Edit tour

Windows Analysis Report
99awhy8l.exe

Overview

General Information

Sample name:	99awhy8l.exe
Analysis ID:	1577329
MD5:	4f2e93559f3ea52ac93ac22ac609fc7f
SHA1:	17b3069bd25aee930018253b0704d3cca64ab64c
SHA256:	6d50bd480bb0c65931eb297b28c4af74b966504241fca8cd03de7058a824274d
Tags:	18521511316185215113209bulletproofexeuser-abus3reports
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Drops PE files with a suspicious file extension

Found API chain indicative of sandbox detection

LummaC encrypted strings found

Sample uses string decryption to hide its real strings

Tries to resolve many domain names, but no domain seems valid

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Suspicious Copy From or To System Directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

99awhy8l.exe (PID: 5412 cmdline: "C:\Users\user\Desktop\99awhy8l.exe" MD5: 4F2E93559F3EA52AC93AC22AC609FC7F)

cmd.exe (PID: 5424 cmdline: "C:\Windows\System32\cmd.exe" /c copy Impacts Impacts.bat & Impacts.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 1336 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 2432 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 3576 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 404 cmdline: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 6308 cmdline: cmd /c md 578678 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 6724 cmdline: findstr /V "PEACEFOLKSEXUALISLANDS" Hill MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 2320 cmdline: cmd /c copy /b ..\Webpage + ..\Von + ..\Exotic + ..\Relief + ..\Seo + ..\Serious + ..\Myth y MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Cooper.pif (PID: 1584 cmdline: Cooper.pif y MD5: 78BA0653A340BAC5FF152B21A83626CC)

choice.exe (PID: 6108 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["mutterissuen.shop", "standartedby.shop", "berrylinyj.cyou", "conceszustyb.shop", "nightybinybz.shop", "bakedstusteeb.shop", "worddosofrm.shop", "respectabosiz.shop", "moutheventushz.shop"], "Build id": "HpOoIh--2a727a032c4d"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: Cooper.pif y, CommandLine: Cooper.pif y, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Impacts Impacts.bat & Impacts.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5424, ParentProcessName: cmd.exe, ProcessCommandLine: Cooper.pif y, ProcessId: 1584, ProcessName: Cooper.pif

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Impacts Impacts.bat & Impacts.bat, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Impacts Impacts.bat & Impacts.bat, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\99awhy8l.exe", ParentImage: C:\Users\user\Desktop\99awhy8l.exe, ParentProcessId: 5412, ParentProcessName: 99awhy8l.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Impacts Impacts.bat & Impacts.bat, ProcessId: 5424, ProcessName: cmd.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Impacts Impacts.bat & Impacts.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5424, ParentProcessName: cmd.exe, ProcessCommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , ProcessId: 404, ProcessName: findstr.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:55:45.153733+0100	2028371	3	Unknown Traffic	192.168.2.6	49790	23.55.153.106	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bakedstusteeb .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:55:42.586147+0100	2057261	1	Domain Observed Used for C2 Detected	192.168.2.6	50456	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (conceszustyb .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:55:42.349836+0100	2057259	1	Domain Observed Used for C2 Detected	192.168.2.6	60251	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (moutheventushz .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:55:43.047086+0100	2057255	1	Domain Observed Used for C2 Detected	192.168.2.6	61645	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mutterissuen .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:55:41.597135+0100	2057267	1	Domain Observed Used for C2 Detected	192.168.2.6	59331	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nightybinybz .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:55:42.104865+0100	2057263	1	Domain Observed Used for C2 Detected	192.168.2.6	60668	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (respectabosiz .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:55:42.818294+0100	2057257	1	Domain Observed Used for C2 Detected	192.168.2.6	49460	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (standartedby .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:55:41.822500+0100	2057265	1	Domain Observed Used for C2 Detected	192.168.2.6	54170	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (worddosofrm .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:55:41.372570+0100	2057269	1	Domain Observed Used for C2 Detected	192.168.2.6	53120	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:55:46.032230+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.6	49790	23.55.153.106	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://berrylinyj.cyou/api	Avira URL Cloud: Label: malware
Source: https://conceszustyb.shop/api	Avira URL Cloud: Label: malware
Source: https://bakedstusteeb.shop/api	Avira URL Cloud: Label: malware
Source: berrylinyj.cyou	Avira URL Cloud: Label: malware
Source: https://mutterissuen.shop/api	Avira URL Cloud: Label: malware
Source: https://standartedby.shop/api	Avira URL Cloud: Label: malware
Source: https://worddosofrm.shop/api	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000B.00000003.2452029370.0000000003C00000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["mutterissuen.shop", "standartedby.shop", "berrylinyj.cyou", "conceszustyb.shop", "nightybinybz.shop", "bakedstusteeb.shop", "worddosofrm.shop", "respectabosiz.shop", "moutheventushz.shop"], "Build id": "HpOoIh--2a727a032c4d"}

Multi AV Scanner detection for submitted file

Source: 99awhy8l.exe

ReversingLabs: Detection: 60%

Sample uses string decryption to hide its real strings

Source: 0000000B.00000003.2452029370.0000000003C00000.00000004.00000800.00020000.00000000.sdmp	String decryptor: moutheventushz.shop
Source: 0000000B.00000003.2452029370.0000000003C00000.00000004.00000800.00020000.00000000.sdmp	String decryptor: respectabosiz.shop
Source: 0000000B.00000003.2452029370.0000000003C00000.00000004.00000800.00020000.00000000.sdmp	String decryptor: bakedstusteeb.shop
Source: 0000000B.00000003.2452029370.0000000003C00000.00000004.00000800.00020000.00000000.sdmp	String decryptor: conceszustyb.shop
Source: 0000000B.00000003.2452029370.0000000003C00000.00000004.00000800.00020000.00000000.sdmp	String decryptor: nightybinybz.shop
Source: 0000000B.00000003.2452029370.0000000003C00000.00000004.00000800.00020000.00000000.sdmp	String decryptor: standartedby.shop
Source: 0000000B.00000003.2452029370.0000000003C00000.00000004.00000800.00020000.00000000.sdmp	String decryptor: mutterissuen.shop
Source: 0000000B.00000003.2452029370.0000000003C00000.00000004.00000800.00020000.00000000.sdmp	String decryptor: worddosofrm.shop
Source: 0000000B.00000003.2452029370.0000000003C00000.00000004.00000800.00020000.00000000.sdmp	String decryptor: berrylinyj.cyou
Source: 0000000B.00000003.2452029370.0000000003C00000.00000004.00000800.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000B.00000003.2452029370.0000000003C00000.00000004.00000800.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 0000000B.00000003.2452029370.0000000003C00000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 0000000B.00000003.2452029370.0000000003C00000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 0000000B.00000003.2452029370.0000000003C00000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 0000000B.00000003.2452029370.0000000003C00000.00000004.00000800.00020000.00000000.sdmp	String decryptor: HpOoIh--2a727a032c4d

Source: 99awhy8l.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.6:49790 version: TLS 1.2

Source: 99awhy8l.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\99awhy8l.exe	Code function: 1_2_004062D5 FindFirstFileW,FindClose,	1_2_004062D5
Source: C:\Users\user\Desktop\99awhy8l.exe	Code function: 1_2_00402E18 FindFirstFileW,	1_2_00402E18
Source: C:\Users\user\Desktop\99awhy8l.exe	Code function: 1_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	1_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_0033DB0B FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_0033DB0B
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_0033E334 GetFileAttributesW,FindFirstFileW,FindClose,	11_2_0033E334
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_0034A32C FindFirstFileW,Sleep,FindNextFileW,FindClose,	11_2_0034A32C
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_003465AE FindFirstFileW,FindNextFileW,FindClose,	11_2_003465AE
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_0030C6C2 FindFirstFileExW,	11_2_0030C6C2
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_00347205 FindFirstFileW,FindClose,	11_2_00347205
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_003472A6 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	11_2_003472A6
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_0033D7CC FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_0033D7CC
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_00349E43 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_00349E43
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_00349F9E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_00349F9E

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\578678	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\578678\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2057267 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mutterissuen .shop) : 192.168.2.6:59331 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057257 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (respectabosiz .shop) : 192.168.2.6:49460 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057261 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bakedstusteeb .shop) : 192.168.2.6:50456 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057259 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (conceszustyb .shop) : 192.168.2.6:60251 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057263 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nightybinybz .shop) : 192.168.2.6:60668 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057255 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (moutheventushz .shop) : 192.168.2.6:61645 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057265 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (standartedby .shop) : 192.168.2.6:54170 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057269 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (worddosofrm .shop) : 192.168.2.6:53120 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:49790 -> 23.55.153.106:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: mutterissuen.shop
Source: Malware configuration extractor	URLs: standartedby.shop
Source: Malware configuration extractor	URLs: berrylinyj.cyou
Source: Malware configuration extractor	URLs: conceszustyb.shop
Source: Malware configuration extractor	URLs: nightybinybz.shop
Source: Malware configuration extractor	URLs: bakedstusteeb.shop
Source: Malware configuration extractor	URLs: worddosofrm.shop
Source: Malware configuration extractor	URLs: respectabosiz.shop
Source: Malware configuration extractor	URLs: moutheventushz.shop

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: respectabosiz.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: conceszustyb.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: mutterissuen.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: standartedby.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: worddosofrm.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: moutheventushz.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nightybinybz.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bakedstusteeb.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: GDinpHlLXN.GDinpHlLXN replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: berrylinyj.cyou replaycode: Name error (3)

Source: Joe Sandbox View

IP Address: 23.55.153.106 23.55.153.106

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49790 -> 23.55.153.106:443

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif

Code function: 11_2_0034D672 InternetReadFile,SetEvent,GetLastError,SetEvent,

11_2_0034D672

Source: global traffic

Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=1f4c3f742201d1f26b5d977c; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25665Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveWed, 18 Dec 2024 10:55:45 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control{ equals www.youtube.com (Youtube)
Source: Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: GDinpHlLXN.GDinpHlLXN
Source: global traffic	DNS traffic detected: DNS query: berrylinyj.cyou
Source: global traffic	DNS traffic detected: DNS query: worddosofrm.shop
Source: global traffic	DNS traffic detected: DNS query: mutterissuen.shop
Source: global traffic	DNS traffic detected: DNS query: standartedby.shop
Source: global traffic	DNS traffic detected: DNS query: nightybinybz.shop
Source: global traffic	DNS traffic detected: DNS query: conceszustyb.shop
Source: global traffic	DNS traffic detected: DNS query: bakedstusteeb.shop
Source: global traffic	DNS traffic detected: DNS query: respectabosiz.shop
Source: global traffic	DNS traffic detected: DNS query: moutheventushz.shop
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: 99awhy8l.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 99awhy8l.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 99awhy8l.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 99awhy8l.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 99awhy8l.exe, 00000001.00000003.2207705478.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, Cooper.pif, 0000000B.00000003.2458977058.0000000003D3D000.00000004.00000800.00020000.00000000.sdmp, Bond.1.dr, Cooper.pif.2.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: 99awhy8l.exe, 00000001.00000003.2207705478.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, Cooper.pif, 0000000B.00000003.2458977058.0000000003D3D000.00000004.00000800.00020000.00000000.sdmp, Bond.1.dr, Cooper.pif.2.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: 99awhy8l.exe, 00000001.00000003.2207705478.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, Cooper.pif, 0000000B.00000003.2458977058.0000000003D3D000.00000004.00000800.00020000.00000000.sdmp, Bond.1.dr, Cooper.pif.2.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: 99awhy8l.exe, 00000001.00000003.2207705478.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, Cooper.pif, 0000000B.00000003.2458977058.0000000003D3D000.00000004.00000800.00020000.00000000.sdmp, Bond.1.dr, Cooper.pif.2.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: 99awhy8l.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 99awhy8l.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 99awhy8l.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 99awhy8l.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 99awhy8l.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: 99awhy8l.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 99awhy8l.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: 99awhy8l.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: 99awhy8l.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: 99awhy8l.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: 99awhy8l.exe, 00000001.00000003.2207705478.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, Cooper.pif, 0000000B.00000003.2458977058.0000000003D3D000.00000004.00000800.00020000.00000000.sdmp, Bond.1.dr, Cooper.pif.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: 99awhy8l.exe, 00000001.00000003.2207705478.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, Cooper.pif, 0000000B.00000003.2458977058.0000000003D3D000.00000004.00000800.00020000.00000000.sdmp, Bond.1.dr, Cooper.pif.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: 99awhy8l.exe, 00000001.00000003.2207705478.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, Cooper.pif, 0000000B.00000003.2458977058.0000000003D3D000.00000004.00000800.00020000.00000000.sdmp, Bond.1.dr, Cooper.pif.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: 99awhy8l.exe, 00000001.00000003.2207705478.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, Cooper.pif, 0000000B.00000003.2458977058.0000000003D3D000.00000004.00000800.00020000.00000000.sdmp, Bond.1.dr, Cooper.pif.2.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: 99awhy8l.exe, 00000001.00000003.2207705478.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, Cooper.pif, 0000000B.00000003.2458977058.0000000003D3D000.00000004.00000800.00020000.00000000.sdmp, Bond.1.dr, Cooper.pif.2.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp, Cooper.pif, 0000000B.00000002.2519175929.0000000003787000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp, Cooper.pif, 0000000B.00000002.2519175929.0000000003787000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp, Cooper.pif, 0000000B.00000002.2519175929.0000000003787000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: 99awhy8l.exe, 00000001.00000003.2207705478.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, Cooper.pif, 0000000B.00000003.2458977058.0000000003D3D000.00000004.00000800.00020000.00000000.sdmp, Cooper.pif, 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmp, Bond.1.dr, Cooper.pif.2.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: 99awhy8l.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: Cooper.pif, 0000000B.00000002.2518782354.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bakedstusteeb.shop/api
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003730000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://berrylinyj.cyou/api
Source: Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp, Cooper.pif, 0000000B.00000002.2519175929.0000000003787000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=THDq-gsQ
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=0Xxx
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003730000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://conceszustyb.shop/api
Source: Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003730000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mutterissuen.shop/api
Source: Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003730000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://standartedby.shop/api
Source: Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp, Cooper.pif, 0000000B.00000002.2519175929.0000000003787000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003730000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/T
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp, Cooper.pif, 0000000B.00000002.2519175929.0000000003787000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: Cooper.pif, 0000000B.00000002.2519360471.0000000003892000.00000004.00000800.00020000.00000000.sdmp, Cooper.pif, 0000000B.00000002.2519360471.0000000003830000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: Cooper.pif, 0000000B.00000002.2518782354.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp, Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp, Cooper.pif, 0000000B.00000002.2519175929.0000000003787000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003730000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://worddosofrm.shop/api
Source: 99awhy8l.exe, 00000001.00000003.2207705478.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, Cooper.pif, 0000000B.00000003.2458977058.0000000003D3D000.00000004.00000800.00020000.00000000.sdmp, Bond.1.dr, Cooper.pif.2.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Cooper.pif.2.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: 99awhy8l.exe, 00000001.00000003.2207705478.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, Cooper.pif, 0000000B.00000003.2458977058.0000000003D3D000.00000004.00000800.00020000.00000000.sdmp, Bond.1.dr, Cooper.pif.2.dr	String found in binary or memory: https://www.globalsign.com/repository/06
Source: Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp, Cooper.pif, 0000000B.00000002.2519175929.0000000003787000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443

Source: unknown

HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.6:49790 version: TLS 1.2

Source: C:\Users\user\Desktop\99awhy8l.exe

Code function: 1_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

1_2_004050CD

Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif

Code function: 11_2_0034F5B0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

11_2_0034F5B0

Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif

Code function: 11_2_0034F345 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

11_2_0034F345

Source: C:\Users\user\Desktop\99awhy8l.exe

Code function: 1_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

1_2_004044A5

Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif

Code function: 11_2_00369B7E DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

11_2_00369B7E

Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif

Code function: 11_2_00344635: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

11_2_00344635

Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif

Code function: 11_2_00331A7B LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

11_2_00331A7B

Source: C:\Users\user\Desktop\99awhy8l.exe	Code function: 1_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,		1_2_00403883
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_0033F0CD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		11_2_0033F0CD

Source: C:\Users\user\Desktop\99awhy8l.exe	Code function: 1_2_0040497C	1_2_0040497C
Source: C:\Users\user\Desktop\99awhy8l.exe	Code function: 1_2_00406ED2	1_2_00406ED2
Source: C:\Users\user\Desktop\99awhy8l.exe	Code function: 1_2_004074BB	1_2_004074BB
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_002F2097	11_2_002F2097
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_002F80C7	11_2_002F80C7
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_002D21FD	11_2_002D21FD
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_002EE2B3	11_2_002EE2B3
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_0030A30E	11_2_0030A30E
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_002F2352	11_2_002F2352
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_002EC45C	11_2_002EC45C
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_0035C5C4	11_2_0035C5C4
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_003428D7	11_2_003428D7
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_0030E920	11_2_0030E920
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_00338AB4	11_2_00338AB4
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_002ECBB2	11_2_002ECBB2
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_00306B8B	11_2_00306B8B
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_002EECE4	11_2_002EECE4
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_002FCEC0	11_2_002FCEC0
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_00364F4F	11_2_00364F4F
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_002DD000	11_2_002DD000
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_002DF0A4	11_2_002DF0A4
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_003071F9	11_2_003071F9
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_002D9540	11_2_002D9540
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_002F17B4	11_2_002F17B4
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_002D9A20	11_2_002D9A20
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_002F1B26	11_2_002F1B26
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_002F7C3B	11_2_002F7C3B
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_002F1DD0	11_2_002F1DD0
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_002F7E6A	11_2_002F7E6A
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_002D9E80	11_2_002D9E80
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_002EDF78	11_2_002EDF78

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif 05D8CF394190F3A707ABFB25FB44D7DA9D5F533D7D2063B23C00CC11253C8BE7

Source: C:\Users\user\Desktop\99awhy8l.exe	Code function: String function: 004062A3 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: String function: 002F0E50 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: String function: 002EFE52 appears 39 times

Source: 99awhy8l.exe, 00000001.00000003.2207705478.00000000028BE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameAutoIt3.exeP vs 99awhy8l.exe

Source: 99awhy8l.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@22/13@11/1

Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif

Code function: 11_2_003440CC GetLastError,FormatMessageW,

11_2_003440CC

Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_00331939 AdjustTokenPrivileges,CloseHandle,		11_2_00331939
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_00331F3D LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		11_2_00331F3D

Source: C:\Users\user\Desktop\99awhy8l.exe

1_2_004044A5

Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif

Code function: 11_2_002F0090 CloseHandle,CreateToolhelp32Snapshot,

11_2_002F0090

Source: C:\Users\user\Desktop\99awhy8l.exe

Code function: 1_2_004024FB CoCreateInstance,

1_2_004024FB

Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif

Code function: 11_2_003438E0 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

11_2_003438E0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2096:120:WilError_03

Source: C:\Users\user\Desktop\99awhy8l.exe

File created: C:\Users\user\AppData\Local\Temp\nsy36E.tmp

Jump to behavior

Source: C:\Users\user\Desktop\99awhy8l.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Impacts Impacts.bat & Impacts.bat

Source: 99awhy8l.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\99awhy8l.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\99awhy8l.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 99awhy8l.exe

ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\99awhy8l.exe

File read: C:\Users\user\Desktop\99awhy8l.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\99awhy8l.exe "C:\Users\user\Desktop\99awhy8l.exe"
Source: C:\Users\user\Desktop\99awhy8l.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Impacts Impacts.bat & Impacts.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 578678
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "PEACEFOLKSEXUALISLANDS" Hill
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Webpage + ..\Von + ..\Exotic + ..\Relief + ..\Seo + ..\Serious + ..\Myth y
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif Cooper.pif y
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\Desktop\99awhy8l.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Impacts Impacts.bat & Impacts.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 578678	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "PEACEFOLKSEXUALISLANDS" Hill	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Webpage + ..\Von + ..\Exotic + ..\Relief + ..\Seo + ..\Serious + ..\Myth y	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif Cooper.pif y	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\Desktop\99awhy8l.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\99awhy8l.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 99awhy8l.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\99awhy8l.exe

Code function: 1_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

1_2_004062FC

Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_0032022F push edi; retn 0031h		11_2_00320235
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_002F0E96 push ecx; ret		11_2_002F0EA9

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_0036231B IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		11_2_0036231B
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_002EFC88 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		11_2_002EFC88

Source: C:\Users\user\Desktop\99awhy8l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\99awhy8l.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_11-107399

Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif

API coverage: 3.7 %

Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif TID: 5424

Thread sleep time: -60000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\99awhy8l.exe	Code function: 1_2_004062D5 FindFirstFileW,FindClose,	1_2_004062D5
Source: C:\Users\user\Desktop\99awhy8l.exe	Code function: 1_2_00402E18 FindFirstFileW,	1_2_00402E18
Source: C:\Users\user\Desktop\99awhy8l.exe	Code function: 1_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	1_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_0033DB0B FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_0033DB0B
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_0033E334 GetFileAttributesW,FindFirstFileW,FindClose,	11_2_0033E334
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_0034A32C FindFirstFileW,Sleep,FindNextFileW,FindClose,	11_2_0034A32C
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_003465AE FindFirstFileW,FindNextFileW,FindClose,	11_2_003465AE
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_0030C6C2 FindFirstFileExW,	11_2_0030C6C2
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_00347205 FindFirstFileW,FindClose,	11_2_00347205
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_003472A6 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	11_2_003472A6
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_0033D7CC FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_0033D7CC
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_00349E43 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_00349E43
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_00349F9E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_00349F9E

Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif

Code function: 11_2_002D29A4 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

11_2_002D29A4

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\578678	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\578678\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: Cooper.pif, 0000000B.00000002.2518818275.000000000103B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@w
Source: Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif

Code function: 11_2_0034F2E8 BlockInput,

11_2_0034F2E8

Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif

Code function: 11_2_002D331E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

11_2_002D331E

Source: C:\Users\user\Desktop\99awhy8l.exe

Code function: 1_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

1_2_004062FC

Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif

Code function: 11_2_002F5108 mov eax, dword ptr fs:[00000030h]

11_2_002F5108

Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif

Code function: 11_2_0033207D GetProcessHeap,HeapAlloc,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,CreateThread,

11_2_0033207D

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_003029B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_003029B2
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_002F0C5F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_002F0C5F
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_002F0DF5 SetUnhandledExceptionFilter,	11_2_002F0DF5
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_002F1041 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_002F1041

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moutheventushz.shop
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: respectabosiz.shop
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: bakedstusteeb.shop
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: conceszustyb.shop
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: nightybinybz.shop
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: standartedby.shop
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: mutterissuen.shop
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: worddosofrm.shop
Source: Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: berrylinyj.cyou

Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif

11_2_00331A7B

Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif

Code function: 11_2_002D331E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

11_2_002D331E

Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif

Code function: 11_2_0033BA4A SendInput,keybd_event,

11_2_0033BA4A

Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif

Code function: 11_2_00352B20 GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

11_2_00352B20

Source: C:\Users\user\Desktop\99awhy8l.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Impacts Impacts.bat & Impacts.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 578678	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "PEACEFOLKSEXUALISLANDS" Hill	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Webpage + ..\Von + ..\Exotic + ..\Relief + ..\Seo + ..\Serious + ..\Myth y	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif Cooper.pif y	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif

Code function: 11_2_003313DC GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

11_2_003313DC

Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif

Code function: 11_2_00331EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

11_2_00331EDD

Source: 99awhy8l.exe, 00000001.00000003.2207705478.00000000028B0000.00000004.00000020.00020000.00000000.sdmp, Cooper.pif, 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmp, Cooper.pif, 0000000B.00000003.2458977058.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Cooper.pif	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif

Code function: 11_2_002F0AB8 cpuid

11_2_002F0AB8

Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif

Code function: 11_2_0032E3BB GetLocalTime,

11_2_0032E3BB

Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif

Code function: 11_2_0032E419 GetUserNameW,

11_2_0032E419

Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif

Code function: 11_2_0030BD72 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

11_2_0030BD72

Source: C:\Users\user\Desktop\99awhy8l.exe

Code function: 1_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

1_2_00406805

Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Source: Cooper.pif	Binary or memory string: WIN_81
Source: Cooper.pif	Binary or memory string: WIN_XP
Source: Cooper.pif.2.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 15, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.-\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Cooper.pif	Binary or memory string: WIN_XPe
Source: Cooper.pif	Binary or memory string: WIN_VISTA
Source: Cooper.pif	Binary or memory string: WIN_7
Source: Cooper.pif	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_0035204C socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		11_2_0035204C
Source: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	Code function: 11_2_00351A4A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		11_2_00351A4A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	2 Valid Accounts	1 Windows Management Instrumentation	1 Scripting	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	17 System Information Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	1 Masquerading	LSA Secrets	121 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Virtualization/Sandbox Evasion	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
99awhy8l.exe	61%	ReversingLabs	Win32.Trojan.Znyonm

