe94a1dba6cbb5871393862a4278568d977232d5efbf64a81532cd6b2e
Instruction ID: 2852446bc877dee4416e234e7a7dd70c9956dc56461717bbba06781f82ceebd8
Opcode Fuzzy Hash: 648a78fe94a1dba6cbb5871393862a4278568d977232d5efbf64a81532cd6b2e
Instruction Fuzzy Hash: 8301B13231136ABBCB614A69AC44A667B98AF45BA1B110621EE15E3280CF21DA41C6E1

Function 00D27464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00D2747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00D27497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00D274AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00D274CA

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: a0d1bc49f707d2d81847fba9e6ca96548094234e154224196d3109e446e6cd5b
Instruction ID: 2065a06935cdff0ecc1628c9e1db2520e275ac1dd57733920b10e316412e196e
Opcode Fuzzy Hash: a0d1bc49f707d2d81847fba9e6ca96548094234e154224196d3109e446e6cd5b
Instruction Fuzzy Hash: 7A11C4B12053249FE7309F14EC08F927FFCEB00B08F108569AA66D6151D770E905DB71

Function 00D2B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00D2ACD3,?,00008000), ref: 00D2B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00D2ACD3,?,00008000), ref: 00D2B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00D2ACD3,?,00008000), ref: 00D2B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00D2ACD3,?,00008000), ref: 00D2B126

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 0fb00bff933e2e6a8c3251dc26a1d3299d45ab3c5f0071abef0877487a687e97
Instruction ID: 23610930d5576eb476d3edd62b1f8fa6b2df5df205d8dac5a0e6ad8404b59ba3
Opcode Fuzzy Hash: 0fb00bff933e2e6a8c3251dc26a1d3299d45ab3c5f0071abef0877487a687e97
Instruction Fuzzy Hash: 8C113C31D01B39EBCF01AFA4E968AEEBB78FF2A725F104086D941B2241CB7095508B61

Function 00D22DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00D22DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00D22DD6
GetCurrentThreadId.KERNEL32 ref: 00D22DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00D22DE4

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: b4462bde7d7b7686c03478e6379fd2ff7519280de5356cd204e16db7dc8301e7
Instruction ID: 39e144200f42fbb3bb070a494d11cf98fc64018591efa0ce2a1ca906b2056be3
Opcode Fuzzy Hash: b4462bde7d7b7686c03478e6379fd2ff7519280de5356cd204e16db7dc8301e7
Instruction Fuzzy Hash: 75E06D722113347BD7201B72AC0DEFB3E6CEB52BA6F041015B905D11909AA5C940C6F0

Function 00D58863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00CD9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00CD9693
Part of subcall function 00CD9639: SelectObject.GDI32(?,00000000), ref: 00CD96A2
Part of subcall function 00CD9639: BeginPath.GDI32(?), ref: 00CD96B9
Part of subcall function 00CD9639: SelectObject.GDI32(?,00000000), ref: 00CD96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00D58887
LineTo.GDI32(?,?,?), ref: 00D58894
EndPath.GDI32(?), ref: 00D588A4
StrokePath.GDI32(?), ref: 00D588B2

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 7d1b6368635b1c27d96234b8697a84d68989465249b69b246cd17914bc63c769
Instruction ID: 00a3e3c68edebeb63d3f970a522058b67264d0ceb434540201eb65bb9f608dc9
Opcode Fuzzy Hash: 7d1b6368635b1c27d96234b8697a84d68989465249b69b246cd17914bc63c769
Instruction Fuzzy Hash: 41F03A3A041359BADB126F98AC09FCA3F59AF16352F048001FE21A52E1C7755511DFF5

Function 00CD98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00CD98CC
SetTextColor.GDI32(?,?), ref: 00CD98D6
SetBkMode.GDI32(?,00000001), ref: 00CD98E9
GetStockObject.GDI32(00000005), ref: 00CD98F1