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	5%	ReversingLabs

Source	Detection	Scanner	Label
https://berrylinyj.cyou/api	100%	Avira URL Cloud	malware
https://conceszustyb.shop/api	100%	Avira URL Cloud	malware
https://bakedstusteeb.shop/api	100%	Avira URL Cloud	malware
berrylinyj.cyou	100%	Avira URL Cloud	malware
https://mutterissuen.shop/api	100%	Avira URL Cloud	malware
https://standartedby.shop/api	100%	Avira URL Cloud	malware
https://worddosofrm.shop/api	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	23.55.153.106	true	false	high
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.58.100	true	false	high
ax-0001.ax-msedge.net	150.171.28.10	true	false	high
nightybinybz.shop	unknown	unknown	true	unknown
moutheventushz.shop	unknown	unknown	true	unknown
standartedby.shop	unknown	unknown	true	unknown
GDinpHlLXN.GDinpHlLXN	unknown	unknown	true	unknown
respectabosiz.shop	unknown	unknown	true	unknown
conceszustyb.shop	unknown	unknown	true	unknown
bakedstusteeb.shop	unknown	unknown	false	high
berrylinyj.cyou	unknown	unknown	true	unknown
mutterissuen.shop	unknown	unknown	true	unknown
worddosofrm.shop	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
bakedstusteeb.shop	false		high
nightybinybz.shop	false		high
moutheventushz.shop	false		high
respectabosiz.shop	false		high
berrylinyj.cyou	true	Avira URL Cloud: malware	unknown
https://steamcommunity.com/profiles/76561199724331900	false		high
standartedby.shop	false		high
worddosofrm.shop	false		high
conceszustyb.shop	false		high
mutterissuen.shop	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/my/wishlist/	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://player.vimeo.com	Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/?subsection=broadcasts	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://help.steampowered.com/en/	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/market/	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/news/	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/subscriber_agreement/	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.gstatic.cn/recaptcha/	Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://store.steampowered.com/subscriber_agreement/	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp, Cooper.pif, 0000000B.00000002.2519175929.0000000003787000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp, Cooper.pif, 0000000B.00000002.2519175929.0000000003787000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.autoitscript.com/autoit3/	99awhy8l.exe, 00000001.00000003.2207705478.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, Cooper.pif, 0000000B.00000003.2458977058.0000000003D3D000.00000004.00000800.00020000.00000000.sdmp, Bond.1.dr, Cooper.pif.2.dr	false		high
https://recaptcha.net/recaptcha/;	Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mutterissuen.shop/api	Cooper.pif, 0000000B.00000002.2519175929.0000000003730000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.valvesoftware.com/legal.htm	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/discussions/	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com	Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com	Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/stats/	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://medal.tv	Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://broadcast.st.dl.eccdnx.com	Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/steam_refunds/	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp, Cooper.pif, 0000000B.00000002.2519175929.0000000003787000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/	Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://s.ytimg.com;	Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/workshop/	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=0Xxx	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.steampowered.com/	Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb	Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp, Cooper.pif, 0000000B.00000002.2519175929.0000000003787000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/legal/	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp, Cooper.pif, 0000000B.00000002.2519175929.0000000003787000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/	Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steam.tv/	Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bakedstusteeb.shop/api	Cooper.pif, 0000000B.00000002.2518782354.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://store.steampowered.com/privacy_agreement/	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp, Cooper.pif, 0000000B.00000002.2519175929.0000000003787000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com:443/profiles/76561199724331900	Cooper.pif, 0000000B.00000002.2518782354.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/points/shop/	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://recaptcha.net	Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/X	99awhy8l.exe, 00000001.00000003.2207705478.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, Cooper.pif, 0000000B.00000003.2458977058.0000000003D3D000.00000004.00000800.00020000.00000000.sdmp, Cooper.pif, 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmp, Bond.1.dr, Cooper.pif.2.dr	false		high
https://standartedby.shop/api	Cooper.pif, 0000000B.00000002.2519175929.0000000003730000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/	Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	99awhy8l.exe	false		high
https://steamcommunity.com	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp, Cooper.pif, 0000000B.00000002.2519175929.0000000003787000.00000004.00000800.00020000.00000000.sdmp	false		high
https://conceszustyb.shop/api	Cooper.pif, 0000000B.00000002.2519175929.0000000003730000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://sketchfab.com	Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lv.queniujq.cn	Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/T	Cooper.pif, 0000000B.00000002.2519175929.0000000003730000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/	Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://127.0.0.1:27060	Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/privacy_agreement/	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://berrylinyj.cyou/api	Cooper.pif, 0000000B.00000002.2519175929.0000000003730000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://checkout.steampowered.com/	Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://help.steampowered.com/	Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.steampowered.com/	Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/points/shop	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
http://store.steampowered.com/account/cookiepreferences/	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp, Cooper.pif, 0000000B.00000002.2519175929.0000000003787000.00000004.00000800.00020000.00000000.sdmp	false		high
https://worddosofrm.shop/api	Cooper.pif, 0000000B.00000002.2519175929.0000000003730000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/mobile	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/	Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=THDq-gsQ	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp, Cooper.pif, 0000000B.00000002.2519360471.00000000038A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/about/	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l	Cooper.pif, 0000000B.00000002.2519175929.0000000003796000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.55.153.106	steamcommunity.com	United States		20940	AKAMAI-ASN1EU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577329
Start date and time:	2024-12-18 11:54:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	99awhy8l.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@22/13@11/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 85 Number of non-executed functions: 286
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 20.231.128.66, 20.31.169.57, 13.107.246.63, 20.12.23.50, 20.223.35.26, 2.16.158.43, 150.171.28.10, 2.16.158.75
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, tse1.mm.bing.net, ctldl.windowsupdate.com, g.bing.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: 99awhy8l.exe

Simulations

Behavior and APIs

Time	Type	Description
05:55:40	API Interceptor	5x Sleep call for process: Cooper.pif modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
23.55.153.106	5_6253708004881862888.exe	Get hash	malicious	LummaC	Browse
	noll.exe	Get hash	malicious	Stealc, Vidar	Browse
	1fxm3u0d.exe	Get hash	malicious	LummaC	Browse
	2kudv4ea.exe	Get hash	malicious	LummaC	Browse
	ardware-v1.exe	Get hash	malicious	LummaC	Browse
	ardware-v1.exe	Get hash	malicious	LummaC	Browse
	sNWQ2gC6if.exe	Get hash	malicious	LummaC	Browse
	66DJ2wErLz.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Xmrig	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	LA0gY3d103.exe	Get hash	malicious	PureCrypter, PureLog Stealer	Browse	217.20.48.24
	YcxjdYUKIb.exe	Get hash	malicious	PureCrypter, PureLog Stealer	Browse	217.20.58.98
	LA0gY3d103.exe	Get hash	malicious	PureCrypter, PureLog Stealer	Browse	217.20.58.100
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse	217.20.58.99
	#U041f#U043b#U0430#U0442i#U0436#U043d#U0430 i#U043d#U0441#U0442#U0440#U0443#U043a#U0446i#U044f.js	Get hash	malicious	SmokeLoader	Browse	217.20.58.100
	PPbimZI4LV.exe	Get hash	malicious	Unknown	Browse	217.20.58.100
	http://ngfreemessage-verifying.freewebhostmost.com/	Get hash	malicious	HTMLPhisher	Browse	217.20.58.99
	uEhN67huiV.dll	Get hash	malicious	Unknown	Browse	212.229.88.13
	JkICQ13OOY.dll	Get hash	malicious	Unknown	Browse	217.20.56.100
	V65xPrgEHH.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	217.20.58.99
ax-0001.ax-msedge.net	Opdxdyeul.exe	Get hash	malicious	SystemBC	Browse	150.171.27.10
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse	150.171.28.10
	PPbimZI4LV.exe	Get hash	malicious	Unknown	Browse	150.171.28.10
	pt8GJiNZDT.exe	Get hash	malicious	Unknown	Browse	150.171.27.10
	billi_e58d74e455634dc695ed8a7b8b320325.exe.dom_1.exe	Get hash	malicious	Metasploit	Browse	150.171.28.10
	https://mail.donotreply.biz/XWW04VVZpU2JyWTFmVy96T2RUOUEvcEhyMWhFSm5uZElnVUlmb2dTZEdMRFdGSU1UV2V3S3RUNGdrNmNQRFJ4WTFPRHdYYlkraDV3S1YyVVpuU3E3K2p1bWowcEt3M24ySVBLanRDUkwyYitYWExuYTB5YlhVTUhySWZKbGJCTE9oRHl2RCtjR29BbEk3ZEwxZFJaNmNoK29ESk0vTGcxSmtyK0FWTExLWTdxYlQ1Yys1bjNiTUczY0RnPT0tLTU2R0pFM1VwZFRnVndZSWktLXptU2lWOHlQdjR0eGI1K09OQVZtRnc9PQ==?cid=2315575162	Get hash	malicious	KnowBe4	Browse	150.171.27.10
	https://ce4.ajax.a8b.co/get?redir=1&id=d4vCW7zizPl1mo0GYx0ELgo+CCIybH9/c4qC7CeWEuI=&uri=//the-western-fire-chiefs-association.jimdosite.com	Get hash	malicious	Unknown	Browse	150.171.27.10
	174 Power Global_Enrollment_.docx.doc	Get hash	malicious	Unknown	Browse	150.171.27.10
	nSs9QIsTua.js	Get hash	malicious	Unknown	Browse	150.171.27.10
steamcommunity.com	5_6253708004881862888.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	noll.exe	Get hash	malicious	Stealc, Vidar	Browse	23.55.153.106
	1fxm3u0d.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	2kudv4ea.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	sNWQ2gC6if.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	66DJ2wErLz.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	file.exe	Get hash	malicious	Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Stealc, Xmrig	Browse	104.102.49.254
	hpEAJnNwCB.exe	Get hash	malicious	LummaC	Browse	104.121.10.34

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASN1EU	5_6253708004881862888.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	noll.exe	Get hash	malicious	Stealc, Vidar	Browse	23.55.153.106
	1fxm3u0d.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	2kudv4ea.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	EXTERNALRe.msg	Get hash	malicious	Unknown	Browse	23.44.201.32
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse	23.218.93.195
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	23.43.121.120
	https://adobe.blob.core.windows.net/adobe/adobe.html?sp=r&st=2024-12-17T20:58:07Z&se=2025-01-11T04:58:07Z&spr=https&sv=2022-11-02&sr=b&sig=vDeHaevGyq9deO2tRq9D03JLZreACGon6EF%2FhhJQk7s%3D	Get hash	malicious	Unknown	Browse	104.116.245.16

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	random.exe_Y.exe	Get hash	malicious	Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	23.55.153.106
	5_6253708004881862888.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	1fxm3u0d.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	2kudv4ea.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	23.55.153.106
	NativeApp_G5L1NHZZ.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
	hzD92yQcTT.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	JnEZtj3vtN.exe	Get hash	malicious	PureCrypter	Browse	23.55.153.106
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse	23.55.153.106

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\578678\Cooper.pif	eRApzqPkL1.exe	Get hash	malicious	RHADAMANTHYS	Browse
	eRApzqPkL1.exe	Get hash	malicious	RHADAMANTHYS	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	vqMMwqCFZQ.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	SmokeLoader	Browse
	file.exe	Get hash	malicious	Remcos	Browse
	pennicle.txt.ps1	Get hash	malicious	LummaC Stealer	Browse
	SolPen.exe	Get hash	malicious	LummaC Stealer	Browse
	SolPen.exe	Get hash	malicious	LummaC Stealer	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\578678\Cooper.pif

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	943784
Entropy (8bit):	6.625461630496363
Encrypted:	false
SSDEEP:	24576:FJs7DlG83U/hcSO3UTyYPeuZtxY+8aiB8ea:FC7hGOSPT/PxebaiO
MD5:	78BA0653A340BAC5FF152B21A83626CC
SHA1:	B12DA9CB5D024555405040E65AD89D16AE749502
SHA-256:	05D8CF394190F3A707ABFB25FB44D7DA9D5F533D7D2063B23C00CC11253C8BE7
SHA-512:	EFB75E4C1E0057FFB47613FD5AAE8CE3912B1558A4B74DBF5284C942EAC78ECD9ACA98F7C1E0E96EC38E8177E58FFDF54F2EB0385E73EEF39E8A2CE611237317
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:	Filename: eRApzqPkL1.exe, Detection: malicious, Browse Filename: eRApzqPkL1.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: vqMMwqCFZQ.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: pennicle.txt.ps1, Detection: malicious, Browse Filename: SolPen.exe, Detection: malicious, Browse Filename: SolPen.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;...h...h...h4;mh...h4;oh...h4;nh...h..[h...h..i...h..i...h..i...h...h...h...h...h...h...h..i..h..i...h..ch...h...h...h..i...hRich...h........PE..L...!..^.........."...............................@.......................................@...@.......@........................\|....P..h............J.......0..@v...........................C..........@............................................text...%........................... ..`.rdata..............................@..@.data...\|p.......H..................@....rsrc...h....P......................@..@.reloc..@v...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\578678\y

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	480685
Entropy (8bit):	7.99961550517189
Encrypted:	true
SSDEEP:	12288:pa5OkXLANYHuccwEXgKO6f4VVjF0UF0daIQV6KlAHBUe:/kXLfVcfHajiUF0y6K+B3
MD5:	01AA075F055B346C3FC5734A64E3D57C
SHA1:	FDDA7FAD433D6914A669310795E0709D28EF38BF
SHA-256:	64980EB891466F0C5F8E8DF49FC8915FB81BB08DD5B0FFD17146CABECE19F2FB
SHA-512:	CDCA877A1CB68EC3E24AA8812A1174C34E7F82367E27107C67D8C18D4479BBDA50F9751C5FF16C5D8303BB5CD505949DE020CAC91A42046E2F50895DFCC31F91
Malicious:	false
Preview:	K;G.PU.0....&.ym......s(.+.W.Y.-..5U.Z....?..6..":...~..%.f.lJ.T..#^y....}.`...4m..m..s..,v..k...........:..2.>Z..........P`..5.}...P.i8.V.Cj...3..]....s.V....e...\5..\8..E".>.......!4._.^.h.F...-..%@.H.-n?.K.9.%.7O.....S7A..@C..n..._....Q ..5.. ..e.\......?....X...s... ..}A....E.$k..g"s....#%..#.O.q..h.N.....OP.R....HQ...m.d...1..I..C.....c.:.?.#..[\.......$.q.......?M...j^.%.....x.;...d..X.h'A..`.....5V).k4s.I..U.:...T.7.w..B9.i.0..7j.7.....X...NBc.a.3.....0.2.%.....rj........v...zv......Y.37.\|.D.0..Psr...m..,.VO...1....TR...EE1.O0.%.q..G.r,..... i...!W.#.(....&.[GSW....%<....d...).....(....,I..2?......mvtF.$..2.9./...X.%W.Vj.a........P,...40...T6.."........pjb:.Y#=;..[.....'.\.+...N..4n..rS.....G..#\&.%..\|b.$.>.J.y.2ypN[.H.....h.....)....I\|...8.......2.:..=.....oj..-.d...3.H$........L...v...y....W.MO...........#1.._;6.......Q..+$.H.~...32uPi.s..f?...nb.....r.:.h:.....8..w.~ E....3.E.5p..8..;....0..w;_...c......[...VA....B.<.

C:\Users\user\AppData\Local\Temp\Bond

Download File

Process:	C:\Users\user\Desktop\99awhy8l.exe
File Type:	data
Category:	dropped
Size (bytes):	930463
Entropy (8bit):	6.626263032885086
Encrypted:	false
SSDEEP:	24576:eJs7DlG83U/hcSO3UTyYPeuZtxY+8aiB8ea:eC7hGOSPT/PxebaiO
MD5:	7B40CADEF1DED67A46BD0659C6CC374D
SHA1:	3A03378D6A51FF618F713E67A684F37DEA01922D
SHA-256:	F7827E5CBEBA48532109208753A4E8DDE264B7FB21E230A963C2C3684248296C
SHA-512:	AC51DB075FCA42FA9AF601B85B3EC915B070DD6CF877994046CAA6BA16EF216C44E0624FD1663142997B087AA711C147DE68CB1B243DA8135B7FD214675E7146
Malicious:	false
Preview:	..........3..%M..M..M.K.j.^j.....P.f;.U.^t..u.j.[.^...................^...........i....$..D@.j.Xf;...<.....3.f..t..E.@.E......B.f;.P...u.......:.u.E.3...f9P........E..U..L..3.f9A........9........9........9........9........9!.......9#~h...... .................................................U...............E..E.}.t...PG......x....E.M..U..e....A.j.Yf9H...<....U.JO..t.....U.........}.....E...........t....0.....x....U..E........;.............8........E..E.}.\...PG.%.....`....K..E.......!..'....A.j.Yf9H........m...........].C.]...........u.E..u..u..u.P.E.P.u.W..................A.j.Yf9H...J....E.HO..\.....E...!.....e.....E...........\....>.....`....E..E.........;............3..3....u.3..u..u..u.RQ.u.S.a.....x...M.......M........t..........h.........M.......\........M....._..^[......I.............M..U................A.j.Yf9H...S....}.........Z....A.j.Yf9H...W....E.E.}.M.PG.\|....E..E......E..E.}.h...PG.[.....l....E......M..U.9E............................E.HO.}

C:\Users\user\AppData\Local\Temp\Exotic

Download File

Process:	C:\Users\user\Desktop\99awhy8l.exe
File Type:	data
Category:	dropped
Size (bytes):	81920
Entropy (8bit):	7.997528162195504
Encrypted:	true
SSDEEP:	1536:+E0F2mTU5NOZtQNIlta3BFUBNqyDyz9vudb+QxQvrHxA3j6MXDBpYdCGAo8:+EaLoYzta33kqyOZOb+/vrRA3+MH2CFt
MD5:	7D0BC01BE7120C9430AEFDE09261AE99
SHA1:	F13D1476CA39FA84A3050E4FB1856C7C92861F89
SHA-256:	A4AC99467D4F925BFA62FAD61A5EBF3E150D414F56C90C034A7E35F04DDD0F28
SHA-512:	BE1F4FDA51F2B909C9B64D78A9F34FA783665A12D1E70196CA52D262E1BD470319A1900F8FFAEA04EA385D5E075A61B834091B54DBAD31EBF41830927A94D08F
Malicious:	false
Preview:	_..Z.@.B.\.n.0t.h7H.l....9.q.....}8..T..>w.u...yk...\.........H....],....tn.L.lt..V.....=.:.`^.._...6..k.YG...".lH.Z9..}).7..."..w...NJo...1......W..1.bhE...p...[.Ey.2...?.5km..n..w../.../V.e..,.8.n.c..8O..K..X68.Nr.....#..Q..:...T/..\...u(...m.g.\|..t...l..y?..X.\....PU...J..8[. GI...\|..:...!i._..S...- ^m...\|.K...........U..~....M.....r.E..{.aL.=3`.M\^@."T.w+L.3...D. ....J.c.5.L)-..tb.Z......N.@qW.M...z'..f......q..j.......:m=W.,.u.....P?....Z....,.M.n.R=U.B.....;...d%..,[.M...w}.c.4...{w_.A....m...&Q..6D..KI$/.U...^...".h...).,c-~.....,....W..Q..L........!-..%..C..E.7....lm0@E.0...L..km.B..t..J..+..knb..753.pYxM..c.........l~6..X}.Iy.F...fa.y.(..8-.[.[$DV..$.d.&...i...R._=....!7,E`./M.......K....]..p.....`..6..V..!....=0..Vr......\|kmy...x.9 .h..._.^\|g..........e2......N.\..GaY........G....=s0.....L.EM.~L.Z.......mx.....A6.I0j...i........>9.I....E..'E..$z...C}>.@"..K..._.......+.g/.a..;(...OF..z."..0.I.2.....%h.[....:.;E...%..4

C:\Users\user\AppData\Local\Temp\Hill

Download File

Process:	C:\Users\user\Desktop\99awhy8l.exe
File Type:	data
Category:	dropped
Size (bytes):	13345
Entropy (8bit):	6.3693240056054465
Encrypted:	false
SSDEEP:	384:BlFuOqohnWzR7NNilkEdpMMKAdbLPlUccucHU0f//+5:DFxfhnWz8kETRZbRUccWk+5
MD5:	2BCA8A1BCBC57478FD079C572A2DADBC
SHA1:	FD6E370BB531C34ED8F94916C09F3B96FE836D23
SHA-256:	780B30A011C2A4BE6884BCBCD69087C6660309832FACFFDD5D21DF6BB6408007
SHA-512:	AFB31A261BACD35271CD13F85CC0E9210249238485B852F2EA863747F7EBAC60B6D9278C36C1A233BBB82452B88E3CE55C31AEBE5BDF72088752ACBA2C0DD8D0
Malicious:	false
Preview:	PEACEFOLKSEXUALISLANDS..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;...h...h...h4;mh...h4;oh...h4;nh...h..[h...h..i...h..i...h..i...h...h...h...h...h...h...h..i..h..i...h..ch...h...h...h..i...hRich...h........PE..L...!..^.........."...............................@.......................................@...@.......@........................\|....P..h............J.......0..@v...........................C..........@............................................text...%........................... ..`.rdata..............................@..@.data...\|p.......H..................@....rsrc...h....P......................@..@.reloc..@v...0...x..................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Impacts

Download File

Process:	C:\Users\user\Desktop\99awhy8l.exe
File Type:	ASCII text, with very long lines (962), with CRLF line terminators
Category:	dropped
Size (bytes):	21398
Entropy (8bit):	5.096060543303146
Encrypted:	false
SSDEEP:	384:VM4rCm9Qpj5gNxMopDjxjbeU9Y1tETtte+hsn2wZGyd6wBeXVf5eZg1+PNUvg6A/:V0tpVgzd+UitET3WnxCVf4IYO46UZik
MD5:	E66BCE26CC9F5EA1C9E1D78FDB060E57
SHA1:	5A83A6454CB6384FDAAF68585D743DA3488EED28
SHA-256:	34E6B48E8A53C7F983F7944C69764CBAC28FBD0D2283E797506D0E256DEBF3D2
SHA-512:	94EF52636660FB3D7AADC10459460781D95E1D83389E3519F19D093806F273B330B4596F03AC1F9268AAD45A244E537FF6D0BA773BE33C627FE86F18128BFF7E
Malicious:	false
Preview:	Set Insulin=9..xiAthletic-..JQQty-Cuisine-Deposits-Sciences-Optimum-Assign-Marijuana-Tr-..ealPRadios-Philip-Passes-Tommy-Zip-Violence-Plc-..mqoRx-..HLCrude-Chemical-Angela-German-..HnBEvaluations-Executives-Scoop-Volvo-Impressed-Bruce-..Set Playboy=T..WEbOAirplane-Peterson-Practice-Strikes-Flux-Pub-Asthma-..dIcUtc-..tfVEmotions-Yes-Nav-..dxTSubdivision-..GYIncentive-Thinks-Meta-Provide-..OBJose-Ocean-Shock-Emerald-Captain-..jXQRAmended-Discrimination-Chocolate-Seasonal-Boutique-..afYStephanie-Softball-Roads-..fYuVictims-Beautifully-Made-Gene-..QzOkMonte-Oral-..Set Motorola=o..DoyFlexible-Tutorials-Bin-..HrNotebooks-Caroline-Pushed-Clone-Ejaculation-Workers-Another-..jeQtDuck-Styles-Actively-..IXBePart-Appears-Sean-Worlds-Isbn-Meals-..KKBook-Reputation-Wiley-Overnight-..grpHMw-Gaps-Resolutions-Banner-..XmVaProfiles-Manual-Primarily-Vernon-Know-..zfAmLogged-Fisheries-Horses-Weed-Mortgage-End-..dnRoutines-Tap-Port-Aurora-Diving-El-..Set Catalyst=C..sDKOrleans-Reserve-Airplane-Zambia-..iMl

C:\Users\user\AppData\Local\Temp\Impacts.bat

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (962), with CRLF line terminators
Category:	dropped
Size (bytes):	21398
Entropy (8bit):	5.096060543303146
Encrypted:	false
SSDEEP:	384:VM4rCm9Qpj5gNxMopDjxjbeU9Y1tETtte+hsn2wZGyd6wBeXVf5eZg1+PNUvg6A/:V0tpVgzd+UitET3WnxCVf4IYO46UZik
MD5:	E66BCE26CC9F5EA1C9E1D78FDB060E57
SHA1:	5A83A6454CB6384FDAAF68585D743DA3488EED28
SHA-256:	34E6B48E8A53C7F983F7944C69764CBAC28FBD0D2283E797506D0E256DEBF3D2
SHA-512:	94EF52636660FB3D7AADC10459460781D95E1D83389E3519F19D093806F273B330B4596F03AC1F9268AAD45A244E537FF6D0BA773BE33C627FE86F18128BFF7E
Malicious:	false
Preview:	Set Insulin=9..xiAthletic-..JQQty-Cuisine-Deposits-Sciences-Optimum-Assign-Marijuana-Tr-..ealPRadios-Philip-Passes-Tommy-Zip-Violence-Plc-..mqoRx-..HLCrude-Chemical-Angela-German-..HnBEvaluations-Executives-Scoop-Volvo-Impressed-Bruce-..Set Playboy=T..WEbOAirplane-Peterson-Practice-Strikes-Flux-Pub-Asthma-..dIcUtc-..tfVEmotions-Yes-Nav-..dxTSubdivision-..GYIncentive-Thinks-Meta-Provide-..OBJose-Ocean-Shock-Emerald-Captain-..jXQRAmended-Discrimination-Chocolate-Seasonal-Boutique-..afYStephanie-Softball-Roads-..fYuVictims-Beautifully-Made-Gene-..QzOkMonte-Oral-..Set Motorola=o..DoyFlexible-Tutorials-Bin-..HrNotebooks-Caroline-Pushed-Clone-Ejaculation-Workers-Another-..jeQtDuck-Styles-Actively-..IXBePart-Appears-Sean-Worlds-Isbn-Meals-..KKBook-Reputation-Wiley-Overnight-..grpHMw-Gaps-Resolutions-Banner-..XmVaProfiles-Manual-Primarily-Vernon-Know-..zfAmLogged-Fisheries-Horses-Weed-Mortgage-End-..dnRoutines-Tap-Port-Aurora-Diving-El-..Set Catalyst=C..sDKOrleans-Reserve-Airplane-Zambia-..iMl

C:\Users\user\AppData\Local\Temp\Myth

Download File

Process:	C:\Users\user\Desktop\99awhy8l.exe
File Type:	data
Category:	dropped
Size (bytes):	46509
Entropy (8bit):	7.9957815986189384
Encrypted:	true
SSDEEP:	768:Yn1x3F/3cHAj3fB9AaAEqgqFHZdv1Z0S+b0CrN9xAIpJA+PvgkH8AwDBabKsNvEp:Y1ZF/sgTXAHE9qFHZdv0SDCrN9x13g7x
MD5:	85DBC3D77F4DCDE7FC0C62BCE25F21F5
SHA1:	C530CA9B4FFE7D07F54EBA33FD3E313679C9ABB5
SHA-256:	2F5EAD4A5C318263671E35CD675A6D3FF1CE1F483422000DD8CCDD592BAB2ADD
SHA-512:	99FB163A5568AA83555146DBBCF30014E6E860A79C57E5FAA2F6950201C7460D48FF28A52C2236622D22D352EC9ABB676AF46746DA63B7CEC3420DA0DCB50667
Malicious:	false
Preview:	5......?......K..Dw.....oE..A...p.G7?l......d.).h..Gz.$.H..VH.6.'..2.:.....!.1."...pPP...].M..+. ...4.x...'....].]S..Yh-~...k..>B...MN..._.......amx.....h.,B2K..k...Z2 \..d.'.!.F.cF-]..:\|. (.>Oe...!....o.f..s.....c0_...9...=...a%Hy8.R+"W..E.Q}xu-,7.=.B.E5S]. ..d.`..b..>....W..!'.W.<E..a..z..q.C.Z.U.E.rC]..n..}.ix.t=2.'...j<HP.........j.(`..Y.c.g.B$.......]_bbX#.U.m.Z&.eI...0.....T3..7.....X?..WU. ..4...aA...v...5_A;...K^..x...;........HK..T}....&...<l..\|...+...'f.t..XN....{@.wG.C.}9.XE.............zH..N.8.hm....'..2"..&.....M..o.^o....RgK..3LT;.9...8.,..y.f..$.5.".S..y.-...l.~.......=~i.1c.v..}..Js.hmNLK]....v.3.R..kK....u\|.T...h..HR....N:..JQ..........F.D/...O.......s@k...F...../...b..d.p...z.^HtY..6.i"..8.GP.%...eA.O...E...}.....n.7.%../5......1...C.qX.....y..h..I/.}...}.G.9....k..b....W.........Si................h...e....`%...x..!8.Sjk..Go..7Z.]...,...a.....C...V.p@...I.`bM&.9.v=...sZ.99...Rj..8M...1..z....,.......b.*....5..

C:\Users\user\AppData\Local\Temp\Relief

Download File

Process:	C:\Users\user\Desktop\99awhy8l.exe
File Type:	data
Category:	dropped
Size (bytes):	59392
Entropy (8bit):	7.997288250006397
Encrypted:	true
SSDEEP:	1536:jAikGcmxcFMDX0pba9x06zoKTk4M5xZeS34JSZsm/XfyTiKRDk4v5:jAf8EO9xjy4tRDYq
MD5:	EE03E70A965BAFB53B08E19F72DC0789
SHA1:	30E9322A1A61FF9E977FD8B04C1991A1CCB71A23
SHA-256:	DD1E7AF944824CFE1598EB0B917D9D9B2B62607F61A42EFABBCED5B4BACBCD8E
SHA-512:	7A330B5C06FB709E7D16B6B45C2694E98129278F5DAFE240A17870ED19226A1391F8173D34888824EFE8A0A6F7D67CB18E6DFBD16435DF6D242E58FF48A81E8D
Malicious:	false
Preview:	..........8.....~..e...k%....i..>.b[..1\|..}.@...fg..y.E.!....vb.....7...BA:%IYX..;.u/.6.fm.S).^.n.!Bv...[CK.;...+..N.:......\...]R.mi~...R.;.!.)..yM.D.@..Q...B.....4.9..(..tA.p..o].D.....O...e0.p..$HQ.+pDB ^8...n@...k?...."$.!..9ni}Z~k.B....9PkW.:.9YS..\I.-...q.]mS.Z...M...5....DS.=.o...`=.T...U..$....#.C....\.J..wi..^?..m.l.....LL...Eb..p<.D...$...Y.m...WE....Z^.........`.>.;..?...I.A.S.GH.Su.Y&...`...i ..o!#$.F.mn.....gm....%...;i;X...QJqX...+.......}....qi....&xL.un...}<...2(..5...2.t..]]....iIM.....Fn.....pZ.../G..B....+).V.H.g..H.\|Ui'....N.....0......}.....~m.a.bZJ.f.mn....&.......g:@J....c.....2.6..+v.Y......jo.WNf...".2.....D...U..G.dj.^..'eQ=X.9h.L.....'....v...]...bu..2}.q...0,.`...........c...n..h..$.P..4KEa..,.....l.J.....V\..Q..M.%.........8h....s..4.N....J}...\.Z.M...;......Kq...J].zqO[/.u..V.k...G...u..,g%<.......X...U'...8...f.'.)uU....g..P;..q.)....m...Qo_7.!OL.lKH....B...m..+?.@.P3.\.~B.....}....}.e...{.@...0.1.yk).4

C:\Users\user\AppData\Local\Temp\Seo

Download File

Process:	C:\Users\user\Desktop\99awhy8l.exe
File Type:	data
Category:	dropped
Size (bytes):	71680
Entropy (8bit):	7.997597718367495
Encrypted:	true
SSDEEP:	1536:jeS39xOyfbkvVl1AjppdmDnZQoY3abbdWkKX3e:VNxO8bkvVnUFwZLbxrh
MD5:	6F4CF6A0C8B09BF525BE59CD5684D6C8
SHA1:	56E4AC49946C614EC8E61285FB3782CA038DE7EB
SHA-256:	6516B9CE395EEBEFA884A003EDE2FEF81D68200F6C0B3EC11E70C2FC41E02AE8
SHA-512:	B733E2C78BEAABBD6221805E26CD3CC5C452C43D69AFFCA69C4693C19B9BF6438B7B28602D419A3DA660FA56DBF388C7E3C41F9C3095C9EEBCF2943C1671DFBE
Malicious:	false
Preview:	7]...cF.{.....v.........[.PO...y...E.DZ0/F2.X. ..7..m..F.].M:Nn..P....,......gTA.>#.>....i?U.,x......N.y.]y....Z.....{.D.-+.U0..E..X.......S..E..{...=".JU...c..<....s...k........%.v.......%.tA.h..)..)...H.....x@u..D..0S./.......m\".OR.AVy..#Q..../L..Z."....(. ...R....7...z...Y....Av.p..;.$.{n.@.....6p.w.e.......:...d.(..,9 .J.5.3......x.Waj.AS_.E.<...B....4DU.=....S~.....Bf~[..u..K1`.'H.......E.....6.........),@..)_.......bt..]D^.@...U.6..T...IV.a../)I@.4....{..0..Vi..KAD....2B..x...'k.../_r.:;....1.....g.....q..;...M.m...&D....w.N4.i.b.`.fUO....h@....^........b. ..W^S_.....8...7.w..7...n./..(..\|....Y&..}..V....v%m...6'...............~k..DD..tV...Ei..y.R.J.N.O.2...z...C....q.2a..4.....=1.E..K'...7..t.(.F.r......-.QG...H.%.....9.n.v...d.u.........7..h.-..........V......$...6.^..2y..b..[..04...}w..7....;.L...g..C..{.f.p.p.."..y..y....yM..;..A....=...6.yR./..Ulk...../`...+NI...l.3(...@....Yq.........A..m\|`..._04Bp.....T..l...

C:\Users\user\AppData\Local\Temp\Serious

Download File

Process:	C:\Users\user\Desktop\99awhy8l.exe
File Type:	data
Category:	dropped
Size (bytes):	71680
Entropy (8bit):	7.997564660942317
Encrypted:	true
SSDEEP:	1536:JT9wmoGm6nR2UyNiwK3Ls9bqrkEqFIQuyCQXGKcZxAiCDitMTuV9Rgs:veFNiwK3Ls92LaIQkQXGKcZxmDr6TR/
MD5:	2DA24E10CF4770B7966E05652562D615
SHA1:	66E4F5DF755F7B27EF21F416897D66865037D33F
SHA-256:	C3B15B9B25C1F22EB43C6081B20984733A5E073FAB87D50F994C631D0295EDC2
SHA-512:	0749F8FF49A59AE4143E2F2D5A29EBA83BCF92E30A720000ACBA75C5E51C669AF32511DA016FE8A73A00D3A12EBC0E8D60FC47FFD81F0CC46DB348D851BB3287
Malicious:	false
Preview:	.gj..K..]Rsv.&.x.~.AC....WfN...u..8Eg... >....r....tTD.p+:)CW.........ly..&`...J.~......$..wi.......\.........Y.H.XV...9~.Z._h.<.8W.O.U./......4.S.g....d...+..FI..X#..b..Mfr........dq.5F.N>.......S.....Z.h.\.#......\|&.D..1.e....{..#.2q.bU.\|Ue.Ow.R.'>....$.1W.u.A.%..0N..>...8;@.>...f.....-.[.8.4..._...0..G....H.(..E.....j...c&....~..W.XFX..v~.u.Q..\|B.QF.K.>...y.... zKcL.&6..8rFE..B...Uw0...[...UMW.]...h.q..7..M...c........b.=.....q.......~..q.e..K....!!C2V.]`A...:IE.I.-I....B.....*.[.v?]...x...]k..?U..P.=up..K....7T.....D...H...\....-]...B.@-.@..4.AL.f..3...A.N..y+h.i.7...d.1lS0..nk....Bv..b......$.{..}......h..;..L`.KZ...$....... uS^.h[.].FM.Z...\|.,.zOms.E...\|.../..819...k..m.b...]n..of.s.Mu6,..ou.A8...Y.oICM.p6..Z..ozIv.&.ui...wt..u....o.!.}.C.z..U$..X{....z.c!..`..wN ......p...cY.g.d....L.....Vnq5.o.D..F.]....d.a_(D.I ..&.C.<........!...O.jN..W.\|2....i~..C........[<.....H...ju...c..W6...=.....R3\|L.X.....`}...&X?TVp.....h.}.u

C:\Users\user\AppData\Local\Temp\Von

Download File

Process:	C:\Users\user\Desktop\99awhy8l.exe
File Type:	data
Category:	dropped
Size (bytes):	64512
Entropy (8bit):	7.997028210579964
Encrypted:	true
SSDEEP:	1536:PTOvNPPbcHLENzi/VqM0RjFP4R61FHzGhS:PKvNYHL6cwFC6PyhS
MD5:	5A749362858179E1BC70FD9136A6E9A2
SHA1:	F1CC590B577E975264B0EA2FFC7F3F160F0B9D4B
SHA-256:	926245EF744666E70E2314588590360D3693EF707FAD21FD615DCEEF34ADAC79
SHA-512:	FAF1A5C47724A0BB25926A52E2F99A17CE573B929D71BC463BCE81AF83D5C9F347DD735A128FC6643E890325CF9F72739DFDF6CF15F574CA83B2BD6AF8886781
Malicious:	false
Preview:	Zn..V..h...........3..ZL[.4..}.....A..jY.-DJ6..p...h.<~.fn'i..IX..y......X.6[..4t.X.fS[x..h..M/......\|.......}_.....Wz.v...y..,.m...r..`d..6.j.N?.2...:..../`._.7..b.N<....F.^!..4..g.F...7G_.pS..b..9\._..V^.N.j.otR...oA.K..de.05!X....H#..s.iZ.)~a....-.:.r.thB][.Bn.w...Us...VI.a.Tb.W.X.d..3^...he.Q.I.^K.(.z;.BC..6...6.je.T...kY.K....~^....M....!.?..@..L...B......(......HH.MS1...,..(b..\|.ULI.I'.I>.,........K.o.?..........$.x]P.u.;J..i=...:.u...o.ajY..R...E.y.."....EnYo.o.w....."^.x..ql.X4...F....SD.D.....I..9..0..<q..6m[.."J..i..dLj...:S.#.........6..W...O.......zkh...3.F.....tA%H..ttBp..i.r...t"...t...X..U.1nWL....V.5F...:<z..M.l.T.z."/y..!.t..C.....j....}.....%~..n..<.Z$YX.\2.f.I+.d..~....NA:......=3.....Y.S........efjP<...2..hHJ..~s..9.K.\.6..(3..M..9.p....r$'f...x.?N4.c.[].:..h...9.9..........."m..R.. .V.5.M......WB.y.......I+.7/..........A....n....n.L.X.....J...q..........,A.V.....\|.......]v..8.i..Q..v..h...S..!.P.?.5...^.....3

C:\Users\user\AppData\Local\Temp\Webpage

Download File

Process:	C:\Users\user\Desktop\99awhy8l.exe
File Type:	data
Category:	dropped
Size (bytes):	84992
Entropy (8bit):	7.997963416353012
Encrypted:	true
SSDEEP:	1536:I701TFJ6xLAR1Q4WV08RwMVfvRKdCGRp0qmUmrGRTAzFXFjiu:I7M+tyQVlRwMFkdCGRrmUmpHF
MD5:	EC148BB551BBB361764151AD22CF677C
SHA1:	66CAC1953AED306861B7F7C45E1DEE2EDBED182B
SHA-256:	AD3DDD66FEA4121607CC43FC547B18B55379345390D9E61112F51DDDDA936988
SHA-512:	ED99E7712AF09F85DF36B7DF401238BCF6EC89E8E8587E32562582C318D045A32769B435ACD3130B0331458BB826143DB15FC45B056B2369D43478D35EB24762
Malicious:	false
Preview:	K;G.PU.0....&.ym......s(.+.W.Y.-..5U.Z....?..6..":...~..%.f.lJ.T..#^y....}.`...4m..m..s..,v..k...........:..2.>Z..........P`..5.}...P.i8.V.Cj...3..]....s.V....e...\5..\8..E".>.......!4._.^.h.F...-..%@.H.-n?.K.9.%.7O.....S7A..@C..n..._....Q ..5.. ..e.\......?....X...s... ..}A....E.$k..g"s....#%..#.O.q..h.N.....OP.R....HQ...m.d...1..I..C.....c.:.?.#..[\.......$.q.......?M...j^.%.....x.;...d..X.h'A..`.....5V).k4s.I..U.:...T.7.w..B9.i.0..7j.7.....X...NBc.a.3.....0.2.%.....rj........v...zv......Y.37.\|.D.0..Psr...m..,.VO...1....TR...EE1.O0.%.q..G.r,..... i...!W.#.(....&.[GSW....%<....d...).....(....,I..2?......mvtF.$..2.9./...X.%W.Vj.a........P,...40...T6.."........pjb:.Y#=;..[.....'.\.+...N..4n..rS.....G..#\&.%..\|b.$.>.J.y.2ypN[.H.....h.....)....I\|...8.......2.:..=.....oj..-.d...3.H$........L...v...y....W.MO...........#1.._;6.......Q..+$.H.~...32uPi.s..f?...nb.....r.:.h:.....8..w.~ E....3.E.5p..8..;....0..w;_...c......[...VA....B.<.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.972177038658198
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	99awhy8l.exe
File size:	1'010'330 bytes
MD5:	4f2e93559f3ea52ac93ac22ac609fc7f
SHA1:	17b3069bd25aee930018253b0704d3cca64ab64c
SHA256:	6d50bd480bb0c65931eb297b28c4af74b966504241fca8cd03de7058a824274d
SHA512:	20c95b9ee479bf6c0bc9c83116c46e7cc2a11597b760fd8dcd45cd6f6b0e48c78713564f6d54aa861498c24142fde7d3eb9bd1307f4f227604dd2ee2a0142dbe
SSDEEP:	24576:dzzQ6EO7NXtAj50dzB1l1MSNo3X0QRqSGcx7D:FQ6EO7NXWjSzB7qSyX7XFD
TLSH:	50252304EEA5E46EDEE30AF432F1C6901871BD7418F1E01F4374B68A7A736CA886D657
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n...t...B...8.....

File Icon


Icon Hash:	cc9ae444653392cc

Static PE Info

General

Entrypoint:	0x403883
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x4F47E2DA [Fri Feb 24 19:19:54 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	be41bf7b8cc010b614bd36bbca606973

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 00409268h
mov dword ptr [esp+14h], ebp
call dword ptr [00408030h]
push 00008001h
call dword ptr [004080B4h]
push ebp
call dword ptr [004082C0h]
push 00000008h
mov dword ptr [00472EB8h], eax
call 00007FDAF91E6CCBh
push ebp
push 000002B4h
mov dword ptr [00472DD0h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebp
push 00409264h
call dword ptr [00408184h]
push 0040924Ch
push 0046ADC0h
call 00007FDAF91E69ADh
call dword ptr [004080B0h]
push eax
mov edi, 004C30A0h
push edi
call 00007FDAF91E699Bh
push ebp
call dword ptr [00408134h]
cmp word ptr [004C30A0h], 0022h
mov dword ptr [00472DD8h], eax
mov eax, edi
jne 00007FDAF91E429Ah
push 00000022h
pop esi
mov eax, 004C30A2h
push esi
push eax
call 00007FDAF91E6671h
push eax
call dword ptr [00408260h]
mov esi, eax
mov dword ptr [esp+1Ch], esi
jmp 00007FDAF91E4323h
push 00000020h
pop ebx
cmp ax, bx
jne 00007FDAF91E429Ah
add esi, 02h
cmp word ptr [esi], bx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ C ] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9b34	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf4000	0xae0e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xe9c32	0x2868	.ndata
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7a000	0x964	.ndata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6dae	0x6e00	00499a6f70259150109c809d6aa0e6ed	False	0.6611150568181818	data	6.508529563136936	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x2a62	0x2c00	07990aaa54c3bc638bb87a87f3fb13e3	False	0.3526278409090909	data	4.390535020989255	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb000	0x67ebc	0x200	014871d9a00f0e0c8c2a7cd25606c453	False	0.203125	data	1.4308602597540492	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x73000	0x81000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xf4000	0xae0e	0xb000	f09ea21a9398da829bd1e272ad3e2e35	False	0.8280362215909091	data	7.365382295285779	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xff000	0xf32	0x1000	081257ebbd386a9d639b8d6742b52f2e	False	0.600341796875	data	5.521292783994108	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xf4220	0x6a64	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced	English	United States	0.9994125422235277
RT_ICON	0xfac84	0x2668	Device independent bitmap graphic, 48 x 96 x 32, image size 9792	English	United States	0.5283767290480065
RT_ICON	0xfd2ec	0x1128	Device independent bitmap graphic, 32 x 64 x 32, image size 4352	English	United States	0.6293260473588342
RT_ICON	0xfe414	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.8049645390070922
RT_DIALOG	0xfe87c	0x100	data	English	United States	0.5234375
RT_DIALOG	0xfe97c	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0xfea98	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0xfeaf8	0x3e	data	English	United States	0.8225806451612904
RT_MANIFEST	0xfeb38	0x2d6	XML 1.0 document, ASCII text, with very long lines (726), with no line terminators	English	United States	0.5647382920110193

Imports

DLL	Import
KERNEL32.dll	SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll	GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll	RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-18T11:55:41.372570+0100	2057269	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (worddosofrm .shop)	1	192.168.2.6	53120	1.1.1.1	53	UDP
2024-12-18T11:55:41.597135+0100	2057267	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mutterissuen .shop)	1	192.168.2.6	59331	1.1.1.1	53	UDP
2024-12-18T11:55:41.822500+0100	2057265	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (standartedby .shop)	1	192.168.2.6	54170	1.1.1.1	53	UDP
2024-12-18T11:55:42.104865+0100	2057263	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nightybinybz .shop)	1	192.168.2.6	60668	1.1.1.1	53	UDP
2024-12-18T11:55:42.349836+0100	2057259	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (conceszustyb .shop)	1	192.168.2.6	60251	1.1.1.1	53	UDP
2024-12-18T11:55:42.586147+0100	2057261	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bakedstusteeb .shop)	1	192.168.2.6	50456	1.1.1.1	53	UDP
2024-12-18T11:55:42.818294+0100	2057257	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (respectabosiz .shop)	1	192.168.2.6	49460	1.1.1.1	53	UDP
2024-12-18T11:55:43.047086+0100	2057255	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (moutheventushz .shop)	1	192.168.2.6	61645	1.1.1.1	53	UDP
2024-12-18T11:55:45.153733+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49790	23.55.153.106	443	TCP
2024-12-18T11:55:46.032230+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.6	49790	23.55.153.106	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 11:55:43.539526939 CET	49790	443	192.168.2.6	23.55.153.106
Dec 18, 2024 11:55:43.539580107 CET	443	49790	23.55.153.106	192.168.2.6
Dec 18, 2024 11:55:43.539697886 CET	49790	443	192.168.2.6	23.55.153.106
Dec 18, 2024 11:55:43.762068987 CET	49790	443	192.168.2.6	23.55.153.106
Dec 18, 2024 11:55:43.762105942 CET	443	49790	23.55.153.106	192.168.2.6
Dec 18, 2024 11:55:45.153665066 CET	443	49790	23.55.153.106	192.168.2.6
Dec 18, 2024 11:55:45.153733015 CET	49790	443	192.168.2.6	23.55.153.106
Dec 18, 2024 11:55:45.155735970 CET	49790	443	192.168.2.6	23.55.153.106
Dec 18, 2024 11:55:45.155759096 CET	443	49790	23.55.153.106	192.168.2.6
Dec 18, 2024 11:55:45.156045914 CET	443	49790	23.55.153.106	192.168.2.6
Dec 18, 2024 11:55:45.361471891 CET	49790	443	192.168.2.6	23.55.153.106
Dec 18, 2024 11:55:45.394387007 CET	49790	443	192.168.2.6	23.55.153.106
Dec 18, 2024 11:55:45.435338974 CET	443	49790	23.55.153.106	192.168.2.6
Dec 18, 2024 11:55:46.032299042 CET	443	49790	23.55.153.106	192.168.2.6
Dec 18, 2024 11:55:46.032325983 CET	443	49790	23.55.153.106	192.168.2.6
Dec 18, 2024 11:55:46.032334089 CET	443	49790	23.55.153.106	192.168.2.6
Dec 18, 2024 11:55:46.032346964 CET	443	49790	23.55.153.106	192.168.2.6
Dec 18, 2024 11:55:46.032354116 CET	443	49790	23.55.153.106	192.168.2.6
Dec 18, 2024 11:55:46.032397985 CET	49790	443	192.168.2.6	23.55.153.106
Dec 18, 2024 11:55:46.032424927 CET	443	49790	23.55.153.106	192.168.2.6
Dec 18, 2024 11:55:46.032435894 CET	49790	443	192.168.2.6	23.55.153.106
Dec 18, 2024 11:55:46.032475948 CET	49790	443	192.168.2.6	23.55.153.106
Dec 18, 2024 11:55:46.209455013 CET	443	49790	23.55.153.106	192.168.2.6
Dec 18, 2024 11:55:46.209470987 CET	443	49790	23.55.153.106	192.168.2.6
Dec 18, 2024 11:55:46.209520102 CET	443	49790	23.55.153.106	192.168.2.6
Dec 18, 2024 11:55:46.209537983 CET	443	49790	23.55.153.106	192.168.2.6
Dec 18, 2024 11:55:46.209582090 CET	49790	443	192.168.2.6	23.55.153.106
Dec 18, 2024 11:55:46.209659100 CET	49790	443	192.168.2.6	23.55.153.106
Dec 18, 2024 11:55:46.209666014 CET	443	49790	23.55.153.106	192.168.2.6
Dec 18, 2024 11:55:46.209791899 CET	49790	443	192.168.2.6	23.55.153.106
Dec 18, 2024 11:55:46.217396975 CET	443	49790	23.55.153.106	192.168.2.6
Dec 18, 2024 11:55:46.217489958 CET	443	49790	23.55.153.106	192.168.2.6
Dec 18, 2024 11:55:46.217612028 CET	49790	443	192.168.2.6	23.55.153.106
Dec 18, 2024 11:55:46.242979050 CET	49790	443	192.168.2.6	23.55.153.106
Dec 18, 2024 11:55:46.243006945 CET	443	49790	23.55.153.106	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 11:55:20.194094896 CET	49497	53	192.168.2.6	1.1.1.1
Dec 18, 2024 11:55:20.426309109 CET	53	49497	1.1.1.1	192.168.2.6
Dec 18, 2024 11:55:41.124128103 CET	63673	53	192.168.2.6	1.1.1.1
Dec 18, 2024 11:55:41.342755079 CET	53	63673	1.1.1.1	192.168.2.6
Dec 18, 2024 11:55:41.372570038 CET	53120	53	192.168.2.6	1.1.1.1
Dec 18, 2024 11:55:41.594760895 CET	53	53120	1.1.1.1	192.168.2.6
Dec 18, 2024 11:55:41.597135067 CET	59331	53	192.168.2.6	1.1.1.1
Dec 18, 2024 11:55:41.820348978 CET	53	59331	1.1.1.1	192.168.2.6
Dec 18, 2024 11:55:41.822499990 CET	54170	53	192.168.2.6	1.1.1.1
Dec 18, 2024 11:55:42.102555037 CET	53	54170	1.1.1.1	192.168.2.6
Dec 18, 2024 11:55:42.104865074 CET	60668	53	192.168.2.6	1.1.1.1
Dec 18, 2024 11:55:42.331916094 CET	53	60668	1.1.1.1	192.168.2.6
Dec 18, 2024 11:55:42.349836111 CET	60251	53	192.168.2.6	1.1.1.1
Dec 18, 2024 11:55:42.571026087 CET	53	60251	1.1.1.1	192.168.2.6
Dec 18, 2024 11:55:42.586147070 CET	50456	53	192.168.2.6	1.1.1.1
Dec 18, 2024 11:55:42.814534903 CET	53	50456	1.1.1.1	192.168.2.6
Dec 18, 2024 11:55:42.818294048 CET	49460	53	192.168.2.6	1.1.1.1
Dec 18, 2024 11:55:43.043601990 CET	53	49460	1.1.1.1	192.168.2.6
Dec 18, 2024 11:55:43.047086000 CET	61645	53	192.168.2.6	1.1.1.1
Dec 18, 2024 11:55:43.281750917 CET	53	61645	1.1.1.1	192.168.2.6
Dec 18, 2024 11:55:43.302037954 CET	50529	53	192.168.2.6	1.1.1.1
Dec 18, 2024 11:55:43.439737082 CET	53	50529	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 18, 2024 11:55:20.194094896 CET	192.168.2.6	1.1.1.1	0xf47	Standard query (0)	GDinpHlLXN.GDinpHlLXN	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:55:41.124128103 CET	192.168.2.6	1.1.1.1	0x2a51	Standard query (0)	berrylinyj.cyou	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:55:41.372570038 CET	192.168.2.6	1.1.1.1	0xff7a	Standard query (0)	worddosofrm.shop	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:55:41.597135067 CET	192.168.2.6	1.1.1.1	0xe7bd	Standard query (0)	mutterissuen.shop	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:55:41.822499990 CET	192.168.2.6	1.1.1.1	0x4df9	Standard query (0)	standartedby.shop	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:55:42.104865074 CET	192.168.2.6	1.1.1.1	0x78cf	Standard query (0)	nightybinybz.shop	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:55:42.349836111 CET	192.168.2.6	1.1.1.1	0xb844	Standard query (0)	conceszustyb.shop	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:55:42.586147070 CET	192.168.2.6	1.1.1.1	0x81bc	Standard query (0)	bakedstusteeb.shop	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:55:42.818294048 CET	192.168.2.6	1.1.1.1	0x36f7	Standard query (0)	respectabosiz.shop	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:55:43.047086000 CET	192.168.2.6	1.1.1.1	0x6b14	Standard query (0)	moutheventushz.shop	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:55:43.302037954 CET	192.168.2.6	1.1.1.1	0x4138	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 18, 2024 11:55:20.426309109 CET	1.1.1.1	192.168.2.6	0xf47	Name error (3)	GDinpHlLXN.GDinpHlLXN	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:55:41.342755079 CET	1.1.1.1	192.168.2.6	0x2a51	Name error (3)	berrylinyj.cyou	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:55:41.594760895 CET	1.1.1.1	192.168.2.6	0xff7a	Name error (3)	worddosofrm.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:55:41.820348978 CET	1.1.1.1	192.168.2.6	0xe7bd	Name error (3)	mutterissuen.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:55:42.102555037 CET	1.1.1.1	192.168.2.6	0x4df9	Name error (3)	standartedby.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:55:42.331916094 CET	1.1.1.1	192.168.2.6	0x78cf	Name error (3)	nightybinybz.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:55:42.571026087 CET	1.1.1.1	192.168.2.6	0xb844	Name error (3)	conceszustyb.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:55:42.814534903 CET	1.1.1.1	192.168.2.6	0x81bc	Name error (3)	bakedstusteeb.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:55:43.043601990 CET	1.1.1.1	192.168.2.6	0x36f7	Name error (3)	respectabosiz.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:55:43.281750917 CET	1.1.1.1	192.168.2.6	0x6b14	Name error (3)	moutheventushz.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:55:43.439737082 CET	1.1.1.1	192.168.2.6	0x4138	No error (0)	steamcommunity.com		23.55.153.106	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:56:02.442996979 CET	1.1.1.1	192.168.2.6	0x6ad7	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 18, 2024 11:56:02.442996979 CET	1.1.1.1	192.168.2.6	0x6ad7	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.58.100	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:56:02.442996979 CET	1.1.1.1	192.168.2.6	0x6ad7	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.58.99	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:56:02.442996979 CET	1.1.1.1	192.168.2.6	0x6ad7	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.58.101	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:56:02.442996979 CET	1.1.1.1	192.168.2.6	0x6ad7	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.58.98	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:56:12.089227915 CET	1.1.1.1	192.168.2.6	0xa4f4	No error (0)	g-bing-com.ax-0001.ax-msedge.net	ax-0001.ax-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 18, 2024 11:56:12.089227915 CET	1.1.1.1	192.168.2.6	0xa4f4	No error (0)	ax-0001.ax-msedge.net		150.171.28.10	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:56:12.089227915 CET	1.1.1.1	192.168.2.6	0xa4f4	No error (0)	ax-0001.ax-msedge.net		150.171.27.10	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49790	23.55.153.106	443	1584	C:\Users\user\AppData\Local\Temp\578678\Cooper.pif