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: fc6e3643e7f923d87b634669f39cd9abfafccae0599aa57a755f772a2f2a26a8
Instruction ID: e893214c004cf887e1df699762fac127451e1f37cf3736c74fc98c18f4fa891f
Opcode Fuzzy Hash: fc6e3643e7f923d87b634669f39cd9abfafccae0599aa57a755f772a2f2a26a8
Instruction Fuzzy Hash: 78E06531254740AEDB215B74FC09BD83F21EB11376F048219FAF9941E1C77146409B30

Function 00D2162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00D21634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00D211D9), ref: 00D2163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00D211D9), ref: 00D21648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00D211D9), ref: 00D2164F

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: e924e3cae3f133c59aa5241b9af088f11b0f4396717c6c3d89cbfd5100c71453
Instruction ID: 84fd7956e857ecd99cc4f51eb2c94f11120a12c95f200a5c2cf21726ef79fc01
Opcode Fuzzy Hash: e924e3cae3f133c59aa5241b9af088f11b0f4396717c6c3d89cbfd5100c71453
Instruction Fuzzy Hash: 8CE04F75612321AFD7301BA4AD0DB4A3B68AF64B97F188808FA45C9080D6244440C774

Function 00D1D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00D1D858
GetDC.USER32(00000000), ref: 00D1D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00D1D882
ReleaseDC.USER32(?), ref: 00D1D8A3

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e3d17cb93b107a1be48002ed3b3e8a1303d8022cc44690f5433af91ebbd58e4a
Instruction ID: 3eda56d0b28f4ea7819a3996976dbf7246f827199809569025a09c4354a45a5a
Opcode Fuzzy Hash: e3d17cb93b107a1be48002ed3b3e8a1303d8022cc44690f5433af91ebbd58e4a
Instruction Fuzzy Hash: 97E0E5B0810304EFCB419FA4D808A6DBBB2EB08312B109009E84AE7360CB389A41EF60

Function 00D1D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00D1D86C
GetDC.USER32(00000000), ref: 00D1D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00D1D882
ReleaseDC.USER32(?), ref: 00D1D8A3

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: febc21f114ff6bd266481bd812840e9a2fd2aedc4a088ffd387920107316aa57
Instruction ID: 933dbc8aaf1ab1cc77f132afff2dd36447c0238a23a958adda7d3ab16f99e551
Opcode Fuzzy Hash: febc21f114ff6bd266481bd812840e9a2fd2aedc4a088ffd387920107316aa57
Instruction Fuzzy Hash: 96E01A70C10300DFCF409FA4D80866DBBB1FB08312B109009F90AE7360C7385A01EF60

Function 00D34D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC7620: _wcslen.LIBCMT ref: 00CC7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00D34ED4

Strings

LPT, xrefs: 00D34DFB
*, xrefs: 00D34E10

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: f4872af5890439bcdf82bfde4d490624da8a651b5489290c786eaf0311be2322
Instruction ID: b24833fc8ce7110fe559b5fca7f6979505ab69449b1194f5ad62474189ebdbc3
Opcode Fuzzy Hash: f4872af5890439bcdf82bfde4d490624da8a651b5489290c786eaf0311be2322
Instruction Fuzzy Hash: FD914D75A002049FCB14DF58C484EAABBF1BF45304F1D8099E84A9F362D735EE85CBA1

Function 00CDE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00CDE1B1

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: fc7f9f0c33e20bfffaa82eab6a5f060f4b661aa8010f72afdbb1e3da6868f4bc
Instruction ID: 6660de017c24e7c1d5c4691808898b3dea420a5f7cf8763764bb791692e7bc41
Opcode Fuzzy Hash: fc7f9f0c33e20bfffaa82eab6a5f060f4b661aa8010f72afdbb1e3da6868f4bc
Instruction Fuzzy Hash: 7B511775500346EFEB15EF68D481AFA7BA4EF55310F28405AED919F2D0DB309E82D7A0

Function 00CDF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00CDF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00CDF2BB