Timestamp	Bytes transferred	Direction	Data
2024-12-18 10:55:45 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-12-18 10:55:46 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Wed, 18 Dec 2024 10:55:45 GMT Content-Length: 25665 Connection: close Set-Cookie: sessionid=1f4c3f742201d1f26b5d977c; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-18 10:55:46 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-18 10:55:46 UTC	10097	IN	Data Raw: 3f 6c 3d 6b 6f 72 65 61 6e 61 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 6b 6f 72 65 61 6e 61 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e ed 95 9c ea b5 ad ec 96 b4 20 28 4b 6f 72 65 61 6e 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: ?l=koreana" onclick="ChangeLanguage( 'koreana' ); return false;"> (Korean)</a><a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a>
2024-12-18 10:55:46 UTC	1089	IN	Data Raw: 68 65 69 72 20 72 65 73 70 65 63 74 69 76 65 20 6f 77 6e 65 72 73 20 69 6e 20 74 68 65 20 55 53 20 61 6e 64 20 6f 74 68 65 72 20 63 6f 75 6e 74 72 69 65 73 2e 3c 62 72 2f 3e 53 6f 6d 65 20 67 65 6f 73 70 61 74 69 61 6c 20 64 61 74 61 20 6f 6e 20 74 68 69 73 20 77 65 62 73 69 74 65 20 69 73 20 70 72 6f 76 69 64 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 6c 69 6e 6b 66 69 6c 74 65 72 2f 3f 75 3d 68 74 74 70 25 33 41 25 32 46 25 32 46 77 77 77 2e 67 65 6f 6e 61 6d 65 73 2e 6f 72 67 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 20 72 65 6c 3d 22 20 6e 6f 6f 70 65 6e 65 72 22 3e 67 65 6f 6e 61 6d 65 73 2e 6f 72 67 3c 2f 61 3e 2e 09 09 09 09 09 3c 62 72 3e 0a 09 09 09 09 09 Data Ascii: heir respective owners in the US and other countries.<br/>Some geospatial data on this website is provided by <a href="https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org" target="_blank" rel=" noopener">geonames.org</a>.<br>

Target ID:	1
Start time:	05:55:13
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\99awhy8l.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\99awhy8l.exe"
Imagebase:	0x400000
File size:	1'010'330 bytes
MD5 hash:	4F2E93559F3EA52AC93AC22AC609FC7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:55:15
Start date:	18/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c copy Impacts Impacts.bat & Impacts.bat
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:55:15
Start date:	18/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:55:17
Start date:	18/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xa60000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:55:17
Start date:	18/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "wrsa opssvc"
Imagebase:	0x220000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:55:17
Start date:	18/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xa60000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:55:17
Start date:	18/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Imagebase:	0x220000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:55:18
Start date:	18/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 578678
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:55:18
Start date:	18/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "PEACEFOLKSEXUALISLANDS" Hill
Imagebase:	0x220000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:55:18
Start date:	18/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Webpage + ..\Von + ..\Exotic + ..\Relief + ..\Seo + ..\Serious + ..\Myth y
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	05:55:18
Start date:	18/12/2024
Path:	C:\Users\user\AppData\Local\Temp\578678\Cooper.pif
Wow64 process (32bit):	true
Commandline:	Cooper.pif y
Imagebase:	0x2d0000
File size:	943'784 bytes
MD5 hash:	78BA0653A340BAC5FF152B21A83626CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 5%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:55:18
Start date:	18/12/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0xfb0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	17.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.7%
Total number of Nodes:	1526
Total number of Limit Nodes:	33

Executed Functions

Function 004050CD Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040512F
GetDlgItem.USER32(?,000003EE), ref: 0040513E
GetClientRect.USER32(?,?), ref: 00405196
GetSystemMetrics.USER32(00000015), ref: 0040519E
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
ShowWindow.USER32(?,00000008), ref: 0040523A
GetDlgItem.USER32(?,000003EC), ref: 0040525B
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
GetDlgItem.USER32(?,000003F8), ref: 0040514D

Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

GetDlgItem.USER32(?,000003EC), ref: 004052AB
CreateThread.KERNELBASE(00000000,00000000,Function_00005047,00000000), ref: 004052B9
CloseHandle.KERNELBASE(00000000), ref: 004052C0
ShowWindow.USER32(00000000), ref: 004052E7
ShowWindow.USER32(?,00000008), ref: 004052EC
ShowWindow.USER32(00000008), ref: 00405333
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
CreatePopupMenu.USER32 ref: 00405376
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
GetWindowRect.USER32(?,?), ref: 0040539E
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
OpenClipboard.USER32(00000000), ref: 0040540B
EmptyClipboard.USER32 ref: 00405411
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
GlobalLock.KERNEL32(00000000), ref: 00405427
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
GlobalUnlock.KERNEL32(00000000), ref: 0040545D
SetClipboardData.USER32(0000000D,00000000), ref: 00405468
CloseClipboard.USER32 ref: 0040546E

Strings

{, xrefs: 00405352
@rD, xrefs: 004053D7
New install of "%s" to "%s", xrefs: 00405182

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: @rD$New install of "%s" to "%s"${
API String ID: 2110491804-2409696222
Opcode ID: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
Opcode Fuzzy Hash: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59

Function 00403883 Relevance: 54.6, APIs: 22, Strings: 9, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038A2
SetErrorMode.KERNELBASE(00008001), ref: 004038AD
OleInitialize.OLE32(00000000), ref: 004038B4

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
CoUninitialize.COMBASE(?), ref: 00403AD1
ExitProcess.KERNEL32 ref: 00403AF1
lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40

Strings

NSIS Error, xrefs: 004038E2
1C, xrefs: 00403B56
~nsu.tmp, xrefs: 00403AF7
_?=, xrefs: 00403A64
NCRC, xrefs: 0040397C
\Temp, xrefs: 00403A1B
/D=, xrefs: 004039A6
Error launching installer, xrefs: 00403A7D
SeShutdownPrivilege, xrefs: 00403C16

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
API String ID: 2435955865-239407132
Opcode ID: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
Opcode Fuzzy Hash: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E

Function 004074BB Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86

Function 004062FC Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
GetProcAddress.KERNEL32(00000000), ref: 00406327

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC

Function 004062D5 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
FindClose.KERNEL32(00000000), ref: 004062EC

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

Function 00405479 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
ShowWindow.USER32(?), ref: 004054D2
DestroyWindow.USER32 ref: 004054E6
SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
GetDlgItem.USER32(?,?), ref: 00405523
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
IsWindowEnabled.USER32(00000000), ref: 0040553E
GetDlgItem.USER32(?,00000001), ref: 004055ED
GetDlgItem.USER32(?,00000002), ref: 004055F7
SetClassLongW.USER32(?,000000F2,?), ref: 00405611
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
GetDlgItem.USER32(?,00000003), ref: 00405708
ShowWindow.USER32(00000000,?), ref: 0040572A
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040573C
EnableWindow.USER32(?,?), ref: 00405757
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
EnableMenuItem.USER32(00000000), ref: 00405774
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
SetWindowTextW.USER32(?,00447240), ref: 004057DC
ShowWindow.USER32(?,0000000A), ref: 00405910

Strings

@rD, xrefs: 004057B9

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: @rD
API String ID: 3282139019-3814967855
Opcode ID: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
Opcode Fuzzy Hash: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

detailprint: %s, xrefs: 00401679
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
Sleep(%d), xrefs: 0040169D
Jump: %d, xrefs: 00401602
Rename: %s, xrefs: 004018F8
Call: %d, xrefs: 0040165A
Aborting: "%s", xrefs: 0040161D
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
BringToFront, xrefs: 004016BD
Rename failed: %s, xrefs: 0040194B
CreateDirectory: "%s" (%d), xrefs: 004017BF
Rename on reboot: %s, xrefs: 00401943
CreateDirectory: "%s" created, xrefs: 00401849
SetFileAttributes: "%s":%08X, xrefs: 0040177B
SetFileAttributes failed., xrefs: 004017A1
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
Opcode Fuzzy Hash: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

Function 0040592C Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

lstrcatW.KERNEL32(004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0,-00000002,00000000,004D70C8,00403AC1,?), ref: 004059AE
lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
RegisterClassW.USER32(0046AD60), ref: 00405B0A
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B

Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30

ShowWindow.USER32(00000005,00000000), ref: 00405B91
LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BA2
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
RegisterClassW.USER32(0046AD60), ref: 00405BD3
DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2

Strings

@rD, xrefs: 00405965
B%F, xrefs: 00405A1F
RichEdit20A, xrefs: 00405BB6, 00405BBB
RichEd20, xrefs: 00405B9D
.exe, xrefs: 00405A3D
RichEdit, xrefs: 00405BC4
RichEd32, xrefs: 00405BA8
Control Panel\Desktop\ResourceLocale, xrefs: 00405972
_Nb, xrefs: 00405AD1
@%F, xrefs: 004059F6
.DEFAULT\Control Panel\International, xrefs: 00405999

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-1650083594
Opcode ID: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
Opcode Fuzzy Hash: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

lstrcatW.KERNEL32(00000000,00000000,%FixedDrill%,004CB0B0,00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,%FixedDrill%,%FixedDrill%,00000000,00000000,%FixedDrill%,004CB0B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Strings

File: wrote %d to "%s", xrefs: 00401BD0
File: error creating "%s", xrefs: 00401AF0
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
File: error, user cancel, xrefs: 00401B93
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
File: error, user retry, xrefs: 00401B40
%FixedDrill%, xrefs: 00401A53, 00401A5C, 00401A69, 00401A7B, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: error, user abort, xrefs: 00401B53

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: %FixedDrill%$File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"
API String ID: 4286501637-1347946153
Opcode ID: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
Opcode Fuzzy Hash: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

Function 00403587 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403598
GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600

Strings

Null, xrefs: 0040367E
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037C5
soft, xrefs: 00403675
Inst, xrefs: 0040366C
Error launching installer, xrefs: 004035D7

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
Opcode Fuzzy Hash: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C

Function 0040337F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 166
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033E7
GetTickCount.KERNEL32 ref: 00403464
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
wsprintfW.USER32 ref: 004034A4
WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A

Strings

... %d%%, xrefs: 0040349E
X1C, xrefs: 004033ED
P1B, xrefs: 004033A9
X1C, xrefs: 0040343C

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: ... %d%%$P1B$X1C$X1C
API String ID: 651206458-1535804072
Opcode ID: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
Instruction ID: 0313947f0097750978ec936bbe46de4fad37e772bc1cb17ec77dd8e30cfa9ece
Opcode Fuzzy Hash: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
Instruction Fuzzy Hash: 88518D71900219ABDF10DF65AE44AAF7BACAB00316F14417BF900B7290DB78DF40CBA9

Function 00404F72 Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
Instruction ID: 1d640e6b4f0869ec625b39ce8112f9bd6789598538fb42bade37fe3884716a8e
Opcode Fuzzy Hash: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
Instruction Fuzzy Hash: 3C21B0B1900518BACF119FA5DD84E9EBFB5EF84310F10813AFA04BA291D7798E509F98

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GlobalFree.KERNELBASE(006189F0), ref: 00402387

Strings

Exch: stack < %d elements, xrefs: 00401ED8
%FixedDrill%, xrefs: 00401EFB, 00401F00, 00401F1A
Pop: stack empty, xrefs: 00401F2C

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: %FixedDrill%$Exch: stack < %d elements$Pop: stack empty
API String ID: 1459762280-388092322
Opcode ID: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
Instruction ID: ae7cb1f2c63b60d7baa415153617f8c61fd22799b34192a347ea6a0a5f6d971a
Opcode Fuzzy Hash: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
Instruction Fuzzy Hash: 4721D172601105EBE710EB95DD81A6F77A8EF44318B21003FF542F32D1EB7998118AAD

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

GlobalFree.KERNELBASE(006189F0), ref: 00402387

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
Instruction ID: 606d2f288e59f9406d2e88b5b0598c54d729d8d595f649ff0f3e4a994beab86c
Opcode Fuzzy Hash: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
Instruction Fuzzy Hash: 82115E72900109AFCF00EFA1DD45DAE7BB8EF04344F10403AFA09F61A1D7799A40DB19

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
Instruction ID: 5d007b3c2ae3d1ce6b2586a1921c4ad46276280cee2e515d5d1d957ff8a092fa
Opcode Fuzzy Hash: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
Instruction Fuzzy Hash: 76016171500205FBDB14AF70DE48D9E3B78EF05359F10443AF646B91E1D6798982DB68

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

<RM>, xrefs: 00402713
WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
%FixedDrill%, xrefs: 00402770

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: %FixedDrill%$<RM>$WriteINIStr: wrote [%s] %s=%s in %s
API String ID: 247603264-2094939348
Opcode ID: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction ID: 1675f45263e21dacb3bd3d3c28f4c469aa899418fcec56767b4290250f933745
Opcode Fuzzy Hash: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction Fuzzy Hash: 05014F70D40319BADB10BFA18D859AF7A78AF09304F10403FF11A761E3D7B80A408BAD

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
Instruction ID: bbc106df3db47d5a89d2587a4e22f40687ed87c50c6518a2742e337a88eb4af1
Opcode Fuzzy Hash: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
Instruction Fuzzy Hash: E001F7B2B4021476DB2077B69C87F6B2A5CDB41764B20047BF502F20E3E5BD88009139

Function 00405E7F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405E9D
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8

Strings

nsa, xrefs: 00405E8C

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction ID: bbb7b3741c82bae03d84fc31e008e00914f4f4b6280f54d22115683b6c602e07
Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction Fuzzy Hash: 39F0F635600604BBDB00CF55DD05A9FBBBDEF90310F00803BE944E7140E6B09E00C798

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction ID: bfe0de145d0e58e27592ef60cc9cda220d4f3e6bacb950e19a0f62fa040dbd34
Opcode Fuzzy Hash: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction Fuzzy Hash: F1E09232A05111DBCB08FBB5A74A5AE76B4EA9532A721007FE143F20D0DABD8D01C62D

Function 004078C5 Relevance: 5.2, APIs: 4, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction ID: 5b61ba0e549d4a34e11b5feda41afe9ae6537485a044c30e59ebd23bda5797f4
Opcode Fuzzy Hash: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction Fuzzy Hash: BCA14771908248DBEF18CF28C8946AD3BB1FB44359F14812AFC56AB280D738E985DF85

Function 00407AC3 Relevance: 5.2, APIs: 4, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction ID: 0868455ade8710e2db62ea7c97591ecaf8a07f5330254cde648c5a00cf1b77b0
Opcode Fuzzy Hash: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction Fuzzy Hash: 30912871908248DBEF14CF18C8947A93BB1FF44359F14812AFC5AAB291D738E985DF89

Function 00407312 Relevance: 5.2, APIs: 4, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction ID: 3981f1dd08afc316d24d9ed5113be2a17ca7da729ed8f25fba603efd3ef4d826
Opcode Fuzzy Hash: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction Fuzzy Hash: 39815931908248DBEF14CF29C8446AE3BB1FF44355F10812AFC66AB291D778E985DF86

Function 00407752 Relevance: 5.2, APIs: 4, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction ID: 01891581271c5a124b16634c3a8992e7a6857e255b4271240234ec945a90a24d
Opcode Fuzzy Hash: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction Fuzzy Hash: 73713571908248DBEF18CF28C894AAD3BF1FB44355F14812AFC56AB291D738E985DF85

Function 00407854 Relevance: 5.2, APIs: 4, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction ID: 94e3b44a92ae0aa4503ed5f8848dd13d39bc4d5c5e61625994f203468061122b
Opcode Fuzzy Hash: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction Fuzzy Hash: 25713671908248DBEF18CF19C894BA93BF1FB44345F10812AFC56AA291C738E985DF86

Function 004077B2 Relevance: 5.2, APIs: 4, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction ID: 61f7b93237898aea062553d5d4b8719da8ac7eccb5076a10c91df3859b53dd49
Opcode Fuzzy Hash: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction Fuzzy Hash: 98612771908248DBEF18CF19C894BAD3BF1FB44345F14812AFC56AA291C738E985DF86

Function 00407C5F Relevance: 5.2, APIs: 4, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNELBASE(?), ref: 004073C5
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
GlobalFree.KERNELBASE(?), ref: 0040743D
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: Global$AllocFree
String ID:
API String ID: 3394109436-0
Opcode ID: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction ID: da36524f31269fd1e9de8fc6705d7123eeae9c681c0d19372ba3dadca10d6d3f
Opcode Fuzzy Hash: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction Fuzzy Hash: 81513871918248EBEF18CF19C894AAD3BF1FF44345F10812AFC56AA291C738E985DF85

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction ID: d71d45502f518029c3ce7990b7c8d381ac94a1bb539c673c2af025244294d997
Opcode Fuzzy Hash: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction Fuzzy Hash: 96F0F471A10220DFD7555B74DD04B273699AB80361F24463BF911F62F1E6B8DC528B4E

Function 00405E50 Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction ID: fe2e31f24f36ecb58ba6038de6e4569557e5a61990f2f31681ab57118d472e11
Opcode Fuzzy Hash: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction Fuzzy Hash: BCD09E71554202EFEF098F60DE1AF6EBBA2FB94B00F11852CB292550F0DAB25819DB15

Function 00405E30 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction ID: a99f375bd2b1051765f890e1d94d2f722c1bb1ba0a12d38356d8610c0186b9c0
Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction Fuzzy Hash: 84C01272404800EAC6000B34DF0881A7B62AB90330B268B39B0BAE00F0CB3488A99A18

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction ID: a3bc5d39330dd194e4c7332763fdc94ca13499671d705f1c19c6925397c50364
Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction Fuzzy Hash: C8E08C32550118BFCB109EA69C40EE73B5CFB047A2F00C832BD55E5290DA30DA00EBE8

Function 004037CC Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction ID: 8ea1286759415c6f695425ed34242866ebe8a7a529327a4e56f2759b30593fc1
Opcode Fuzzy Hash: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction Fuzzy Hash: B1D0A921083C3221C562332A3D06FCF090C8F2635AB02C07BF841B61CA8B2C4B8240EE

Function 00403DAF Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
Instruction ID: 301fa2329b67e93c742f3c195cb428e9759bf169fd062939fd541a9b7e119014
Opcode Fuzzy Hash: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
Instruction Fuzzy Hash: D3C04C71650601AADA108B509D45F1677595B50B41F544439B641F50E0D674E450DA1E

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C

Function 00403D98 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction ID: f61ffac979fbda5733e9df3da2bdae5977773398d3d4f9e0d67d11d125479468
Opcode Fuzzy Hash: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction Fuzzy Hash: EFB09235181A00AADE614B00DF0AF457A62A764701F008079B245640B0CAB200E0DB08

Function 00403D85 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,0040574D), ref: 00403D8F

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
Instruction ID: d14db2bc66c636a64d409f7b36464c270e9f3e97be8c2f7aaa1954d4611ec3db
Opcode Fuzzy Hash: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
Instruction Fuzzy Hash: 8DA01275005500DBCF014B40EF048067A61B7503007108478F1810003086310420EB08

Non-executed Functions

Function 0040497C Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404993
GetDlgItem.USER32(?,00000408), ref: 004049A0
GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
LoadBitmapW.USER32(0000006E), ref: 00404A02
SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
DeleteObject.GDI32(?), ref: 00404A79
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
ShowWindow.USER32(?,00000005), ref: 00404BCF
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
ImageList_Destroy.COMCTL32(?), ref: 00404D9C
GlobalFree.KERNEL32(?), ref: 00404DAC
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
ShowWindow.USER32(?,00000000), ref: 00404F49
GetDlgItem.USER32(?,000003FE), ref: 00404F54
ShowWindow.USER32(00000000), ref: 00404F5B

Strings

M, xrefs: 00404B43
N, xrefs: 00404C06
@, xrefs: 00404B90
, xrefs: 00404F39

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
Instruction ID: e2b6c32447eba08f07ab18e4c0942225b167af9b9c7e550a0b0592367213937f
Opcode Fuzzy Hash: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
Instruction Fuzzy Hash: 09026CB0900209AFEF209FA4CD45AAE7BB5FB84314F10413AF615B62E1D7B89D91DF58

Function 004044A5 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 004044F9
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
GetDlgItem.USER32(?,000003FB), ref: 00404527
GetAsyncKeyState.USER32(00000010), ref: 0040452E
GetDlgItem.USER32(?,000003F0), ref: 00404543
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
SetWindowTextW.USER32(?,?), ref: 00404583
SHBrowseForFolderW.SHELL32(?), ref: 0040463D
lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
lstrcatW.KERNEL32(?,00462540), ref: 00404686
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
CoTaskMemFree.OLE32(00000000), ref: 00404648

Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000,0046A560,004C70A8,install.log,00405A9C,004C70A8,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006), ref: 00403E8F

GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED

Strings

A, xrefs: 00404636
@%F, xrefs: 00404674
82D, xrefs: 004046DB
@rD, xrefs: 00404610

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: 82D$@%F$@rD$A
API String ID: 3347642858-1086125096
Opcode ID: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
Instruction ID: 5c5d6a603380bcdbc7d7d35b60f5621b43697e5e98684918e033f9398a36e476
Opcode Fuzzy Hash: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
Instruction Fuzzy Hash: D1B1A4B1900209BBDB11AFA1CD85AAF7AB8EF45314F10847BF605B72D1D77C8A41CB59

Function 00406ED2 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
lstrcmpA.KERNEL32(name,?), ref: 00406FC7
CloseHandle.KERNEL32(?), ref: 004071E6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

GetTTFNameString, xrefs: 00406F07
%s: failed opening file "%s", xrefs: 00406F0C
name, xrefs: 00406FBF

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction ID: 34713ba181b26839f7619e948cf229fd8716e5ee99c03f3e8673f79b0d3e70cf
Opcode Fuzzy Hash: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction Fuzzy Hash: 9091BF70D1412DAACF04EBA5DD909FEBBBAEF48301F00416AF592F72D0E6785A05DB64

Function 00406C9B Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
lstrcatW.KERNEL32(0045C918,\*.*,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D09
lstrcatW.KERNEL32(?,00408838,?,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D29
lstrlenW.KERNEL32(?), ref: 00406D2C
FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
FindClose.KERNEL32(?), ref: 00406E33

Strings

RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
\*.*, xrefs: 00406D03
RMDir: RemoveDirectory("%s"), xrefs: 00406E6F
Delete: DeleteFile failed("%s"), xrefs: 00406DFD
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
Delete: DeleteFile("%s"), xrefs: 00406DBC

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
API String ID: 2035342205-3294556389
Opcode ID: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
Instruction ID: 0ca3ec5a28b3c1cae8259a28e21d86b18febecd5c0179aed135e39ed79665852
Opcode Fuzzy Hash: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
Instruction Fuzzy Hash: 2D51E3315043056ADB20AB61CD46EAF37B89F81725F22803FF943751D2DB7C49A2DAAD

Function 00406805 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406926
@%F, xrefs: 0040682C
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004069DF
@%F, xrefs: 00406A53

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-784952888
Opcode ID: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
Opcode Fuzzy Hash: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction ID: c24c797a6f187c751e7d972b1a807078ee58ffeb38f484aa28d094541f0f6205
Opcode Fuzzy Hash: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction Fuzzy Hash: 02415E74A00205BFCF04EFA0CC99EAE7B79FF48314B20456AF915EB2E1C679A941CB54

Function 00402E18 Relevance: 1.5, APIs: 1, Instructions: 27fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
Instruction ID: b91193b5dd17d351e639dca097a4c2443a83fae7855d8014906372cda19badf2
Opcode Fuzzy Hash: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
Instruction Fuzzy Hash: 4EE06D32600204AFD700EB749D45ABE736CDF01329F20457BF146F20D1E6B89A41976A

Function 004063AC Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
lstrlenW.KERNEL32(?), ref: 004063CC
GetVersionExW.KERNEL32(?), ref: 0040642A

Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
FreeLibrary.KERNEL32(00000000), ref: 004064D4
GlobalFree.KERNEL32(?), ref: 004064DD

Strings

Module32NextW, xrefs: 004065DE
Process32FirstW, xrefs: 004065BD
EnumProcessModules, xrefs: 0040648A
Kernel32.DLL, xrefs: 0040659B
GetModuleBaseNameW, xrefs: 00406494
Unknown, xrefs: 004064FC
PSAPI.DLL, xrefs: 00406464
Module32FirstW, xrefs: 004065D3
Process32NextW, xrefs: 004065C8
CreateToolhelp32Snapshot, xrefs: 004065B5
EnumProcesses, xrefs: 00406482

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction ID: f5db07f83b48746be4b9c4f5c588c21b75103c60b5638216cabcef37c42edb4d
Opcode Fuzzy Hash: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction Fuzzy Hash: 38919331900219EBDF109FA4CD88AAFBBB8EF44741F11447BE546F6281DB388A51CF68

Function 004040B8 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
GetDlgItem.USER32(?,000003E8), ref: 00404181
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
GetSysColor.USER32(?), ref: 004041AF
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
lstrlenW.KERNEL32(?), ref: 004041D6
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2

Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004

GetDlgItem.USER32(?,0000040A), ref: 0040424A
SendMessageW.USER32(00000000), ref: 00404251
GetDlgItem.USER32(?,000003E8), ref: 0040427E
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
SetCursor.USER32(00000000), ref: 004042D2
ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
SetCursor.USER32(00000000), ref: 004042F6
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337

Strings

N, xrefs: 0040426C
@%F, xrefs: 004042A7
open, xrefs: 004042DF

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: @%F$N$open
API String ID: 3928313111-3849437375
Opcode ID: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction ID: 2c1438ad93098d7b112eeb2502b55652a68651cb38e922ac8f4fb42b83a973d4
Opcode Fuzzy Hash: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction Fuzzy Hash: 0F71A4B1900609FFDB109F60DD45EAA7B79FB44305F00843AFA05B62D1C778A991CF99

Function 00406A99 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(0045B2C8,NUL,?,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AA9
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1

Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
wsprintfA.USER32 ref: 00406B4D
GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
GlobalFree.KERNEL32(00000000), ref: 00406C52
CloseHandle.KERNEL32(?), ref: 00406C5C

Strings

NUL, xrefs: 00406A9E
F, xrefs: 00406AE8
[Rename], xrefs: 00406BC8, 00406BD7
%s=%s, xrefs: 00406B43

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: F$%s=%s$NUL$[Rename]
API String ID: 565278875-1653569448
Opcode ID: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
Instruction ID: f97e154d5ee7f709bd30e138c0dd6e282719408add8f0d739c14b832633f1bd9
Opcode Fuzzy Hash: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
Instruction Fuzzy Hash: AE412632104208BFE6206B619E8CD6B3B6CDF86754B16043EF586F22D1DA3CDC158ABC

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction ID: e7530e13063599d95e155ed3b2c7b7521dfa2668d538c4695d9c695e9582dc0d
Opcode Fuzzy Hash: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction Fuzzy Hash: 01516C71400209AFCB058F95DE459AF7FB9FF45311F00802EF992AA1A0CB78DA55DFA4

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
WriteReg: error creating key "%s\%s", xrefs: 004029F5
WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
Instruction ID: 4ea7a0066738be70411365ddd6f3e5606018e51d84950e7919a1ab5782edcef9
Opcode Fuzzy Hash: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
Instruction Fuzzy Hash: 3D41BFB2D00209BFDF11AF90CE46DAEBBB9EB04704F20407BF505B61A1D6B94B509B59

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
Instruction ID: 876417c632a2c352b67fb01c84f3ccb8dada3a759dccfb7ac575e016526b3130
Opcode Fuzzy Hash: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
Instruction Fuzzy Hash: E231B272800115BBCB11AFA4CE45DAF7FB9EF08364F10023AF555B61E1CB794E419B98

Function 004060E7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040619B
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 00406195, 0040619A, 004061A1, 004061B0

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-2769509956
Opcode ID: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction ID: 719ae6cd10854ac59b0cdc08190af65770ef99398ad526dd54b0ef62760a23c4
Opcode Fuzzy Hash: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction Fuzzy Hash: 4621F271400200BBD710AB64DD88D9B376CEB02370B25C73AF626BA1E1E77449868BAD

Function 00403DCA Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
GetSysColor.USER32(00000000), ref: 00403E00
SetTextColor.GDI32(?,00000000), ref: 00403E0C
SetBkMode.GDI32(?,?), ref: 00403E18
GetSysColor.USER32(?), ref: 00403E2B
SetBkColor.GDI32(?,?), ref: 00403E3B
DeleteObject.GDI32(?), ref: 00403E55
CreateBrushIndirect.GDI32(?), ref: 00403E5F

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction ID: efe235911933e34786796033030fc6f48e67331b78f43f6f4bde0ddab4ebbdd0
Opcode Fuzzy Hash: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction Fuzzy Hash: 7D1166715007046BCB219F78DE08B5BBFF8AF01755F048A2DE886F22A0D774DA48CB94

Function 004023F0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

Error registering DLL: Could not initialize OLE, xrefs: 004024F1
Error registering DLL: Could not load %s, xrefs: 004024DB
Error registering DLL: %s not found in %s, xrefs: 0040249A

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
API String ID: 1033533793-945480824
Opcode ID: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
Instruction ID: e967fad4df15afb35ea17a6f8951328f27fda4bee3b51f855042d01f5ead75df
Opcode Fuzzy Hash: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
Instruction Fuzzy Hash: 34219131904208BBCF206FA1CE45E9E7A74AF40314F30817FF511B61E1D7BD4A819A5D

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: failed createprocess ("%s"), xrefs: 004022C2
Exec: command="%s", xrefs: 00402241
Exec: success ("%s"), xrefs: 00402263

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
Instruction ID: 1f9fd54ce4b92d80b15c686f19ace2d36b15c716f321f29b17dee5dd027f7fd2
Opcode Fuzzy Hash: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
Instruction Fuzzy Hash: 3E11C632904115EBDB11BBE0DE46AAE3A61EF00314B24807FF501B50D1CBBC4D41D79D

Function 0040484E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
GetMessagePos.USER32 ref: 00404871
ScreenToClient.USER32(?,?), ref: 00404889
SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1

Strings

f, xrefs: 0040489D

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction ID: 7db1728360bf3821ce9645a1193633f180912fe022e8629b13ab7a69f18166cd
Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(00016000,00000064,?), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction ID: 2210906da4c477318a924a5c8cf459ae641b3a2c10b729e3aa38b42dd2c8d99c
Opcode Fuzzy Hash: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction Fuzzy Hash: 98014470610109ABEF109F60DD49FAA3B69FB00349F00803DFA46B51E0DB7996558B58

Function 004043AD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
wsprintfW.USER32 ref: 00404457
SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A

Strings

@rD, xrefs: 00404402
%u.%u%s%s, xrefs: 00404444

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$@rD
API String ID: 3540041739-1813061909
Opcode ID: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
Instruction ID: f1896056faf18a44ee7e341cc3389f256aee6b01e91544d35c55ed1e8b934206
Opcode Fuzzy Hash: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
Instruction Fuzzy Hash: EF11BD327002087BDB10AA6A9D45E9E765EEBC5334F10423BFA15F30E1F6788A218679

Function 00406038 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
CharNextW.USER32(?,?,?,00000000), ref: 004060AA
CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Strings

*?|<>/":, xrefs: 0040608A

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction ID: 6b5d27536512bbf775d32d1a11483b1b035cd55ac1fbc93341df7bc26af2800c
Opcode Fuzzy Hash: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction Fuzzy Hash: C611EB2184061559CB30FB659C4097BA6F9AE56750712843FE886F32C1FB7CCCE192BD

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction ID: 29266b44d1cae769f6d8fca298176d7cc4518162af5fbc8546bcefd12e7d5eb7
Opcode Fuzzy Hash: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
Opcode Fuzzy Hash: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction ID: e43e738488dd09895ebc4b193b1bc1394e214230f2e5861cb954e074e697f1bf
Opcode Fuzzy Hash: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction Fuzzy Hash: 93217171900209ABDF15AFB4D986ABE7BB9EF04349F14413EF602F60E2D6798A40D758

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
DeleteRegKey: "%s\%s", xrefs: 00402843

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
Instruction ID: a9eecf508c221bc7802a822649300ece756bcc80235207ffe39efc99e8d71eac
Opcode Fuzzy Hash: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D

Function 004048CC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404902
CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Strings

@rD, xrefs: 00404934
, xrefs: 004048DA

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID: $@rD
API String ID: 3748168415-881980237
Opcode ID: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction ID: bed307b1c5f775dd60c200178c13c7fdb07d6bd57f5d25ab133f42f3a31df96a
Opcode Fuzzy Hash: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction Fuzzy Hash: 7A114FB1500218ABEF21AF61ED41E9B3769AB84359F00803BF714751A2C77C8D519BAD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
Instruction ID: a779005ae7d6007116ac0765ed120a10e3eb966af121a96df1e98a57451096ba
Opcode Fuzzy Hash: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
Instruction Fuzzy Hash: A0112171D00214A6CB10FFBA994699FBBBCEF44354F10843FB506F72D2E6B985118B59

Function 00406224 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00406278
lstrcatW.KERNEL32(00000000,...), ref: 0040629B

Strings

%02x%c, xrefs: 00406270
..., xrefs: 00406293

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction ID: b8620b589ecf2e5093343df65250d9ec4fb1615d5218d90249241d8ea01b8719
Opcode Fuzzy Hash: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction Fuzzy Hash: A2014932500214EFCB10EF58CC84A9EBBE9EB84304F20407AF405F3180D6759EA48794

Function 00405047 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405057

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

OleUninitialize.OLE32(00000404,00000000), ref: 004050A5

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

Section: "%s", xrefs: 00405079
Skipping section: "%s", xrefs: 004050B5

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction ID: 490ae00110c0e09774d0d246d4d4a011172e9101669e5a2b786a62fce758e9f8
Opcode Fuzzy Hash: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction Fuzzy Hash: 41F0F4338087009BE6506B64AE07B9B77A4DFD4320F24007FFE48721E1ABFC48818A9D

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
Instruction ID: 656afd6720eca978824560f17fb47cc17b19fb3a621816cfe3730d6e1c8eda21
Opcode Fuzzy Hash: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
Instruction Fuzzy Hash: DA017172644650EFE701ABB4ED4ABDA3BA4A725315F10C43AE645A61E3C678440A8B2D

Function 004071F8 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
lstrcpynW.KERNEL32(?,?,?), ref: 00407261

Strings

Version , xrefs: 00407241

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction ID: 151640cc4cfa07bb85738859349229c9473c158da19ee21f10eacb3052f8d035
Opcode Fuzzy Hash: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction Fuzzy Hash: 3EF03172A0021CABDB109AA5DD46EEA777CAB44700F100476F600F6191E6B59E158BA5

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction ID: 401e6cecbc7a0b9e3d471fb50fe358663bd3ad25f9a7ebc527197863dd5a4904
Opcode Fuzzy Hash: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction Fuzzy Hash: 23F08230502620EBC221AF64FE5CBAB7F68FB04B82701447EF545F12A4CB7849928BDC

Function 00406365 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
GetProcAddress.KERNEL32(?,00000000), ref: 00406395
GlobalFree.KERNEL32(00000000), ref: 0040639E

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction ID: 581917a1a4a7218ca9fbbc4554f9bfb31441e22884f00dccc1ee77d568dea7f2
Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction Fuzzy Hash: 19E048712012107BE2101B669E8CD677EADDFCA7B6B05013EF695F51A0CE348C15D675

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718

Function 00405C3F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
CloseHandle.KERNEL32(?), ref: 00405C71

Strings

Error launching installer, xrefs: 00405C48

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction ID: c3c9ba135fb9cbcc5263534f4c07e322ce29f53e9eda4e03cc008bde6a4ec24c
Opcode Fuzzy Hash: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68

Function 004062A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062A5, 004062AA

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E

Function 00405DB6 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

Memory Dump Source

Source File: 00000001.00000002.2271868437.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2271848136.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271889183.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2271909814.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2272039151.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_99awhy8l.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4

Analysis Process: Cooper.pifPID: 1584, Parent PID: 5424COMMON

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	59

Executed Functions

Function 002D331E Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 148
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,002D292D,?), ref: 002D334E
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,002D292D,?), ref: 002D3361
GetFullPathNameW.KERNEL32(00007FFF,?,?,003A2408,003A23F0,?,?,?,?,?,?,002D292D,?), ref: 002D33CD

Part of subcall function 002DB0DB: _wcslen.LIBCMT ref: 002DB0EE

Part of subcall function 002D45A6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,002D33F5,003A2408,?,?,?,?,?,?,?,002D292D,?), ref: 002D45E7

SetCurrentDirectoryW.KERNEL32(?,00000001,003A2408,?,?,?,?,?,?,?,002D292D,?), ref: 002D344E
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse user this program.,AutoIt,00000010), ref: 00313E23
SetCurrentDirectoryW.KERNEL32(?,003A2408,?,?,?,?,?,?,?,002D292D,?), ref: 00313E64
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,003931F4,003A2408,?,?,?,?,?,?,?,002D292D), ref: 00313EED
ShellExecuteW.SHELL32(00000000,?,?), ref: 00313EF4

Part of subcall function 002D3466: GetSysColorBrush.USER32(0000000F), ref: 002D3471
Part of subcall function 002D3466: LoadCursorW.USER32(00000000,00007F00), ref: 002D3480
Part of subcall function 002D3466: LoadIconW.USER32(00000063), ref: 002D3496
Part of subcall function 002D3466: LoadIconW.USER32(000000A4), ref: 002D34A8
Part of subcall function 002D3466: LoadIconW.USER32(000000A2), ref: 002D34BA
Part of subcall function 002D3466: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 002D34D2
Part of subcall function 002D3466: RegisterClassExW.USER32(?), ref: 002D3523

Part of subcall function 002D3546: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002D3574
Part of subcall function 002D3546: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 002D3595
Part of subcall function 002D3546: ShowWindow.USER32(00000000,?,?,?,?,?,?,002D292D,?), ref: 002D35A9
Part of subcall function 002D3546: ShowWindow.USER32(00000000,?,?,?,?,?,?,002D292D,?), ref: 002D35B2

Part of subcall function 002D3DF8: Shell_NotifyIconW.SHELL32(00000000,?), ref: 002D3EC9

Strings

AutoIt, xrefs: 00313E18
#:, xrefs: 002D33D7
$:, xrefs: 002D3428
It is a violation of the AutoIt EULA to attempt to reverse user this program., xrefs: 00313E1D
runas, xrefs: 00313EE8

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
String ID: $:$AutoIt$It is a violation of the AutoIt EULA to attempt to reverse user this program.$runas$#:
API String ID: 683915450-3532650829
Opcode ID: d33f63e8b7124c5ba7162fe9680a5df608ba0ba1e21322ad2bf76aadfc0adffc
Instruction ID: 046775b084dcf0eae758f8f31b066ebfba350fc6a5b1696d61e71781d08873cd
Opcode Fuzzy Hash: d33f63e8b7124c5ba7162fe9680a5df608ba0ba1e21322ad2bf76aadfc0adffc
Instruction Fuzzy Hash: A551F93561C341AACB07EF64EC519AF7BA8DB9A740F00041EF581462A2DB788E59DB23

Function 002D29A4 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 219
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 002D29D3

Part of subcall function 002DB0DB: _wcslen.LIBCMT ref: 002DB0EE

GetCurrentProcess.KERNEL32(?,0036D958,00000000,?,?), ref: 002D2AEA
IsWow64Process.KERNEL32(00000000,?,?), ref: 002D2AF1
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 002D2B1C
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 002D2B2E
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 002D2B3C
FreeLibrary.KERNEL32(00000000,?,?), ref: 002D2B43
GetSystemInfo.KERNEL32(?,?,?), ref: 002D2B68

Strings

kernel32.dll, xrefs: 002D2B17
GetNativeSystemInfo, xrefs: 002D2B28

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 3290436268-192647395
Opcode ID: 31333b47701801fe78cad7c079f947e0ba9571f97ff49e3022f5cf32885d3aee
Instruction ID: 23e8010a4686b92838905265a74bde8f2f3755cb535b282ada71c77b790ec3b4
Opcode Fuzzy Hash: 31333b47701801fe78cad7c079f947e0ba9571f97ff49e3022f5cf32885d3aee
Instruction Fuzzy Hash: 4291916AA1E2C0DFCF17CB6D7C441AB7F6CAB3B300F05489AE085973E5C2684949CB21

Function 0033DB0B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002D50F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002D5035,?,?,00314641,?,?,00000100,00000000,00000000,CMDLINE), ref: 002D5117

Part of subcall function 0033E970: GetFileAttributesW.KERNEL32(?,0033D6EB), ref: 0033E971

FindFirstFileW.KERNEL32(?,?), ref: 0033DB82
DeleteFileW.KERNEL32(?,?,?,?), ref: 0033DBD2
FindNextFileW.KERNELBASE(00000000,00000010), ref: 0033DBE3
FindClose.KERNEL32(00000000), ref: 0033DBFA
FindClose.KERNEL32(00000000), ref: 0033DC03

Strings

\*.*, xrefs: 0033DB54

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: d0400d3a1e0b4ddb4f497669c358bbd90420897dc81ec0d2e33db9c7c298f44f
Instruction ID: ad8076b2c1346b99afc432ba55710222f770d48340bd175966362c1e395b751a
Opcode Fuzzy Hash: d0400d3a1e0b4ddb4f497669c358bbd90420897dc81ec0d2e33db9c7c298f44f
Instruction Fuzzy Hash: 193160314283859FC302EF64E8958AFB7ECAE95304F444E1EF4D582291EB64DE19CB63

Function 002F0090 Relevance: 3.1, APIs: 2, Instructions: 94processCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 002F012D
CreateToolhelp32Snapshot.KERNEL32 ref: 002F013F

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: CloseCreateHandleSnapshotToolhelp32
String ID:
API String ID: 3280610774-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: b1473ce8c076f800164df4eff9e31356e69e0d5a33e2c8364845cae132724141
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 7031E674A1010ADFC718CF48D8C0A7AF7A5FB49380B2486A9E50ACB252DB71EDD1CB90

Function 002EB1EB Relevance: 25.2, APIs: 1, Strings: 13, Instructions: 671
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d1b, xrefs: 002EB302, 002EB43B
d1r0,2, xrefs: 002EB256
(:, xrefs: 002EB34D
d5m0, xrefs: 002EB422
d0b, xrefs: 002EB243, 002EB2BD, 002EB454
d10m0, xrefs: 002EB29D
U#:, xrefs: 002EB556
i, xrefs: 002EB650
$6, xrefs: 002EB30A
\6, xrefs: 002EB2EA
P*:, xrefs: 002EB5A6
(:, xrefs: 002EB32C
@6, xrefs: 002EB2F2

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID:
String ID: $6$@6$P*:$U#:$\6$d0b$d10m0$d1b$d1r0,2$d5m0$i$(:$(:
API String ID: 0-1325261611
Opcode ID: b7463e2ba3d4569aeb5a3eac4066f547330b233cbc504b47dd38a7fda0734430
Instruction ID: d09d9af3308f5066b7ce4df3819113ec7964dabeaa2a01e2d4073ab518cd718c
Opcode Fuzzy Hash: b7463e2ba3d4569aeb5a3eac4066f547330b233cbc504b47dd38a7fda0734430
Instruction Fuzzy Hash: 49626874619381CFC72ADF15D084AAAFBE0BF89304F10895EE8998B351DB70D949CF82

Function 002DDC90 Relevance: 21.6, APIs: 14, Instructions: 618windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 002DDD67
timeGetTime.WINMM ref: 002DDF67
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002DE088
TranslateMessage.USER32(?), ref: 002DE0DB
DispatchMessageW.USER32(?), ref: 002DE0E9
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002DE0FF
Sleep.KERNEL32(0000000A), ref: 002DE111

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 4f542e8d8cfe6325c8f99e691e9f4c8ce022b99bc92ce623ebcebd0dbcc2c246
Instruction ID: a85028513dcdb819e69620a5002c1fc1a93c675b8f05578361e7547aa68a2f7d
Opcode Fuzzy Hash: 4f542e8d8cfe6325c8f99e691e9f4c8ce022b99bc92ce623ebcebd0dbcc2c246
Instruction Fuzzy Hash: 9A421470618742AFDB26DF24D884B6AB7E5BF42300F15451EF45A8B391C7B4EDA4CB82

Function 002D4E52 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002D4FF8: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00314641,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 002D5016

Part of subcall function 002D4B95: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 002D4BB7

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 002D4F6F
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 003148D8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00314919
RegCloseKey.ADVAPI32(?), ref: 0031495B
_wcslen.LIBCMT ref: 003149C2
_wcslen.LIBCMT ref: 003149D1

Strings

Include, xrefs: 003148CF, 00314910
3:, xrefs: 002D4F3E
\, xrefs: 003149D7
3:, xrefs: 00314A02
\Include\, xrefs: 002D4F2C
Software\AutoIt v3\AutoIt, xrefs: 002D4F65

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\$3:$3:
API String ID: 98802146-248190793
Opcode ID: 272a43568df1cd277cd507007eb18648a569033c8e536c2ef56a273c9a3f7813
Instruction ID: b6ef1f41d34c3a8314e2e615922c95d73217b2083d804aba39ba02e2962788b6
Opcode Fuzzy Hash: 272a43568df1cd277cd507007eb18648a569033c8e536c2ef56a273c9a3f7813
Instruction Fuzzy Hash: A1717C755183019EC706EF65E8858ABFBECFF5A340F40492EF445872A0EB709A59CB62

Function 002D3C00 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,002D3BFA,?,?), ref: 002D3C68
KillTimer.USER32(?,00000001,?,?,?,?,?,002D3BFA,?,?), ref: 002D3C94
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 002D3CB7
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,002D3BFA,?,?), ref: 002D3CC2
CreatePopupMenu.USER32 ref: 002D3CD6
PostQuitMessage.USER32(00000000), ref: 002D3CF7

Strings

TaskbarCreated, xrefs: 002D3CBD
$:, xrefs: 00313F63
$:, xrefs: 00313FB1

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: $:$ $:$TaskbarCreated
API String ID: 129472671-2647369897
Opcode ID: 2a51fc28b861ec8c037120db6bfeb3253485c454b1d1b145c5ec8822522fb0e8
Instruction ID: ee6aabe38c22bd2d61b1967edd46c3c9a6ec07e61c72c7659f66e373ef25120b
Opcode Fuzzy Hash: 2a51fc28b861ec8c037120db6bfeb3253485c454b1d1b145c5ec8822522fb0e8
Instruction Fuzzy Hash: A3412734638249ABDB1B9F3CDD4ABBA3B19E70A700F04812BF501A53E0C7A59F609753

Function 002D35B7 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 002D35EA
RegisterClassExW.USER32(00000030), ref: 002D3614
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002D3625
InitCommonControlsEx.COMCTL32(?), ref: 002D3642
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002D3652
LoadIconW.USER32(000000A9), ref: 002D3668
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002D3677

Strings

AutoIt v3 GUI, xrefs: 002D3606
TaskbarCreated, xrefs: 002D361A
+, xrefs: 002D35D3
0, xrefs: 002D35CC

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 30f9ce1dada8a9ed021088edaf8db893f5f44d80327b5cdafa28211234b2a112
Instruction ID: 9ce95cc16ac6b342c1feb992ece25929c336f5ac8e4a452307a75b9026aca6a0
Opcode Fuzzy Hash: 30f9ce1dada8a9ed021088edaf8db893f5f44d80327b5cdafa28211234b2a112
Instruction Fuzzy Hash: 4621C5B5E01218AFDB029FA8EC49A9EBBB8FB09714F00811AF911A62A0D7B545548F95