Strings

@, xrefs: 00CDF2AF

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 2d7223f390622e82b6bfb1ff01b8bb28f445f87159ee3a4745c8c2cc24dd9647
Instruction ID: b79794a2ed9d4efb50b66fab3f8f64980e2fd03b65cbe29ab04b82857fc793e6
Opcode Fuzzy Hash: 2d7223f390622e82b6bfb1ff01b8bb28f445f87159ee3a4745c8c2cc24dd9647
Instruction Fuzzy Hash: 5B5134724187449BD320AF54DC86BABBBF8FB84300F81895DF1D9811A5EB708569CB66

Function 00D45745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00D457E0
_wcslen.LIBCMT ref: 00D457EC

Strings

CALLARGARRAY, xrefs: 00D457E6, 00D457EB

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 262acf7ee2c30fe400e64a8baaf26b19364b372190e9a9c3b9ace83d591cf911
Instruction ID: 576e4862a1e2387fda4beb139afec030e769052ce161bffa8e6e8b19a5d6f466
Opcode Fuzzy Hash: 262acf7ee2c30fe400e64a8baaf26b19364b372190e9a9c3b9ace83d591cf911
Instruction Fuzzy Hash: 8E419F31E002099FCF14EFA8D8859AEBBB5EF59324F144169E505A7396EB309D81DBB0

Function 00D3D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D3D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00D3D13A

Strings

|, xrefs: 00D3D10B

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: aedb38df0d028c80da50399984e7f7d65af2cf9ada757166b3fe007f70a35e0c
Instruction ID: ee2efa931d8e2916e6b1b4172e53e06bf3e5e3a90dac38539f82761abb77a7dd
Opcode Fuzzy Hash: aedb38df0d028c80da50399984e7f7d65af2cf9ada757166b3fe007f70a35e0c
Instruction Fuzzy Hash: 9B31F871D00219ABCF15EFA5DD85EEEBFBAFF04340F100019E815A6166E731AA56DB60

Function 00D5356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00D53621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00D5365C

Strings

static, xrefs: 00D535BC

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: b8dd0a3ff95e6af4c317ba0ae8f22be6332cf1c6342776caa8a10f62c3500a2f
Instruction ID: 51cb524a886ef1b0392cdffd917fff92cd2b4754034f9afb0c48e0db508067cd
Opcode Fuzzy Hash: b8dd0a3ff95e6af4c317ba0ae8f22be6332cf1c6342776caa8a10f62c3500a2f
Instruction Fuzzy Hash: 0C317871110604AEDB109F68D880EBB73A9EF887A1F10961DFDA5D7290DA30A9969B70

Function 00D54537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00D5461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00D54634

Strings

', xrefs: 00D5458E

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: f9aa8236f7db66a2ce786674255e0c27a24ef25334f567075ed8fed3a1b13113
Instruction ID: 2fe0634f9fb16fc4f3ead22ede699bcf095a89015f8b9594b636c741c2c9e171
Opcode Fuzzy Hash: f9aa8236f7db66a2ce786674255e0c27a24ef25334f567075ed8fed3a1b13113
Instruction Fuzzy Hash: F1310674A0130AAFDF14CF69C990BDA7BB5FB09305F14406AED04AB391E770A985CFA1

Function 00CC3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00D033A2

Part of subcall function 00CC6B57: _wcslen.LIBCMT ref: 00CC6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00CC3A04

Strings

Line: , xrefs: 00D033EB

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 262aa289d5dbc12f68548c14462a7f4dedfb22e81e965d4f760692cec7bf6ed6
Instruction ID: d3605e8d34d7af6b987e354796fab1d5757022f80b66249af49d33a1e0e9b7e0
Opcode Fuzzy Hash: 262aa289d5dbc12f68548c14462a7f4dedfb22e81e965d4f760692cec7bf6ed6
Instruction Fuzzy Hash: 9831C371508381AED725EB60EC45FEBB7ECAB40710F04892EF599931D1DB709A48D7E2

Function 00D531EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00D5327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D53287