Function 00309165 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

N/, xrefs: 0030945A, 003093F0, 00309412

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID:
String ID: N/
API String ID: 0-2604995802
Opcode ID: 2964f157dc8f247a1725c37dd938842bded60c097cf97c89c07e66633ae3f7dc
Instruction ID: 2432951c02a09380df767c8857b3c3ecbca8b681d3d12cb77ee81586dd6752e9
Opcode Fuzzy Hash: 2964f157dc8f247a1725c37dd938842bded60c097cf97c89c07e66633ae3f7dc
Instruction Fuzzy Hash: 1DC1F574E062499FDB13DFA9C865BAEBBB4AF0A300F154196F414AB3D3C7308942CB60

Function 00310A7C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003107BB: CreateFileW.KERNEL32(00000000,00000000,?,00310B25,?,?,00000000,?,00310B25,00000000,0000000C), ref: 003107D8

GetLastError.KERNEL32 ref: 00310B90
__dosmaperr.LIBCMT ref: 00310B97
GetFileType.KERNEL32(00000000), ref: 00310BA3
GetLastError.KERNEL32 ref: 00310BAD
__dosmaperr.LIBCMT ref: 00310BB6
CloseHandle.KERNEL32(00000000), ref: 00310BD6
CloseHandle.KERNEL32(?), ref: 00310D20
GetLastError.KERNEL32 ref: 00310D52
__dosmaperr.LIBCMT ref: 00310D59

Strings

H, xrefs: 00310CDE

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 5268b7b2ed1c9164e7e90d5ae51c1bcb86d9e97b4e4a67468e0af1f9890f77ca
Instruction ID: 3918851ceadf43ca4a8b7dd5780714a4b92796d0f34a450ed8f470fe06a8a452
Opcode Fuzzy Hash: 5268b7b2ed1c9164e7e90d5ae51c1bcb86d9e97b4e4a67468e0af1f9890f77ca
Instruction Fuzzy Hash: 69A14832A142588FDF1EDF68D891BEE7BA4AB0A324F144259F8019F3D1CB709C92CB51

Function 002D3466 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 002D3471
LoadCursorW.USER32(00000000,00007F00), ref: 002D3480
LoadIconW.USER32(00000063), ref: 002D3496
LoadIconW.USER32(000000A4), ref: 002D34A8
LoadIconW.USER32(000000A2), ref: 002D34BA
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 002D34D2
RegisterClassExW.USER32(?), ref: 002D3523

Part of subcall function 002D35B7: GetSysColorBrush.USER32(0000000F), ref: 002D35EA
Part of subcall function 002D35B7: RegisterClassExW.USER32(00000030), ref: 002D3614
Part of subcall function 002D35B7: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002D3625
Part of subcall function 002D35B7: InitCommonControlsEx.COMCTL32(?), ref: 002D3642
Part of subcall function 002D35B7: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002D3652
Part of subcall function 002D35B7: LoadIconW.USER32(000000A9), ref: 002D3668
Part of subcall function 002D35B7: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002D3677

Strings

AutoIt v3, xrefs: 002D3512
0, xrefs: 002D34F2
#, xrefs: 002D34F9

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 933925583a4182693984ab3b4959c7a0cc4160af0c1eb29b0bef4a30622b27bb
Instruction ID: 4fc479ac0f3ab90d12df4f7dd259418833a5621b5a079748ae99ad8f6f380d09
Opcode Fuzzy Hash: 933925583a4182693984ab3b4959c7a0cc4160af0c1eb29b0bef4a30622b27bb
Instruction Fuzzy Hash: 0A212C78E10314AFDF129FA9EC45B9ABFB8FB0AB50F00451AE604A62A0D7F94540CF95

Function 00350DA1 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 00350E02
inet_addr.WSOCK32(?), ref: 00350E62
gethostbyname.WS2_32(?), ref: 00350E6E
IcmpCreateFile.IPHLPAPI ref: 00350E7C
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00350F0C
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00350F2B
IcmpCloseHandle.IPHLPAPI(?), ref: 00350FFF
WSACleanup.WSOCK32 ref: 00351005

Strings

Ping, xrefs: 00350EBC

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 5db16ca8001098a9b40736aca51bfb5f87843007f68c4f090c52c6913e0206de
Instruction ID: ea117e6190bcc521b60d766fb542964b8056e1eb6734eb85547b4fdb8d053656
Opcode Fuzzy Hash: 5db16ca8001098a9b40736aca51bfb5f87843007f68c4f090c52c6913e0206de
Instruction Fuzzy Hash: 3991C0716086419FD326CF15C489F1ABBE4AF48318F1589A9F8698B7B2C771EC49CF81

Function 002DF220 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

d5:, xrefs: 002DF701
d5:, xrefs: 00324B0B
d5:, xrefs: 00324AB8
d5:d5:, xrefs: 002DF4CE
d5:, xrefs: 002DF430
Variable must be of type 'Object'., xrefs: 00324D95

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.$d5:$d5:$d5:$d5:$d5:d5:
API String ID: 0-2881267297
Opcode ID: 130d41c7660cca83e102aba0803f9012eacbab522d076454755446273b613521
Instruction ID: e6155769307b030f0ed10cf79e8bf4c8d737e69b6fd7c594ffb242c829f1e8a4
Opcode Fuzzy Hash: 130d41c7660cca83e102aba0803f9012eacbab522d076454755446273b613521
Instruction Fuzzy Hash: 95C29B75E10219DFCB60CF58D980AADB7B5FF09300F24816AE916AB3A1D371ED61CB94

Function 002DFE90 Relevance: 15.3, APIs: 3, Strings: 5, Instructions: 1254COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002E1616

Strings

d5:, xrefs: 002E02E9
d5:, xrefs: 00326679
d5:, xrefs: 002E0626
d5:, xrefs: 00326625
d5:, xrefs: 002E022F

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Init_thread_footer
String ID: d5:$d5:$d5:$d5:$d5:
API String ID: 1385522511-2862444021
Opcode ID: 09bd4fc28ab563ef64268dc7945d070961d7d2575055edadd422efbb5502097e
Instruction ID: b2d6edb96820d20e2ba7298c178be35500d195fc0c7fba77c24563ca1ce329e6
Opcode Fuzzy Hash: 09bd4fc28ab563ef64268dc7945d070961d7d2575055edadd422efbb5502097e
Instruction Fuzzy Hash: 7DB26B74968381CFC725CF1AC480A2AB7E1BF85304F54896DE9899B351D7B1EDA1CF82

Function 002D38E2 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 152
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002D3700: MapVirtualKeyW.USER32(0000005B,00000000), ref: 002D3731
Part of subcall function 002D3700: MapVirtualKeyW.USER32(00000010,00000000), ref: 002D3739
Part of subcall function 002D3700: MapVirtualKeyW.USER32(000000A0,00000000), ref: 002D3744
Part of subcall function 002D3700: MapVirtualKeyW.USER32(000000A1,00000000), ref: 002D374F
Part of subcall function 002D3700: MapVirtualKeyW.USER32(00000011,00000000), ref: 002D3757
Part of subcall function 002D3700: MapVirtualKeyW.USER32(00000012,00000000), ref: 002D375F

Part of subcall function 002D3768: RegisterWindowMessageW.USER32(00000004,?,002D3AB3), ref: 002D37C0

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 002D3B54
OleInitialize.OLE32 ref: 002D3B72
CloseHandle.KERNEL32(00000000,00000000), ref: 00313F42

Strings

T(:, xrefs: 002D3AB3
$:, xrefs: 002D3963
p%:, xrefs: 002D3979
$':, xrefs: 002D3A97
$:, xrefs: 002D3B78

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: $:$$':$T(:$p%:$$:
API String ID: 1986988660-3413956345
Opcode ID: 78dd4f1461a1073c3849af021df2df024e6a74404504a04f70ecbf9dabeb4bad
Instruction ID: bba17528b340cc84625fbb28dee6a51fa00cbf133d8033287b59bd2462fc7c41
Opcode Fuzzy Hash: 78dd4f1461a1073c3849af021df2df024e6a74404504a04f70ecbf9dabeb4bad
Instruction Fuzzy Hash: CA719BB4E112408EC38BEF3EA869617BBEDFB5B304B14812AE808C7765EB7449458F51

Function 002D3546 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002D3574
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 002D3595
ShowWindow.USER32(00000000,?,?,?,?,?,?,002D292D,?), ref: 002D35A9
ShowWindow.USER32(00000000,?,?,?,?,?,?,002D292D,?), ref: 002D35B2

Strings

AutoIt v3, xrefs: 002D356C, 002D3571, 002D3572
edit, xrefs: 002D358F

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 5f45edcff8e92117a11c7993aad6ea51272be8972fabfa65170f9b73c3cdbc0f
Instruction ID: a42cecb29af488192e10912164d9dd3f593d901ab833e03271e47c0ecd0ad24b
Opcode Fuzzy Hash: 5f45edcff8e92117a11c7993aad6ea51272be8972fabfa65170f9b73c3cdbc0f
Instruction Fuzzy Hash: F8F0DA79A402907AEF325B2B6C08E772EBDD7CBF50F00401EB914A21A0C6A95850DEB0

Function 002D4C04 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 122
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 003146C0

Part of subcall function 002DB0DB: _wcslen.LIBCMT ref: 002DB0EE

Shell_NotifyIconW.SHELL32(00000001,?), ref: 002D4CF4

Strings

#:, xrefs: 00314761, 0031471C, 00314708, 00314711, 0031472A
AutoIt - , xrefs: 002D4C68
Line %d: , xrefs: 0031473E

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line %d: $AutoIt - $#:
API String ID: 2289894680-3320934163
Opcode ID: fe2c8132596479c4036371ef9232722808098be360b83c21c7d8c65f9c00e77d
Instruction ID: f2ceae425d06f30a593d640f295819582a056bbd7430415fb1443e1313a20b7e
Opcode Fuzzy Hash: fe2c8132596479c4036371ef9232722808098be360b83c21c7d8c65f9c00e77d
Instruction Fuzzy Hash: 0D41B571428304AFC716FB20DC45EEF77DC9F45314F004A2BF585921A1EB749A69CB92

Function 0033DC3E Relevance: 7.6, APIs: 5, Instructions: 89
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0033DC63
Process32FirstW.KERNEL32(00000000,?), ref: 0033DC71
Process32NextW.KERNEL32(00000000,?), ref: 0033DC91
CompareStringW.KERNEL32(00000400,00000001,?,?,?,?,?), ref: 0033DD09
CloseHandle.KERNEL32(00000000), ref: 0033DD49

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32
String ID:
API String ID: 2000298826-0
Opcode ID: 99da1f22f9167dcfa715aaa9b7119fe7fdbd50b650e02df7c0c478a12a8ed03f
Instruction ID: fee464c6ac76e1c71829a474a4e2eeb76ddbf136e325295fbaee6b36f3dfb31e
Opcode Fuzzy Hash: 99da1f22f9167dcfa715aaa9b7119fe7fdbd50b650e02df7c0c478a12a8ed03f
Instruction Fuzzy Hash: 663193715083019FD302DF60DC85AAFBBE8EF99354F04092EF581872A1EBB1D949CB92

Function 00308ACE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,M;1,003089EC,?,00399C30,0000000C,00308A4B,?,M;1,?,00313B4D), ref: 00308B24
GetLastError.KERNEL32 ref: 00308B2E
__dosmaperr.LIBCMT ref: 00308B59

Strings

M;1, xrefs: 00308AD0

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID: M;1
API String ID: 2583163307-3933153411
Opcode ID: aeceb39bedae0a9df56d0bd4e2c1f1ef457bdff1b2c9abbcd2d922e78b6fcec4
Instruction ID: 9e5f71df0bd4c026a603006a692f886c381ad6e21a2877296d05d1bb2dae03bc
Opcode Fuzzy Hash: aeceb39bedae0a9df56d0bd4e2c1f1ef457bdff1b2c9abbcd2d922e78b6fcec4
Instruction Fuzzy Hash: D8018E32B076605BCA23173458A573F374D4F86B34F3A021AF8448F1C2DE608C819251

Function 002D529A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,002D528D,SwapMouseButtons,00000004,?), ref: 002D52BE
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,002D528D,SwapMouseButtons,00000004,?), ref: 002D52DF
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,002D528D,SwapMouseButtons,00000004,?), ref: 002D5301

Strings

Control Panel\Mouse, xrefs: 002D52BC

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 8d65532506834a6831bc7f5fae659d71a38a3bbefefb1366a0e793195790fc8a
Instruction ID: a1e84a3dbd641341e170227330beb61bd7c09aeb13e349d4b928c05821d8991d
Opcode Fuzzy Hash: 8d65532506834a6831bc7f5fae659d71a38a3bbefefb1366a0e793195790fc8a
Instruction Fuzzy Hash: 34117071620618BFDB218FA8DC44DEEBBBCEF00744F10845AF801D7210E6B1DE559B60

Function 002D2950 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 003136EF

Part of subcall function 002D50F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002D5035,?,?,00314641,?,?,00000100,00000000,00000000,CMDLINE), ref: 002D5117

Part of subcall function 002D32E0: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 002D32FF

Strings

`u9, xrefs: 003136E8
X, xrefs: 003136BD

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`u9
API String ID: 779396738-2760607205
Opcode ID: 5323f06b5d9fc4b962b4c2a3ad445245ae9e3e571da75b719e76269b92322180
Instruction ID: 987e0eea894101572d30800c2954224955b9745dcdd834e665c043a147f09d61
Opcode Fuzzy Hash: 5323f06b5d9fc4b962b4c2a3ad445245ae9e3e571da75b719e76269b92322180
Instruction Fuzzy Hash: 54218471A142589BCF069F94C805BEE7BF89F49314F10405AE405A7381DBF49A998FA5

Function 002F01FB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 002F0A88

Part of subcall function 002F36C4: RaiseException.KERNEL32(?,?,?,002F0AAA,?,?,?,?,?,?,?,?,002F0AAA,?,003996A0), ref: 002F3724

__CxxThrowException@8.LIBVCRUNTIME ref: 002F0AA5

Strings

Unknown exception, xrefs: 002F0AB2

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 8f52b622bda618740d9db673fa0141c7319f3c7e40adecda53b2a8e857c37a20
Instruction ID: 73e151ccb8e18e34797e6e550c45105b365907a953562be80a4d8be401044964
Opcode Fuzzy Hash: 8f52b622bda618740d9db673fa0141c7319f3c7e40adecda53b2a8e857c37a20
Instruction Fuzzy Hash: 21F0F93452030DB78F01FAA8DC85DBDF76C49007E0BA04135BB1491093EBB0DA3589D0

Function 003586CB Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00358A67
TerminateProcess.KERNEL32(00000000), ref: 00358A6E
FreeLibrary.KERNEL32(?,?,?,?), ref: 00358C4F

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 541aa3fb98a194ae0fdea04a20914be011c7f797be19975d3321b9a1a6b07aca
Instruction ID: 2c4e364fa132b8f428ca1e5d6af8ffa1d40de29ec01674fc75457c0d06451b28
Opcode Fuzzy Hash: 541aa3fb98a194ae0fdea04a20914be011c7f797be19975d3321b9a1a6b07aca
Instruction Fuzzy Hash: 28126A71A083419FC715DF28C484B2ABBE5BF88315F15895DE8899B362DB30ED49CF92

Function 00359808 Relevance: 4.7, APIs: 3, Instructions: 233COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0035989C
_strcat.LIBCMT ref: 003598DB
_wcslen.LIBCMT ref: 00359929

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: _wcslen$_strcat
String ID:
API String ID: 306214811-0
Opcode ID: b96b0046d86ec4fda0b6daaf5e68547761df7dc8f002eb1859194d350d939d63
Instruction ID: 974de0a171d3e3b0331ed5b7a55d20e2a69e101ea248662ffc82affafca52314
Opcode Fuzzy Hash: b96b0046d86ec4fda0b6daaf5e68547761df7dc8f002eb1859194d350d939d63
Instruction Fuzzy Hash: ECA18930204205DFCB19DF18C5D1A69BBA5FF45319B2584AEE80A8F7A2DB31ED56CF80

Function 002EFD8B Relevance: 4.6, APIs: 3, Instructions: 75timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D4C04: Shell_NotifyIconW.SHELL32(00000001,?), ref: 002D4CF4

KillTimer.USER32(?,00000001,?,?), ref: 002EFE14
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 002EFE23
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0032FD62

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 52a41a0413adf2375015b7e656c7a3b91e7ff8eda6b383a2d231928caf1eada5
Instruction ID: d2b7022d136d2163ee6b5dfe4b91b16ac84f5890ba7eb598af88fc2f4ec915e0
Opcode Fuzzy Hash: 52a41a0413adf2375015b7e656c7a3b91e7ff8eda6b383a2d231928caf1eada5
Instruction Fuzzy Hash: 22319370904394AFEB63CF249855BE7BBFCAB02708F1444AED59D97241C7742A85CF51

Function 003097AB Relevance: 4.6, APIs: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,0030985A,FF8BC369,00000000,00000002,00000000), ref: 003097E4
GetLastError.KERNEL32(?,0030985A,FF8BC369,00000000,00000002,00000000,?,00305F81,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,002F6FF1), ref: 003097EE
__dosmaperr.LIBCMT ref: 003097F5

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: acea34711eeb4ae6d9406cad1eeb5b3f7c80a67cf81116a7d7b249bd70b5b828
Instruction ID: aea910048c9773f30812d1a6fe09d9ae98442eb1cba77e12df7644ab497cdba7
Opcode Fuzzy Hash: acea34711eeb4ae6d9406cad1eeb5b3f7c80a67cf81116a7d7b249bd70b5b828
Instruction Fuzzy Hash: DD012833622118ABCB079F99DC55D6E3B2EEB85730F25020AF8109B2D1EA709D418790

Function 002DE098 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 002DE0DB
DispatchMessageW.USER32(?), ref: 002DE0E9
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002DE0FF
Sleep.KERNEL32(0000000A), ref: 002DE111
TranslateAcceleratorW.USER32(?,?,?), ref: 00322B6F

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 3d2c070b512c41ff19669027e79ba042502144efe50bef0311259a8d44ba5dd5
Instruction ID: 908951230196efa546a9409308c54dcd9e81fbb7ca3fa6d7b818963b277cca39
Opcode Fuzzy Hash: 3d2c070b512c41ff19669027e79ba042502144efe50bef0311259a8d44ba5dd5
Instruction Fuzzy Hash: E5F08231624385ABEB359F60DC49FDB73ACEB85301F408A29F64AD70D0DBB49458DB16

Function 002E0AB6 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

CALL, xrefs: 00325B5D

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 5bf3d2168c72b74bd8f65fb9fa093cf346cf282cf785eaec4fd7c168c672a5db
Instruction ID: a8f44e85752efa47d49f45f91fc46bac99d98bedf01dd33758a9d3f898f41b76
Opcode Fuzzy Hash: 5bf3d2168c72b74bd8f65fb9fa093cf346cf282cf785eaec4fd7c168c672a5db
Instruction Fuzzy Hash: 0812BB705182818FC721DF15C481B6AB7E1FF84304F65886DE89A8B362D771EDA2CF82

Function 002E3A70 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 220COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002E3D44

Strings

CALL, xrefs: 002E3D14

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: afeb54075c2684f126f102db3fbfa97823fe8f4e25493d7fc9540edac48b83b4
Instruction ID: 9e4b4c618ae8282d301c74434e6b30535a554d5d27bf37be9957f0f0e8341ab0
Opcode Fuzzy Hash: afeb54075c2684f126f102db3fbfa97823fe8f4e25493d7fc9540edac48b83b4
Instruction Fuzzy Hash: 2191EF70514242DFCB01DF25C884B1ABBE1FF85314F14895DE89A5B3A2CB71EA65CF92

Function 002D3DF8 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 002D3EC9

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 0db71b811dcd72fb601bc4e70f86609aec5692d9ad7d632ad0a59c8642d587aa
Instruction ID: 4c343bcc716639ae9d8184ea2bb9590173ab9b50175d32871bd59d875ffdcece
Opcode Fuzzy Hash: 0db71b811dcd72fb601bc4e70f86609aec5692d9ad7d632ad0a59c8642d587aa
Instruction Fuzzy Hash: 53314C706147018FD722DF29D884797BBE8FF4A708F00092EF59A87280E7B5AD94CB52

Function 002D28E0 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 002D2902

Part of subcall function 002D28AB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 002D28C0
Part of subcall function 002D28AB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 002D28D7

Part of subcall function 002D331E: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,002D292D,?), ref: 002D334E
Part of subcall function 002D331E: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,002D292D,?), ref: 002D3361
Part of subcall function 002D331E: GetFullPathNameW.KERNEL32(00007FFF,?,?,003A2408,003A23F0,?,?,?,?,?,?,002D292D,?), ref: 002D33CD
Part of subcall function 002D331E: SetCurrentDirectoryW.KERNEL32(?,00000001,003A2408,?,?,?,?,?,?,?,002D292D,?), ref: 002D344E

SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 002D293C

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
String ID:
API String ID: 1550534281-0
Opcode ID: 8c1cd3899183687b3b205eb5992d33348676096fe7731e676d237f67a74f5a9e
Instruction ID: 621646794215901991c5fc6d43ea8f84996172d30d76ea7ea7f1e288287149c3
Opcode Fuzzy Hash: 8c1cd3899183687b3b205eb5992d33348676096fe7731e676d237f67a74f5a9e
Instruction Fuzzy Hash: 55F0E9355207049FDB12AF68EC4AB56379CA713312F004856F201461F2CBF9C4649F40

Function 002E3150 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002E358E

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: bbf9c399b743693be9d20fce2db3193874fad21eb9c38e181986b2c32ad7a22a
Instruction ID: 776087ed2c9bbf4fcb86d587a03a33f4c56c823d0b9253440e948ba009695e09
Opcode Fuzzy Hash: bbf9c399b743693be9d20fce2db3193874fad21eb9c38e181986b2c32ad7a22a
Instruction Fuzzy Hash: 6632DC34A14296AFDF11CF59C888EBAB7B9FF45300F558059E905AB391CB70AE61CB90

Function 0035785D Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: e396bb9b7f4fa288717221fc053362c741df619c8d235a06888a519ccb4560ee
Instruction ID: 9a53592f7cdce238b33b26d81681e6491ac0a6a1916a62a3ff27cb1f2ce2d915
Opcode Fuzzy Hash: e396bb9b7f4fa288717221fc053362c741df619c8d235a06888a519ccb4560ee
Instruction Fuzzy Hash: 5AD15B74A0420ADFCB15EF98D881DADBBB5FF48310F14405AE915AB3A1DB30AE95CF90

Function 002FF1B6 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5054201fc2d2e16db301204ae028c8a287864dd57b2e67b059b71a1dbaa8d8f2
Instruction ID: c58b72e81519bf2cfd515f6d6d88f38ff78eb5945020d7436ee088bc7d8e49ee
Opcode Fuzzy Hash: 5054201fc2d2e16db301204ae028c8a287864dd57b2e67b059b71a1dbaa8d8f2
Instruction Fuzzy Hash: B051F631A1014CAFDB51CF68CA40ABDBBA5EF853A4F1981B9ED089B391C771ED52CB50

Function 0033FB75 Relevance: 1.6, APIs: 1, Instructions: 136COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0033FB8E

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: ff8d56a86f2162ae6c3697a1723f06863210bfa9d421e7c356192f30697c6f00
Instruction ID: 5a2e381fa8e1e91a6036ea50646f360e6a7f4324dcc1a9167ad780470af0ba3d
Opcode Fuzzy Hash: ff8d56a86f2162ae6c3697a1723f06863210bfa9d421e7c356192f30697c6f00
Instruction Fuzzy Hash: 7741B2B6900209AFDB16EFA4C8818AEB7B8EF44310F11453EE917DB241EB70DE05CB50

Function 002D2BE0 Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 002D320E: LoadLibraryA.KERNEL32(kernel32.dll,?,?,002D2BF2,?,?,002D2B95,?,00000001,?,?,00000000), ref: 002D321A
Part of subcall function 002D320E: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 002D322C
Part of subcall function 002D320E: FreeLibrary.KERNEL32(00000000,?,?,002D2BF2,?,?,002D2B95,?,00000001,?,?,00000000), ref: 002D323E

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,002D2B95,?,00000001,?,?,00000000), ref: 002D2C12

Part of subcall function 002D31D7: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00313B55,?,?,002D2B95,?,00000001,?,?,00000000), ref: 002D31E0
Part of subcall function 002D31D7: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 002D31F2
Part of subcall function 002D31D7: FreeLibrary.KERNEL32(00000000,?,?,00313B55,?,?,002D2B95,?,00000001,?,?,00000000), ref: 002D3205

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 3a5aa60f1e05881dc3cd6eb273fe5d3aaa2be0b27877c40c39a4ad66cea96254
Instruction ID: c92162e89931654c1fc06f356b047bc14fdb64c6c1ef57b9870583bc41c955e9
Opcode Fuzzy Hash: 3a5aa60f1e05881dc3cd6eb273fe5d3aaa2be0b27877c40c39a4ad66cea96254
Instruction Fuzzy Hash: 97110831620205EACB25AF20CC02BAD77A59F60710F11842FF542A62D1DA709E199B50

Function 00308822 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00308860

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: d831cf52a9f02dd8f4cad6cb1f65b2ba9556bcb6212ce1d635b21ccaac6972dc
Instruction ID: e0206127b1b0e4c7468c6f285389420e2f47c7d326dc03fd335cf4327e2099b2
Opcode Fuzzy Hash: d831cf52a9f02dd8f4cad6cb1f65b2ba9556bcb6212ce1d635b21ccaac6972dc
Instruction Fuzzy Hash: 6C11187190420AAFCF1ADF98E9419DA7BF8EF49310F114069F809AB351DA31EA118B65