Strings

Combobox, xrefs: 00D53249

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: f218fec20bffa42597039d388c57cd036b895e090d82f0a80eb62a9a7762ac1b
Instruction ID: af99ad48273633980cdf1c9cd5ed13b0c395d7913fbdaf8dcc2d2072b6258dbf
Opcode Fuzzy Hash: f218fec20bffa42597039d388c57cd036b895e090d82f0a80eb62a9a7762ac1b
Instruction Fuzzy Hash: 4311EF713006087FEF219E94DC80EBB3B6AEB983A5F144128FD18EB290D631DD6597B4

Function 00D53710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00CC600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00CC604C
Part of subcall function 00CC600E: GetStockObject.GDI32(00000011), ref: 00CC6060
Part of subcall function 00CC600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00CC606A

GetWindowRect.USER32(00000000,?), ref: 00D5377A
GetSysColor.USER32(00000012), ref: 00D53794

Strings

static, xrefs: 00D53757

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 4a5460514e3e03fca154904f4e2e0e2f1b576eb1a64e647d30fc4c8380f04277
Instruction ID: b778abc3fa083ed91c66fc01c901dc43fb2ea5ad616e3b855aa932cbc4c949ac
Opcode Fuzzy Hash: 4a5460514e3e03fca154904f4e2e0e2f1b576eb1a64e647d30fc4c8380f04277
Instruction Fuzzy Hash: 9B1167B2A1020AAFDF00DFA8CC46EEA7BB8FB08345F004914FD95E2250E734E855DB60

Function 00D3CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00D3CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00D3CDA6

Strings

<local>, xrefs: 00D3CD66

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: b7e6bc78a474c7c4f515b3e4e2a0cdb79538b1f88104dd22ff5d7db17c07f5f8
Instruction ID: 9d5118e1125fd51bde308158ad432897b4ac8f1948e5faf884eb7e638e0f978f
Opcode Fuzzy Hash: b7e6bc78a474c7c4f515b3e4e2a0cdb79538b1f88104dd22ff5d7db17c07f5f8
Instruction Fuzzy Hash: E111C275225731BED7384B66AC49EF7BEACEF127A4F00522AB549A3180D7709841D7F0

Function 00D53429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00D534AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00D534BA

Strings

edit, xrefs: 00D5348F

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 3278ac9c15d26a82208d688955bd14314ad249dd321a701be0ed98d513d6088c
Instruction ID: 6c43e89f9de77e4a30ed614e50988ce7e334afd0ab815b27ddcd4d7bc465a58d
Opcode Fuzzy Hash: 3278ac9c15d26a82208d688955bd14314ad249dd321a701be0ed98d513d6088c
Instruction Fuzzy Hash: 9C116A71100208AFEF128E64DC44AAB376AEB053B6F544724FD61D32E0C771DD9AAB70

Function 00D26C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00CC9CB3: _wcslen.LIBCMT ref: 00CC9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00D26CB6
_wcslen.LIBCMT ref: 00D26CC2

Strings

STOP, xrefs: 00D26CBC, 00D26CC1

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 5181660dbc0433c5c236081d655522b85e18c5764479594952ebb3ff75a13afd
Instruction ID: 00a4003fd8f3aa5f13da014c3b9ff924f71a19432b6377a4a197d65ba3629a8e
Opcode Fuzzy Hash: 5181660dbc0433c5c236081d655522b85e18c5764479594952ebb3ff75a13afd
Instruction Fuzzy Hash: 39010432A0063A8BCB20AFBDEC809BF37A4EB717187040528E86293190EA31D940D660

Function 00D21CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC9CB3: _wcslen.LIBCMT ref: 00CC9CBD

Part of subcall function 00D23CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D23CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00D21D4C

Strings

ComboBox, xrefs: 00D21CEB
ListBox, xrefs: 00D21D16

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: e7f3939b372a730702ab9d8d55f960575962910c732968c0c133bdb1b28d3aa5
Instruction ID: 2e173620109fbcc187abd9af0ce5a726dca86b59808dc952e25880f67130fbee
Opcode Fuzzy Hash: e7f3939b372a730702ab9d8d55f960575962910c732968c0c133bdb1b28d3aa5
Instruction Fuzzy Hash: 4A01D875601224ABCB04EFA4EC55EFE7768EB76354F044619F872573D1EA3059089770