Function 00305420 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0030509D: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00303249,00000001,00000364,?,00000000,?,00302C3D,00303C83,?,?,002F0215,00000000), ref: 003050DE

_free.LIBCMT ref: 0030548C

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: d3a79c8707e0e13ca0e62e8e62d61fa158a662e1ed4178267a8163df69b3609d
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 54014E721057045FE322CF65D855A9BFBDCEB85370F25091DE194872C0EA306945CB74

Function 002FEA22 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b9f836960ab58fccbfac0efb01fc85afbfff16d2c470218f1775939f83e5553
Instruction ID: 8943d8022826e71be87c1dc513e7afc67ff8d8448a85e095b539f7324cfe639f
Opcode Fuzzy Hash: 0b9f836960ab58fccbfac0efb01fc85afbfff16d2c470218f1775939f83e5553
Instruction Fuzzy Hash: 7FF0F932522A1C5ADE233E658C16B7B7798AF413B0F114735F6349A1E1CF7099118691

Function 002DC110 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002DC11A

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 089d3e1551e62be85cfc57acfccdec3cd106e9a1e6022592ea5c817a06ed77ae
Instruction ID: 93c38964ee2cc8d3ba5138c9fc90d3bdfd26081059ed0125fe6e8be6296b3713
Opcode Fuzzy Hash: 089d3e1551e62be85cfc57acfccdec3cd106e9a1e6022592ea5c817a06ed77ae
Instruction Fuzzy Hash: B9F02D72220615AED7105F28D806F76FB94EB443A0F10813AFB1DCB1D1DB71E420CBA0

Function 0030509D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00303249,00000001,00000364,?,00000000,?,00302C3D,00303C83,?,?,002F0215,00000000), ref: 003050DE

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: dcad3d536d9c9646dd67f2567403b5c96ed97eec8bf388e7f3c5e22f1135c4f4
Instruction ID: 801a82e196b67f48c16f1f06d80bc7f43b90013f2c8a3b4fdd9ae628be7d1383
Opcode Fuzzy Hash: dcad3d536d9c9646dd67f2567403b5c96ed97eec8bf388e7f3c5e22f1135c4f4
Instruction Fuzzy Hash: 01F0BE31642A2467EB236B268C29F6F774CAB427B0B268121AD04AA1D1CA60DC018FE0

Function 00303C40 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,?,?,002F0215,00000000,?,002D8E5F,00000004,?,00314C6B,?,?,002D10E8,0036DBF4), ref: 00303C72

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3fe3d768f196a83d95046bb373e1776fead51aa4f6934dc2528385a802063cc9
Instruction ID: 24a0e54a59ca3f290382ee155c0fea4a014a01bb5881822a1ff2a261f405edeb
Opcode Fuzzy Hash: 3fe3d768f196a83d95046bb373e1776fead51aa4f6934dc2528385a802063cc9
Instruction Fuzzy Hash: 7DE0E53220222456F623A7BA8C18F5B765C9F023B0F160160AD01F60D0DB70CE0046E0

Function 002D2C4E Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c0c6187ec3aeef06ddfb610d972f7242b39f520ef032c365f95d8f0857a618
Instruction ID: 5dc7437c49f1d6568c42c6540029956532c06639cbcb08e97e151bae306da790
Opcode Fuzzy Hash: d7c0c6187ec3aeef06ddfb610d972f7242b39f520ef032c365f95d8f0857a618
Instruction Fuzzy Hash: 24F015B1525712CFCB399F64D49486ABBE4BF24326322C97FE1D686620C7729C94DF00

Function 002D2DAA Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 002D2DC8

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 6f20ebd9b2a2bf586509a237b68e363968dd7dbffc5f75a367978f3cc06a5eeb
Instruction ID: 0f8e6ed73d2f7a48d47f1609854eda4b310a371bddebddf98a9c0a73e2f15a0e
Opcode Fuzzy Hash: 6f20ebd9b2a2bf586509a237b68e363968dd7dbffc5f75a367978f3cc06a5eeb
Instruction Fuzzy Hash: E5F0F87151020DFFDF05DF90C941EAEBB79FF18318F208445F9159A251C376DA61ABA1

Function 002D3B82 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 002D3BDE

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 9da4e13447da3bd40b12215ef16f28cd03595ba81e6b84bd2dccf7d0f1ba75ac
Instruction ID: e58fe4f0f98b2d3320d4ea3833dffc4845aba988b65e293df9be1bbe972564b4
Opcode Fuzzy Hash: 9da4e13447da3bd40b12215ef16f28cd03595ba81e6b84bd2dccf7d0f1ba75ac
Instruction Fuzzy Hash: 27F037749143589FDF53DF28DC45796BBFCA70370CF0400A6A68896185DBB45B89CF51

Function 002D32E0 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 002D32FF

Part of subcall function 002DB0DB: _wcslen.LIBCMT ref: 002DB0EE

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 7f29d546a79bed828d758830f6e6a12d7d595c804a5fcf8ac4c1193e62a0276a
Instruction ID: cbe71357bb26935d025b87362e7156d847aa4fb3cb67e2345724b8226ba5478e
Opcode Fuzzy Hash: 7f29d546a79bed828d758830f6e6a12d7d595c804a5fcf8ac4c1193e62a0276a
Instruction Fuzzy Hash: 16E0CD76A0012457CB1192589C05FDB77DDDFC8790F054071FC05D7344D964DDC0C950

Function 003107BB Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,00310B25,?,?,00000000,?,00310B25,00000000,0000000C), ref: 003107D8

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 61244a992cd8f05ddfe00d28425a3c2cf44ad9cac7f11039a207780a5c0fec78
Instruction ID: 752b8f3b30ed61f06531acb909488c8d639cc24e52bb52b5793b6f8f2ff422b1
Opcode Fuzzy Hash: 61244a992cd8f05ddfe00d28425a3c2cf44ad9cac7f11039a207780a5c0fec78
Instruction Fuzzy Hash: 43D06C3210010DBBDF028F84DD06EDA3BAAFB4C714F018000FE1856020C772E821AB90

Function 0033E970 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0033D6EB), ref: 0033E971

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c24802ef37dbbe6f407ef8b31801083138bfab769a926a91f79a2d06715a8dc9
Instruction ID: 71a59e524065627900cc499fdfbb6fe474b0b201f80f122a970ffec72a76a7a6
Opcode Fuzzy Hash: c24802ef37dbbe6f407ef8b31801083138bfab769a926a91f79a2d06715a8dc9
Instruction Fuzzy Hash: 67B0922440060005AD6A4E386A9829E630568463E6FDD1F80E4BD850F1837EA80BE650

Function 0034651E Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 0033DB0B: FindFirstFileW.KERNEL32(?,?), ref: 0033DB82
Part of subcall function 0033DB0B: DeleteFileW.KERNEL32(?,?,?,?), ref: 0033DBD2
Part of subcall function 0033DB0B: FindNextFileW.KERNELBASE(00000000,00000010), ref: 0033DBE3
Part of subcall function 0033DB0B: FindClose.KERNEL32(00000000), ref: 0033DBFA

GetLastError.KERNEL32 ref: 00346540

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: FileFind$CloseDeleteErrorFirstLastNext
String ID:
API String ID: 2191629493-0
Opcode ID: 67000b6257ce18f19431c51dcfe8b49e02293ffbae5308e500c37aacd9864e7b
Instruction ID: 1ed9c6d4f30960b9457217c7988924ad7bcd22018b656d9da11ac23732eac3b5
Opcode Fuzzy Hash: 67000b6257ce18f19431c51dcfe8b49e02293ffbae5308e500c37aacd9864e7b
Instruction Fuzzy Hash: 9EF08C322102109FCB11EF59D955B6AB7E8AF49720F09844AF9499B352CB74BC11CB95

Non-executed Functions

Function 00369B7E Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 002D23E1: GetWindowLongW.USER32(00000000,000000EB), ref: 002D23F2

DefDlgProcW.USER32(?,0000004E,?,?,?,?), ref: 00369C22
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00369C63
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00369CA7
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00369CD1
SendMessageW.USER32 ref: 00369CFA
GetKeyState.USER32(00000011), ref: 00369D93
GetKeyState.USER32(00000009), ref: 00369DA0
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00369DB6
GetKeyState.USER32(00000010), ref: 00369DC0
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00369DF1
SendMessageW.USER32 ref: 00369E18
SendMessageW.USER32(?,00001030,?,Function_0009849D), ref: 00369F20
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?), ref: 00369F36
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00369F49
SetCapture.USER32(?), ref: 00369F52
ClientToScreen.USER32(?,?), ref: 00369FB7
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00369FC4
InvalidateRect.USER32(?,00000000,00000001,?), ref: 00369FDE
ReleaseCapture.USER32 ref: 00369FE9
GetCursorPos.USER32(?), ref: 0036A021
ScreenToClient.USER32(?,?), ref: 0036A02E
SendMessageW.USER32(?,00001012,00000000,?), ref: 0036A088
SendMessageW.USER32 ref: 0036A0B6
SendMessageW.USER32(?,00001111,00000000,?), ref: 0036A0F3
SendMessageW.USER32 ref: 0036A122
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0036A143
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0036A152
GetCursorPos.USER32(?), ref: 0036A170
ScreenToClient.USER32(?,?), ref: 0036A17D
GetParent.USER32(?), ref: 0036A19B
SendMessageW.USER32(?,00001012,00000000,?), ref: 0036A202
SendMessageW.USER32 ref: 0036A233
ClientToScreen.USER32(?,?), ref: 0036A28C
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0036A2BC
SendMessageW.USER32(?,00001111,00000000,?), ref: 0036A2E6
SendMessageW.USER32 ref: 0036A309
ClientToScreen.USER32(?,?), ref: 0036A356
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0036A38A

Part of subcall function 002D2184: GetWindowLongW.USER32(?,000000EB), ref: 002D2192

GetWindowLongW.USER32(?,000000F0), ref: 0036A40D

Strings

F, xrefs: 0036A30F
@GUI_DRAGID, xrefs: 00369F85

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 8d21d34dd3fc0e2681ff8241f5656270b54d9b9ab734d0f37455f2f0d66f866f
Instruction ID: 941a04361dacd1a11c681cb5e23e4f3790e0f5d82246b17f2b9c68dd40794d54
Opcode Fuzzy Hash: 8d21d34dd3fc0e2681ff8241f5656270b54d9b9ab734d0f37455f2f0d66f866f
Instruction Fuzzy Hash: 6242AD34604201EFD726CF28D844BAABBE8FF49314F14861EF695972A5C771E8A4CF52

Function 00331A7B Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00331F3D: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00331F87
Part of subcall function 00331F3D: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00331FB4
Part of subcall function 00331F3D: GetLastError.KERNEL32 ref: 00331FC4

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00331B00
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00331B22
CloseHandle.KERNEL32(?), ref: 00331B33
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00331B4B
GetProcessWindowStation.USER32 ref: 00331B64
SetProcessWindowStation.USER32(00000000), ref: 00331B6E
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00331B8A

Part of subcall function 00331939: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00331A76), ref: 0033194E
Part of subcall function 00331939: CloseHandle.KERNEL32(?,?,00331A76), ref: 00331963

Strings

winsta0, xrefs: 00331B46
j9, xrefs: 00331C0C
default, xrefs: 00331B85
, xrefs: 00331AD4

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$j9
API String ID: 22674027-1938401639
Opcode ID: fb9a3b77f691521b672ed2a393bb1b046822fae87e099a081d3e702ab768ecdd
Instruction ID: 8cbb19c3b015c53f8f1d127b5d8b75d6571a872efd93591957ff675cbf1bae95
Opcode Fuzzy Hash: fb9a3b77f691521b672ed2a393bb1b046822fae87e099a081d3e702ab768ecdd
Instruction Fuzzy Hash: 5781AF71A40209AFDF129FA4DD89FEEBBBCFF08700F154129F910A62A0D7B18955CB60

Function 003313DC Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00331973: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0033198E
Part of subcall function 00331973: GetLastError.KERNEL32(?,00000000,00000000,?,?,00331415,?,?,?), ref: 0033199A
Part of subcall function 00331973: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00331415,?,?,?), ref: 003319A9
Part of subcall function 00331973: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00331415,?,?,?), ref: 003319B0
Part of subcall function 00331973: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 003319C7

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00331446
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0033147A
GetLengthSid.ADVAPI32(?), ref: 00331491
GetAce.ADVAPI32(?,00000000,?), ref: 003314CB
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 003314E7
GetLengthSid.ADVAPI32(?), ref: 003314FE
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00331506
HeapAlloc.KERNEL32(00000000), ref: 0033150D
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0033152E
CopySid.ADVAPI32(00000000), ref: 00331535
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00331564
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00331586
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00331598
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003315BF
HeapFree.KERNEL32(00000000), ref: 003315C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003315CF
HeapFree.KERNEL32(00000000), ref: 003315D6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003315DF
HeapFree.KERNEL32(00000000), ref: 003315E6
GetProcessHeap.KERNEL32(00000000,?), ref: 003315F2
HeapFree.KERNEL32(00000000), ref: 003315F9

Part of subcall function 00331A0D: GetProcessHeap.KERNEL32(00000008,0033142B,?,00000000,?,0033142B,?), ref: 00331A1B
Part of subcall function 00331A0D: HeapAlloc.KERNEL32(00000000,?,00000000,?,0033142B,?), ref: 00331A22
Part of subcall function 00331A0D: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,0033142B,?), ref: 00331A31

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 1b055e131d3ae31129b1b43bfe257e0ea5550b2fdd12cdbabe1faf8800929f3e
Instruction ID: 6a7477d1ed9d2b7cb8e0c6a698179ef105d89054d69dbff5af58057386425243
Opcode Fuzzy Hash: 1b055e131d3ae31129b1b43bfe257e0ea5550b2fdd12cdbabe1faf8800929f3e
Instruction Fuzzy Hash: 9A713EB1E00209AFEF12DFA5DC88FAEBBBCBF45311F158115E916A6190D7719A05CBA0

Function 0034F345 Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0036DBF4), ref: 0034F36F
IsClipboardFormatAvailable.USER32(0000000D), ref: 0034F37D
GetClipboardData.USER32(0000000D), ref: 0034F389
CloseClipboard.USER32 ref: 0034F395
GlobalLock.KERNEL32(00000000), ref: 0034F3CD
CloseClipboard.USER32 ref: 0034F3D7
GlobalUnlock.KERNEL32(00000000), ref: 0034F402
IsClipboardFormatAvailable.USER32(00000001), ref: 0034F40F
GetClipboardData.USER32(00000001), ref: 0034F417
GlobalLock.KERNEL32(00000000), ref: 0034F428
GlobalUnlock.KERNEL32(00000000), ref: 0034F468
IsClipboardFormatAvailable.USER32(0000000F), ref: 0034F47E
GetClipboardData.USER32(0000000F), ref: 0034F48A
GlobalLock.KERNEL32(00000000), ref: 0034F49B
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0034F4BD
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0034F4DA
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0034F518
GlobalUnlock.KERNEL32(00000000), ref: 0034F539
CountClipboardFormats.USER32 ref: 0034F55A
CloseClipboard.USER32 ref: 0034F59F

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 8dd1fb80551cd55b39fd8612f5b0197121c59775a4c7ee15b0532819c7c16f96
Instruction ID: 4b5aec1708106b4814f41b0c34eabc8c6aae96bb781f1490f8d9f44ff2dae61f
Opcode Fuzzy Hash: 8dd1fb80551cd55b39fd8612f5b0197121c59775a4c7ee15b0532819c7c16f96
Instruction Fuzzy Hash: B361C3346043419FD302EF24D898F2AB7E8AF48704F59856DF8468B2A2DB71ED45CB62

Function 00344635 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00344657
_wcslen.LIBCMT ref: 00344684
CreateDirectoryW.KERNEL32(?,00000000), ref: 003446B4
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 003446D5
RemoveDirectoryW.KERNEL32(?), ref: 003446E5
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0034476C
CloseHandle.KERNEL32(00000000), ref: 00344777
CloseHandle.KERNEL32(00000000), ref: 00344782

Strings

\??\%s, xrefs: 00344672
:, xrefs: 00344699
\, xrefs: 0034468E

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 711bea452cc81f9f73f82a6122aee94649b016596e6b941576bba022113e9b73
Instruction ID: ade760ed2b44ea19b9c4273e23dc35e8a1dec8780f48e8db4bb51cde9ec59f2f
Opcode Fuzzy Hash: 711bea452cc81f9f73f82a6122aee94649b016596e6b941576bba022113e9b73
Instruction Fuzzy Hash: AA31E675A00109ABDB229FA0DC49FEB77FDEF89700F2140B5F605D61A0EBB4A6548F24

Function 0035C5C4 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0035D11B: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0035BE2E,?,?), ref: 0035D138
Part of subcall function 0035D11B: _wcslen.LIBCMT ref: 0035D174
Part of subcall function 0035D11B: _wcslen.LIBCMT ref: 0035D1E2
Part of subcall function 0035D11B: _wcslen.LIBCMT ref: 0035D218

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0035C6BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0035C729
RegCloseKey.ADVAPI32(00000000), ref: 0035C74D
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0035C7AC
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0035C867
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0035C8D4
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0035C969
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0035C9BA
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0035CA63
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0035CB02
RegCloseKey.ADVAPI32(00000000), ref: 0035CB0F

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 8beda8a6c8446e401d40f8351f7b5d8bcafc45e5e8afb7044f2f07947639f88e
Instruction ID: 7eb493d6e4e66f8e58d288d8cf6f210a2c0116c93693db9dff39f5aaa33a2f92
Opcode Fuzzy Hash: 8beda8a6c8446e401d40f8351f7b5d8bcafc45e5e8afb7044f2f07947639f88e
Instruction Fuzzy Hash: 56026B71614340AFD715DF28C895E2ABBE4EF48308F19849DF84ADB2A2DB31ED46CB51

Function 003472A6 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 286timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 003472D2
FindClose.KERNEL32(00000000), ref: 00347323
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0034734F
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00347366

Part of subcall function 002DC110: _wcslen.LIBCMT ref: 002DC11A

FileTimeToSystemTime.KERNEL32(?,?), ref: 0034738D

Strings

%4d, xrefs: 00347413
%02d, xrefs: 00347461, 0034746B, 003474B9, 00347508, 00347557, 003475A6
%4d%02d%02d%02d%02d%02d, xrefs: 003473D3

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: FileTime$FindLocal$CloseFirstSystem_wcslen
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 409396820-2428617273
Opcode ID: 00122f665c068a71e885a3cb9259f8c8613042b94ba8b4adde68e1728c03fb89
Instruction ID: a81d5d7401db03f29dad6149760978a6a772a0643752ef9fa86320ae4ebc998f
Opcode Fuzzy Hash: 00122f665c068a71e885a3cb9259f8c8613042b94ba8b4adde68e1728c03fb89
Instruction Fuzzy Hash: 8FA14071528241AFC711EFA5C895DAFB7ECAF84344F44482EF58587292EB34ED18CB62

Function 0033D7CC Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 175fileCOMMON

Download Yara Rule

APIs

Part of subcall function 002D50F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002D5035,?,?,00314641,?,?,00000100,00000000,00000000,CMDLINE), ref: 002D5117

Part of subcall function 0033E8F5: CompareStringW.KERNEL32(00000400,00000001,?,?,0033D818,?,?,?,?,?,?,00000000), ref: 0033E947

Part of subcall function 0033E970: GetFileAttributesW.KERNEL32(?,0033D6EB), ref: 0033E971

FindFirstFileW.KERNEL32(?,?), ref: 0033D878
CompareStringW.KERNEL32(00000400,00000001,?,?,?,?,?,?,?), ref: 0033D92D
DeleteFileW.KERNEL32(?), ref: 0033D93F
MoveFileW.KERNEL32(?,?), ref: 0033D952
DeleteFileW.KERNEL32(?,?,?,?), ref: 0033D96F
FindNextFileW.KERNEL32(00000000,00000010), ref: 0033D999

Part of subcall function 0033D9FE: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0033D97E,?,?), ref: 0033DA14

FindClose.KERNEL32(00000000,?,?,?), ref: 0033D9B5
FindClose.KERNEL32(00000000), ref: 0033D9C6

Strings

\*.*, xrefs: 0033D823, 0033D82C, 0033D841

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: File$Find$CloseCompareDeleteString$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 597992297-1173974218
Opcode ID: 202baceddb90a6e76fb91fe99b77e7db54821948659db997d87f092fcd7de8e6
Instruction ID: 0f135612f6e8df2010a1596b5fdf0cf9f7b85178ea253ae0ee52b05eaa2ef6f3
Opcode Fuzzy Hash: 202baceddb90a6e76fb91fe99b77e7db54821948659db997d87f092fcd7de8e6
Instruction Fuzzy Hash: 98617D31D0114DAFCF02EBA0E992AEDB779AF14304F204166E442772A1EB74AF59CF61

Function 0034F5B0 Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0034F5D7
EmptyClipboard.USER32 ref: 0034F5DD
GlobalAlloc.KERNEL32(00000002,?), ref: 0034F5F2
CloseClipboard.USER32 ref: 0034F6E9

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 9943af022b7a435f1dff00c2697fcb444ad50518b24027e8cd64afef5ea96878
Instruction ID: 187f3589a61bc3bf54df32b73473cacbec422f1012cb0f7343541da1c92fd570
Opcode Fuzzy Hash: 9943af022b7a435f1dff00c2697fcb444ad50518b24027e8cd64afef5ea96878
Instruction Fuzzy Hash: 59418C35604611AFD712DF25D888B16BBE8EF44359F1AC0A9E4198F6B2C779FC41CB90

Function 0033207D Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00331CC3,?,?,00000000), ref: 00332086
HeapAlloc.KERNEL32(00000000,?,00331CC3,?,?,00000000), ref: 0033208D
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00331CC3,?,?,00000000), ref: 003320A2
GetCurrentProcess.KERNEL32(?,00000000,?,00331CC3,?,?,00000000), ref: 003320AA
DuplicateHandle.KERNEL32(00000000,?,00331CC3,?,?,00000000), ref: 003320AD
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00331CC3,?,?,00000000), ref: 003320BD
GetCurrentProcess.KERNEL32(00331CC3,00000000,?,00331CC3,?,?,00000000), ref: 003320C5
DuplicateHandle.KERNEL32(00000000,?,00331CC3,?,?,00000000), ref: 003320C8
CreateThread.KERNEL32(00000000,00000000,003320EE,00000000,00000000,00000000), ref: 003320E2

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 6b6cc8c55957f28a51798c4ca166e24b310034b6e3322103cab9ca1943fa442f
Instruction ID: 0ddd3439d3ca66aebab686eea0a0d5b9254233f3ae7d1d0fc16f1da654b15141
Opcode Fuzzy Hash: 6b6cc8c55957f28a51798c4ca166e24b310034b6e3322103cab9ca1943fa442f
Instruction Fuzzy Hash: DD01B6B5740348BFE751ABA5DC8DF6B7BACEB89711F008411FA05DB2A1CAF19814CB60

Function 0033F0CD Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00331F3D: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00331F87
Part of subcall function 00331F3D: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00331FB4
Part of subcall function 00331F3D: GetLastError.KERNEL32 ref: 00331FC4

ExitWindowsEx.USER32(?,00000000), ref: 0033F109

Strings

, xrefs: 0033F133
, xrefs: 0033F0F7
SeShutdownPrivilege, xrefs: 0033F0D9
@, xrefs: 0033F0FC

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 51a672f0c576ba27d2075855aaec0a7c9d0d6d83b6b048ecf77ea9227dd03263
Instruction ID: eb78ed3ceb78033c0ffb379945c57d7f84e7f82794d3b54a8e1e1b4f06d15a17
Opcode Fuzzy Hash: 51a672f0c576ba27d2075855aaec0a7c9d0d6d83b6b048ecf77ea9227dd03263
Instruction Fuzzy Hash: 3501D672F10210AFEB2666B8FCD6FBE726C9B04344F964831FD02E61D2DB605C408190

Function 00351A4A Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00351ABC
WSAGetLastError.WSOCK32 ref: 00351AC9
bind.WSOCK32(00000000,?,00000010), ref: 00351B00
WSAGetLastError.WSOCK32 ref: 00351B0B
closesocket.WSOCK32(00000000), ref: 00351B3A
listen.WSOCK32(00000000,00000005), ref: 00351B49
WSAGetLastError.WSOCK32 ref: 00351B53
closesocket.WSOCK32(00000000), ref: 00351B82

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 05a156f523ee0b36e77f9453480b82d6ae54b6dc2ca1340f349386187d3debbe
Instruction ID: 6ba7cdc15f5269cea139557878de4d8ee68537d8d309480d73967af1dbdf49b2
Opcode Fuzzy Hash: 05a156f523ee0b36e77f9453480b82d6ae54b6dc2ca1340f349386187d3debbe
Instruction Fuzzy Hash: 7B418E35A001419FD712DF28C488F29BBE5BF46319F298189E8565F3A2C7B1ED85CBE1

Function 003438E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00313BC0,?,?,00000000,00000000), ref: 003438F0
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00313BC0,?,?,00000000,00000000), ref: 00343907
LoadResource.KERNEL32(?,00000000,?,?,00313BC0,?,?,00000000,00000000,?,?,?,?,?,?,002D2C35), ref: 00343917
SizeofResource.KERNEL32(?,00000000,?,?,00313BC0,?,?,00000000,00000000,?,?,?,?,?,?,002D2C35), ref: 00343928
LockResource.KERNEL32(00313BC0,?,?,00313BC0,?,?,00000000,00000000,?,?,?,?,?,?,002D2C35,?), ref: 00343937

Strings

SCRIPT, xrefs: 003438FD

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: c0cbb94dbe33d49cf761d1a8c03894894654464df5c80babcbd5bd456aa53668
Instruction ID: 12761db05a88a3c8428253acb4dd6f323f38aae4d162a06fa03f8c1a5607b035
Opcode Fuzzy Hash: c0cbb94dbe33d49cf761d1a8c03894894654464df5c80babcbd5bd456aa53668
Instruction Fuzzy Hash: 2D112771600702BFE7228B65DC58F277BBDEFC9B51F158568F5069B2A0DBB1E9008A20

Function 00352B20 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00352B2E

Part of subcall function 0034ED1C: GetWindowRect.USER32(?,?), ref: 0034ED34

GetDesktopWindow.USER32 ref: 00352B58
GetWindowRect.USER32(00000000), ref: 00352B5F
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00352B91

Part of subcall function 0033F152: Sleep.KERNEL32 ref: 0033F1CA

GetCursorPos.USER32(?), ref: 00352BBD
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00352C1B

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 53cf648113135bd20a36c0246f650c9779f87bc8a751da8702c53dacabd2da95
Instruction ID: 0a13d564436fbd8dda9b35a7139f2869379427cee0acf34629fc4ead2045dda7
Opcode Fuzzy Hash: 53cf648113135bd20a36c0246f650c9779f87bc8a751da8702c53dacabd2da95
Instruction Fuzzy Hash: 8531D272905305AFD711DF14C849E9BBBEDFF89314F014919F989A7191D770EA08CB92

Function 0034A32C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 002DC110: _wcslen.LIBCMT ref: 002DC11A

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 0034A379
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 0034A48C

Part of subcall function 0034418B: GetInputState.USER32 ref: 003441E2
Part of subcall function 0034418B: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0034427D

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 0034A3A9
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 0034A476

Strings

*.*, xrefs: 0034A35E

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: f6377d7baeb8baf9e22b12715cd510584306245ec255cc21216a8cbda39489ae
Instruction ID: 2f5f2cdcea644e44904ec70194fb2608619eb47000629b3813029e9580788c0d
Opcode Fuzzy Hash: f6377d7baeb8baf9e22b12715cd510584306245ec255cc21216a8cbda39489ae
Instruction Fuzzy Hash: B3416F7594060A9FCF12DF65DC49AEEBBF8EF05310F204066E805A63A1E774AE54CF61

Function 002D21FD Relevance: 7.8, APIs: 5, Instructions: 309COMMON

Download Yara Rule

APIs

DefDlgProcW.USER32(?,?), ref: 002D228E
GetSysColor.USER32(0000000F), ref: 002D2363
SetBkColor.GDI32(?,00000000), ref: 002D2376

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Color$Proc
String ID:
API String ID: 929743424-0
Opcode ID: ec02d0b4f26618f7b040ef627feaa013f2764b7c42708e1d475a30236e110903
Instruction ID: 418d625c2ab2fd0098c0d72db8d3d2b8451bf67843f3e43357921a4c5235e8a1
Opcode Fuzzy Hash: ec02d0b4f26618f7b040ef627feaa013f2764b7c42708e1d475a30236e110903
Instruction Fuzzy Hash: 01816770634014FAE32F6A3D8C4CEBF294DDB6B300F15450BF542DA786CE6A8E659636

Function 0035204C Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00353821: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0035384D
Part of subcall function 00353821: _wcslen.LIBCMT ref: 0035386E

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 003520A3
WSAGetLastError.WSOCK32 ref: 003520CA
bind.WSOCK32(00000000,?,00000010), ref: 00352121
WSAGetLastError.WSOCK32 ref: 0035212C
closesocket.WSOCK32(00000000), ref: 0035215B

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: e65b838e05efaa63bfd9a8825ded9e22abad85044f93c995ebd7e7b9339d8ee5
Instruction ID: 636f79075a60d9b5949612bc593c2e8af95a0bad02065676f2fc4ee31225faed
Opcode Fuzzy Hash: e65b838e05efaa63bfd9a8825ded9e22abad85044f93c995ebd7e7b9339d8ee5
Instruction Fuzzy Hash: AB51E370A40250AFE711AF24C886F6A77E5AB49754F14C099F9059F3D3C771AD42CBE1

Function 0036231B Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0036239A
IsWindowEnabled.USER32 ref: 003623A8
GetForegroundWindow.USER32(?,?,00000001,?), ref: 003623B5
IsIconic.USER32 ref: 003623C3
IsZoomed.USER32 ref: 003623D1

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 61ed682f03a51e2aec29fa885a5f474947675166b0fd5a0cbb857c49d52c8c0f
Instruction ID: cac80ecb548935de2761fb3946ceda55ff9e85a01f2205133f1938a76cc0abfe
Opcode Fuzzy Hash: 61ed682f03a51e2aec29fa885a5f474947675166b0fd5a0cbb857c49d52c8c0f
Instruction Fuzzy Hash: 4921C735700A005FD7129F26C844B5B7BE9EF85315F2BC069E8498B355DB75DC42CB90

Function 003029B2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00302AAA
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00302AB4
UnhandledExceptionFilter.KERNEL32(?), ref: 00302AC1

Strings

]Y/, xrefs: 003029B4

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID: ]Y/
API String ID: 3906539128-1536016309
Opcode ID: c3a68b5b371e9dffd104425eb18f6b6dcc7f5bdbce49a3729f2d6e866ee3ce32
Instruction ID: a4fe78c0457b474fca054faf4f9e2924f642061b37f5caf42c00d7737ba0004d
Opcode Fuzzy Hash: c3a68b5b371e9dffd104425eb18f6b6dcc7f5bdbce49a3729f2d6e866ee3ce32
Instruction Fuzzy Hash: 6E31C47491121C9BCB22DF68DD8979DBBB8BF08310F5041EAE50CA72A1EB709F958F45

Function 0034D672 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0034D6B7
GetLastError.KERNEL32(?,00000000), ref: 0034D718
SetEvent.KERNEL32(?,?,00000000), ref: 0034D72C

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: aa3d4f925d01b38dcc6ce422fb1d9f198ebe54f107c8f55ea33f3352aeb44702
Instruction ID: 445c733582f16094551f52c2559c98741320b0b21a5346cbf158d60fed0a2fce
Opcode Fuzzy Hash: aa3d4f925d01b38dcc6ce422fb1d9f198ebe54f107c8f55ea33f3352aeb44702
Instruction Fuzzy Hash: 7B21CF71A00704AFEB22DF65C888BABBBFCEF00304F11842AE6469A551D774FA04CF60

Function 0032E3BB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0032E3BF

Strings

%.3d, xrefs: 0032E3CA
X64, xrefs: 0032E447

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 652abf4a4eea7e48683e52941c41cedaf9a187a2de588057af04818a6055ec67
Instruction ID: f4f3e05c334b61bf7074d04b3fda5968fdec4f2f24dc0b6966b17e186947504f
Opcode Fuzzy Hash: 652abf4a4eea7e48683e52941c41cedaf9a187a2de588057af04818a6055ec67
Instruction Fuzzy Hash: 73D05B75C05129D9CFD2E793AD8ADBD737CBB08700FA48462F906D2401D734D5149B32

Function 002F5108 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,002F50DE,00000003,00399820,0000000C,002F5235,00000003,00000002,00000000,?,00302D05,00000003), ref: 002F5129
TerminateProcess.KERNEL32(00000000,?,002F50DE,00000003,00399820,0000000C,002F5235,00000003,00000002,00000000,?,00302D05,00000003), ref: 002F5130
ExitProcess.KERNEL32 ref: 002F5142

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: afe55f477bb601249736aeb1615ed06ba77acd05c5445453092fc113b341fde6
Instruction ID: 0e6a88f6c7dc6832a2cd006f846df75b2a8529e12d69014a27d1b66dff207814
Opcode Fuzzy Hash: afe55f477bb601249736aeb1615ed06ba77acd05c5445453092fc113b341fde6
Instruction Fuzzy Hash: A4E0B631510658AFDF226F64DD19A697B6DEB45392F108024FA098A222DBB5ED62CB80

Function 0032E419 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0032E42B

Strings

X64, xrefs: 0032E447

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: baf5ba014e0942c77c3041edc7278efa31d876c8106aab9a368cc507e8da8966
Instruction ID: 6b9ecc129a419021fde2fffec0741d9f71ed0b95a716334bc70b5e5573644e1b
Opcode Fuzzy Hash: baf5ba014e0942c77c3041edc7278efa31d876c8106aab9a368cc507e8da8966
Instruction Fuzzy Hash: F3D0C9B591112DEACF81CB90EC8CDD9737CBB04304F104551F506E2000D77095498B10

Function 003440CC Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00355065,?,?,00000035,?), ref: 003440FB
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00355065,?,?,00000035,?), ref: 0034410B

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 6bbc8d99970dc77e7bc2946915b1fda3a5c5564d025e0c89ab00e533ed1e4d8f
Instruction ID: fb6e66b4c9ff8e25ddd0b74eb2797bd16766162fdbd9471e5efb34c957bd6e17
Opcode Fuzzy Hash: 6bbc8d99970dc77e7bc2946915b1fda3a5c5564d025e0c89ab00e533ed1e4d8f
Instruction Fuzzy Hash: 78F02B347003292AEB2157768C4DFEB76ADEFC5761F000175F509D3281D9609C40C7B0

Function 0033BA4A Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0033BA81
keybd_event.USER32(?,7694C0D0,?,00000000), ref: 0033BA94

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 629bf84145b075739357a97cd2289af96f5ea22586f9e62bc53c813a66810de9
Instruction ID: ce2362411500c864f629c7cbc6ce2cba20d3c7ad798695cf109093b556952698
Opcode Fuzzy Hash: 629bf84145b075739357a97cd2289af96f5ea22586f9e62bc53c813a66810de9
Instruction Fuzzy Hash: F8F01D7190424EABDB069FA5C805BAEBFB4FF04309F04800AFA55A9191D3798611DF95

Function 00331939 Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00331A76), ref: 0033194E
CloseHandle.KERNEL32(?,?,00331A76), ref: 00331963

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: b988cfc36c33d0ce3a43295bbda4e6f5adfe848b43891b5cf4b7741e99416e60
Instruction ID: 5eb48ab2c9cae5f91d16c929ba8f363d0508b40443a6bb74a0433479db1852fa
Opcode Fuzzy Hash: b988cfc36c33d0ce3a43295bbda4e6f5adfe848b43891b5cf4b7741e99416e60
Instruction Fuzzy Hash: E2E04F32014614AFE7262B11EC4AF77BBADFB04360F25882DF59580471DBB26CA0DF50

Function 0034F2E8 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0034F303

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 37aabf3dfaac4378dc570023416793fa36d372fa090343fd7af437f77ce1a8ca
Instruction ID: e4bd3fa843918e253e16124445938a0a46244a16617f9154f1b478eddfbba33c
Opcode Fuzzy Hash: 37aabf3dfaac4378dc570023416793fa36d372fa090343fd7af437f77ce1a8ca
Instruction Fuzzy Hash: 7CE01A362102049FD710AF5AD944A9ABBEDAF94760F14802AF889CB351DAB0AC408BA0

Function 002F0DF5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00020E01,002F080E), ref: 002F0DFA

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c99cb7028a5c9e3644bb156f95680825dfa826e00ec90a6deb97749102740bb9
Instruction ID: f88a8984238c2e74c1494278bea6c52ca716e2930622661d98944478263b5994
Opcode Fuzzy Hash: c99cb7028a5c9e3644bb156f95680825dfa826e00ec90a6deb97749102740bb9
Instruction Fuzzy Hash:

Function 003532B1 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00353303
DeleteObject.GDI32(00000000), ref: 00353316
DestroyWindow.USER32 ref: 00353325
GetDesktopWindow.USER32 ref: 00353340
GetWindowRect.USER32(00000000), ref: 00353347
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00353476
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00353484
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003534CB
GetClientRect.USER32(00000000,?), ref: 003534D7
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00353513
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00353535
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00353548
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00353553
GlobalLock.KERNEL32(00000000), ref: 0035355C
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0035356B
GlobalUnlock.KERNEL32(00000000), ref: 00353574
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0035357B
GlobalFree.KERNEL32(00000000), ref: 00353586
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00353598
OleLoadPicture.OLEAUT32(?,00000000,00000000,00370BFC,00000000), ref: 003535AE
GlobalFree.KERNEL32(00000000), ref: 003535BE
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 003535E4
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00353603
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00353625
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00353812

Strings

static, xrefs: 0035350D, 00353664
AutoIt v3, xrefs: 003534C5
DISPLAY, xrefs: 00353675
, xrefs: 00353798

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: e1408e99d9c63b924cccc27c306c68bece5ad97d058b93c31124a0efcf6d980b
Instruction ID: 1990985e1cf42fcb4cce6bc2d05381b2da23e08612de2f6cd27cf41cc23bbafc
Opcode Fuzzy Hash: e1408e99d9c63b924cccc27c306c68bece5ad97d058b93c31124a0efcf6d980b
Instruction Fuzzy Hash: AE029E75A00205AFDB16DF64CC89EAE7BB9EF49311F148158F915AB2A0CB74EE05CF60

Function 003676BC Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00367716
GetSysColorBrush.USER32(0000000F), ref: 00367747
GetSysColor.USER32(0000000F), ref: 00367753
SetBkColor.GDI32(?,000000FF), ref: 0036776D
SelectObject.GDI32(?,?), ref: 0036777C
InflateRect.USER32(?,000000FF,000000FF), ref: 003677A7
GetSysColor.USER32(00000010), ref: 003677AF
CreateSolidBrush.GDI32(00000000), ref: 003677B6
FrameRect.USER32(?,?,00000000), ref: 003677C5
DeleteObject.GDI32(00000000), ref: 003677CC
InflateRect.USER32(?,000000FE,000000FE), ref: 00367817
FillRect.USER32(?,?,?), ref: 00367849
GetWindowLongW.USER32(?,000000F0), ref: 0036786B

Part of subcall function 003679CF: GetSysColor.USER32(00000012), ref: 00367A08
Part of subcall function 003679CF: SetTextColor.GDI32(?,003676DC), ref: 00367A0C
Part of subcall function 003679CF: GetSysColorBrush.USER32(0000000F), ref: 00367A22
Part of subcall function 003679CF: GetSysColor.USER32(0000000F), ref: 00367A2D
Part of subcall function 003679CF: GetSysColor.USER32(00000011), ref: 00367A4A
Part of subcall function 003679CF: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00367A58
Part of subcall function 003679CF: SelectObject.GDI32(?,00000000), ref: 00367A69
Part of subcall function 003679CF: SetBkColor.GDI32(?,?), ref: 00367A72
Part of subcall function 003679CF: SelectObject.GDI32(?,?), ref: 00367A7F
Part of subcall function 003679CF: InflateRect.USER32(?,000000FF,000000FF), ref: 00367A9E
Part of subcall function 003679CF: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00367AB5
Part of subcall function 003679CF: GetWindowLongW.USER32(?,000000F0), ref: 00367AC2

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 5f675e9988ed659b22aa8c7df257cba2e032344f5c37e1ae655ca23abd498e21
Instruction ID: 554fa4136eee54ee185bcbd81e4d7de5dce86e564c95aa06ebc632c33f504332
Opcode Fuzzy Hash: 5f675e9988ed659b22aa8c7df257cba2e032344f5c37e1ae655ca23abd498e21
Instruction Fuzzy Hash: BBA1A171508301AFDB029F64DC48E6BBBADFF49324F508A19FAA2961E0D7B1D944CB51

Function 002D6799 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 002D6828
SendMessageW.USER32(?,00001308,?,00000000), ref: 00315013
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0031504C
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00315491

Part of subcall function 002D670F: InvalidateRect.USER32(?,00000000,00000001,?,?,?,002D16CD,?,00000000,?,?,?,?,002D169F,00000000,?), ref: 002D6772

SendMessageW.USER32(?,00001053), ref: 003154CD
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 003154E4
ImageList_Destroy.COMCTL32(00000000,?), ref: 003154FA
ImageList_Destroy.COMCTL32(00000000,?), ref: 00315505

Strings

0, xrefs: 0031531D

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 19df986be3c3aabc41709c6fff42914b5256c26625c4e0c579cfa293c26546d6
Instruction ID: e8d8d9a2def2e8b28a2bdabf3affba0cc93f321638542c311710d880763459fe
Opcode Fuzzy Hash: 19df986be3c3aabc41709c6fff42914b5256c26625c4e0c579cfa293c26546d6
Instruction Fuzzy Hash: B812C230614601EFCB2ACF14C848BA6BBE5FB8D310F158469F456CB661C771EC96DB91

Function 00352F4D Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 288windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00352F80
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0035304B
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00353089
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00353099
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 003530DF
GetClientRect.USER32(00000000,?), ref: 003530EB
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00353132
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00353141
GetStockObject.GDI32(00000011), ref: 00353151
SelectObject.GDI32(00000000,00000000), ref: 00353155
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00353165
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0035316E
DeleteDC.GDI32(00000000), ref: 00353177
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 003531A3
SendMessageW.USER32(00000030,00000000,00000001), ref: 003531BA
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 003531F5
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00353209
SendMessageW.USER32(00000404,00000001,00000000), ref: 0035321A
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0035324A
GetStockObject.GDI32(00000011), ref: 00353255
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00353260
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 0035326A

Strings

static, xrefs: 0035312C, 00353244
AutoIt v3, xrefs: 003530D7
msctls_progress32, xrefs: 003531EB
DISPLAY, xrefs: 00353137

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 6a0983591f2c9ffa3279585eb851cc4b4893dddc8ad7245d088316abb8d995ab
Instruction ID: c4ae077767441acccf06979e97c358b46a3dfb5a16134d62a79ee498d5772650
Opcode Fuzzy Hash: 6a0983591f2c9ffa3279585eb851cc4b4893dddc8ad7245d088316abb8d995ab
Instruction Fuzzy Hash: 7FA16E71A10215AFEB15DF64DC4AFAF7BBDEB49710F108115FA15AB2E0D6B4AD00CB60

Function 003453F6 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00345404
GetDriveTypeW.KERNEL32(?,0036DB10,?,\\.\,0036DBF4), ref: 003454E1
SetErrorMode.KERNEL32(00000000,0036DB10,?,\\.\,0036DBF4), ref: 0034564D

Strings

1394, xrefs: 003455B6
ATA, xrefs: 003455AF
MMC, xrefs: 003455F5
SAS, xrefs: 003455E0
Fibre, xrefs: 003455C4
\\.\, xrefs: 00345456
ATAPI, xrefs: 003455A8
Unknown, xrefs: 00345504, 0034559A
iSCSI, xrefs: 003455D9
Fixed, xrefs: 00345520
SCSI, xrefs: 003455A1
SATA, xrefs: 003455E7
USB, xrefs: 003455CB
SSA, xrefs: 003455BD
FileBackedVirtual, xrefs: 00345603
Removable, xrefs: 00345527, 0034552C
PhysicalDrive, xrefs: 0034548D
CDROM, xrefs: 00345512
Network, xrefs: 00345519
RAID, xrefs: 003455D2
Virtual, xrefs: 003455FC
SSD, xrefs: 00345561
RAMDisk, xrefs: 0034550B

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 38377c4b7943a2424d38f300d460bcc980c0f2df706fed50e039e89b2648bf21
Instruction ID: b45baf7349ef46362cfa6afea9b7998efc57f325a583900260dadaf929a1b435
Opcode Fuzzy Hash: 38377c4b7943a2424d38f300d460bcc980c0f2df706fed50e039e89b2648bf21
Instruction Fuzzy Hash: C961DE31E68905ABCB07EB24C9818BCB7E5AF15701B669056F40AAF293C735FE41CF45

Function 00366B02 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 460windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00366BAF
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00366C68
SendMessageW.USER32(?,00001102,00000002,?), ref: 00366C84
GetMenuItemInfoW.USER32(?,00000030,00000000,?), ref: 00366CD5
SetMenuItemInfoW.USER32(?,00000030,00000000,00000030), ref: 00366D30
GetMenuItemInfoW.USER32(00000200,00000030,00000000,00000030), ref: 00366D53
SetMenuDefaultItem.USER32(00000200,?,00000000), ref: 00366D6F
DrawMenuBar.USER32(?), ref: 00366D7B
SendMessageW.USER32(00000466,00000466,00000000,00000000), ref: 00366DFD
SendMessageW.USER32(000000F1,000000F1,?,00000000), ref: 00366F4B
SendMessageW.USER32(?,00000401,?,00000000), ref: 00366F6F
GetFocus.USER32 ref: 00366F75
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,?), ref: 00367030
SendMessageW.USER32(?,00000469,?,00000000), ref: 00367043
EnableWindow.USER32(00000000,00000000), ref: 0036707A
EnableWindow.USER32(00000001,00000001), ref: 00367096
ShowWindow.USER32(00000010,00000000), ref: 0036710C
ShowWindow.USER32(?,00000004), ref: 00367122
EnableWindow.USER32(?,00000001), ref: 0036713B

Strings

0, xrefs: 00366CBC

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Window$MessageSend$Menu$Item$EnableInfo$Show$DefaultDrawFocusMove
String ID: 0
API String ID: 1429628313-4108050209
Opcode ID: c7ecf2df33b0bf8dc776960ace02e15846fe983823af1042cbbf647e372c7f87
Instruction ID: 6d9ab56a74ce82415e24d4e5f8f0eb85f61d06854eccd75de89cfc62bf0da6df
Opcode Fuzzy Hash: c7ecf2df33b0bf8dc776960ace02e15846fe983823af1042cbbf647e372c7f87
Instruction Fuzzy Hash: F9020170608301AFD716CF24C849BAABBE9FF89348F04C61DF495862A9C774D954CBA2

Function 003679CF Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00367A08
SetTextColor.GDI32(?,003676DC), ref: 00367A0C
GetSysColorBrush.USER32(0000000F), ref: 00367A22
GetSysColor.USER32(0000000F), ref: 00367A2D
CreateSolidBrush.GDI32(?), ref: 00367A32
GetSysColor.USER32(00000011), ref: 00367A4A
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00367A58
SelectObject.GDI32(?,00000000), ref: 00367A69
SetBkColor.GDI32(?,?), ref: 00367A72
SelectObject.GDI32(?,?), ref: 00367A7F
InflateRect.USER32(?,000000FF,000000FF), ref: 00367A9E
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00367AB5
GetWindowLongW.USER32(?,000000F0), ref: 00367AC2
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00367B11
GetWindowTextW.USER32(?,00000000,00000001), ref: 00367B3B
InflateRect.USER32(?,000000FD,000000FD), ref: 00367B59
DrawFocusRect.USER32(?,?), ref: 00367B64
GetSysColor.USER32(00000011), ref: 00367B75
SetTextColor.GDI32(?,00000000), ref: 00367B7D
DrawTextW.USER32(?,003676DC,000000FF,?,00000000), ref: 00367B8F
SelectObject.GDI32(?,?), ref: 00367BA6
DeleteObject.GDI32(?), ref: 00367BB1
SelectObject.GDI32(?,?), ref: 00367BB7
DeleteObject.GDI32(?), ref: 00367BBC
SetTextColor.GDI32(?,?), ref: 00367BC2
SetBkColor.GDI32(?,?), ref: 00367BCC

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 1738e96cca103fd32fd48ab0d628d94ba1b7829872956f605c28d78b04069543
Instruction ID: c7f2e44f9d505fef0f4fe699e7ba8c1829a32f22be1d926cc388a38048638d88
Opcode Fuzzy Hash: 1738e96cca103fd32fd48ab0d628d94ba1b7829872956f605c28d78b04069543
Instruction Fuzzy Hash: 85614071D04218AFDF029FA4DC49EAEBF79EB09324F118115F915AB2A1D7B19940CB90

Function 002D243E Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002D2515
GetSystemMetrics.USER32(00000007), ref: 002D251D
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002D2548
GetSystemMetrics.USER32(00000008), ref: 002D2550
GetSystemMetrics.USER32(00000004), ref: 002D2575
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 002D2592
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 002D25A2
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 002D25D5
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 002D25E9
GetClientRect.USER32(00000000,000000FF), ref: 002D2607
GetStockObject.GDI32(00000011), ref: 002D2623
SendMessageW.USER32(00000000,00000030,00000000), ref: 002D262E

Part of subcall function 002D1976: GetCursorPos.USER32(?), ref: 002D198A
Part of subcall function 002D1976: ScreenToClient.USER32(00000000,?), ref: 002D19A7
Part of subcall function 002D1976: GetAsyncKeyState.USER32(00000001), ref: 002D19CC
Part of subcall function 002D1976: GetAsyncKeyState.USER32(00000002), ref: 002D19E6

SetTimer.USER32(00000000,00000000,00000028,002D1945), ref: 002D2655

Strings

AutoIt v3 GUI, xrefs: 002D25CD
,):, xrefs: 003135A4
,):, xrefs: 002D2479

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: ,):$,):$AutoIt v3 GUI
API String ID: 1458621304-310900233
Opcode ID: 44fe4be6aee9e8b7d13cda0e1ed36a1bbf099722b3b8a691f68417544c6c6a37
Instruction ID: 2ce067e0da298388a2ca8aebb12f328117d1703b474a9916a17c17ae6f4bf5c8
Opcode Fuzzy Hash: 44fe4be6aee9e8b7d13cda0e1ed36a1bbf099722b3b8a691f68417544c6c6a37
Instruction Fuzzy Hash: 85B18E31A1020ADFDB1ADFA8CC45BAE7BB9FB49714F11422AFA05A7290CB74D950CF50

Function 00361709 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 275windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0036182B
GetDesktopWindow.USER32 ref: 00361840
GetWindowRect.USER32(00000000), ref: 00361847
GetWindowLongW.USER32(?,000000F0), ref: 0036189C
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 003618D5
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003618F3
DestroyWindow.USER32(?), ref: 00361911
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00361933
SendMessageW.USER32(?,00000421,?,?), ref: 00361948
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 0036195B
IsWindowVisible.USER32(?), ref: 0036197B
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00361996
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 003619AA
GetWindowRect.USER32(?,?), ref: 003619C2
MonitorFromPoint.USER32(?,?,00000002), ref: 003619E8
GetMonitorInfoW.USER32(00000000,?), ref: 00361A02
CopyRect.USER32(?