Function 00D21BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC9CB3: _wcslen.LIBCMT ref: 00CC9CBD

Part of subcall function 00D23CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D23CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00D21C46

Strings

ComboBox, xrefs: 00D21BE5
ListBox, xrefs: 00D21C10

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 9aba860fe9ab519a96eb558f8f912dd2e566894978ae7014f795a930e29b1b68
Instruction ID: b292a9921ac3b102d868a5745c4147bbb0c8b4d8159719b0bce35faf78461c47
Opcode Fuzzy Hash: 9aba860fe9ab519a96eb558f8f912dd2e566894978ae7014f795a930e29b1b68
Instruction Fuzzy Hash: F301A7797812186ACB04FB90E955EFFB7A8DB32344F140019E816772C1EA349F1CA7B1

Function 00D21C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC9CB3: _wcslen.LIBCMT ref: 00CC9CBD

Part of subcall function 00D23CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D23CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00D21CC8

Strings

ComboBox, xrefs: 00D21C69
ListBox, xrefs: 00D21C94

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 57ccfb85889a61ce39808c469f461e44bce9df0f30baf63cea3140b3b86db1b2
Instruction ID: a0650941888529f1f77192dbbd7310c92b2b37f96977ddc78bf9da93a5731523
Opcode Fuzzy Hash: 57ccfb85889a61ce39808c469f461e44bce9df0f30baf63cea3140b3b86db1b2
Instruction Fuzzy Hash: 7A01DB797402246BCB04FB91DA15FFEB7ACDB31344F140019B80173281EA319F18E671

Function 00D21D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC9CB3: _wcslen.LIBCMT ref: 00CC9CBD

Part of subcall function 00D23CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D23CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00D21DD3

Strings

ComboBox, xrefs: 00D21D75
ListBox, xrefs: 00D21DA0

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: bfbdad3948dc63bfb75e3e0324ad520046d684542a739af8266fc5df98335773
Instruction ID: 0f8e3600691c0eb41fc43cc5acb4bd83ddc9d681bb2bf5dbc28404a1269fc8c0
Opcode Fuzzy Hash: bfbdad3948dc63bfb75e3e0324ad520046d684542a739af8266fc5df98335773
Instruction Fuzzy Hash: 0DF0A475B41228AADB14FBA4EC56FFE7768EB22354F040919F862632C1DA719A0C9270

Function 00D4747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D47493
_wcslen.LIBCMT ref: 00D474B9

Strings

3, 3, 16, 1, xrefs: 00D47483

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: b96b5b183ccd8268a9cd3c9986f4399c9d1e448aaf5ec5ba1adbc851283fbc4b
Instruction ID: 297275771a3faf96d482e881e2d04318efd4f2a11c146a9a43a5edeecabd8d06
Opcode Fuzzy Hash: b96b5b183ccd8268a9cd3c9986f4399c9d1e448aaf5ec5ba1adbc851283fbc4b
Instruction Fuzzy Hash: 9FE06102304360159335227BDCC197F578DCFC9750714182BF989D2267EB94CD91A3F1

Function 00D20B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00D20B23

Strings

AutoIt, xrefs: 00D20B17
Error allocating memory., xrefs: 00D20B1C

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 74cde0b70b6438cda7b84ab996d1f5a1309f92e718f469d7ec9963326759f3e7
Instruction ID: c91d81da9a3030f8535ca62bfbff792657c93c1ceb626dcd4bbd399e94879566
Opcode Fuzzy Hash: 74cde0b70b6438cda7b84ab996d1f5a1309f92e718f469d7ec9963326759f3e7
Instruction Fuzzy Hash: 8CE0D8312443182ED21436957C03F897F84DF09F52F10042BFF48956C38AD124545AB9

Function 00CE0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00CDF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00CE0D71,?,?,?,00CC100A), ref: 00CDF7CE

IsDebuggerPresent.KERNEL32(?,?,?,00CC100A), ref: 00CE0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00CC100A), ref: 00CE0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00CE0D7F

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 9e624df3c104cc89b3e7999e776d0aac88db15c417dc4e0da030c152da6d52e1
Instruction ID: 69e5ad44c4a70ceaa6db4cbd47dd62c3b0277fe8aac6f11a862afb2c5ad51226
Opcode Fuzzy Hash: 9e624df3c104cc89b3e7999e776d0aac88db15c417dc4e0da030c152da6d52e1
Instruction Fuzzy Hash: 30E06D742007518FD7209FB9D8087467BE0BB00745F11492DE882C6751DBF4E5888BF1

Function 00D1D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00D1D220

Strings

%.3d, xrefs: 00D1D22B
X64, xrefs: 00D1D2A8

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 5c9c4b2cb879bd34f6aac54a08212971b667c30a317c2fce73bc11afd93e0d78
Instruction ID: a17747c7564fa69c90d91c281f9d7f25845a4dba4e10936e7df15e6e8b8a262d
Opcode Fuzzy Hash: 5c9c4b2cb879bd34f6aac54a08212971b667c30a317c2fce73bc11afd93e0d78
Instruction Fuzzy Hash: 76D01261C08218FACB5096D0EC859FAB37DFB19301F608453F967D1140DB34D5886775

Function 00D52356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D5236C
PostMessageW.USER32(00000000), ref: 00D52373

Part of subcall function 00D2E97B: Sleep.KERNEL32 ref: 00D2E9F3

Strings

Shell_TrayWnd, xrefs: 00D52365

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 1b8c0c5c97828663abad15a0e66ba6b6be59e215af8d358512afcfaf18e23f53
Instruction ID: 6cb498f55d01e486bf65cf6f33b6c61b076bb1c5f094cf5c08c4fa26db940d12
Opcode Fuzzy Hash: 1b8c0c5c97828663abad15a0e66ba6b6be59e215af8d358512afcfaf18e23f53
Instruction Fuzzy Hash: 5AD0A9323903207EE264B370AC0FFC666049B00B11F0009027A01EA2E0C8A0A8008A74

Function 00D52322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D5232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00D5233F

Part of subcall function 00D2E97B: Sleep.KERNEL32 ref: 00D2E9F3

Strings

Shell_TrayWnd, xrefs: 00D52325

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 66c67596f6242d571dba87eb7fc3fe9fa2b06f0c6bebbb59ef192adedb34b1d9
Instruction ID: 2117448fb4b2ac0933de215778ebb6ac0bb69fe2f2d20acd939b001288f14191
Opcode Fuzzy Hash: 66c67596f6242d571dba87eb7fc3fe9fa2b06f0c6bebbb59ef192adedb34b1d9
Instruction Fuzzy Hash: F6D0C9763A4320BAE664B770AC1FFC66A149B10B15F1059167A45EA2E0D9A0A8458A74

Function 00CFBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00CFBE93
GetLastError.KERNEL32 ref: 00CFBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00CFBEFC

Memory Dump Source

Source File: 00000000.00000002.2178260456.0000000000CC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.2178233392.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178333146.0000000000D82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178390305.0000000000D8C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178412055.0000000000D94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_RFQ_#24429725,pdf.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: ccd7953dd70baefb924fe42e12e3018d44d5c5fabb031d13c6cac2d15a58e6a1
Instruction ID: 8f2cb6bdb249a4bde271d8a057455b3193ddf95eed13b5b5d9855685f1ee49be
Opcode Fuzzy Hash: ccd7953dd70baefb924fe42e12e3018d44d5c5fabb031d13c6cac2d15a58e6a1
Instruction Fuzzy Hash: 1141E93860034AAFCF61CFA5CC44ABA7BB5EF41310F154169FA69972A1DB308E01DB62

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RFQ_#24429725,pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Clinton

C:\Users\user\AppData\Local\Temp\autFCDA.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
RFQ_#24429725,pdf.exe

Function 00CC42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 00CC42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00D02BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00CC2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00D0065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00CC344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00CC2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00CC3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 00CF8D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Function 01B2ADC8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00CC2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01B2AB88 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 148
fileCOMMON

Function 00D32947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Function 00CC3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre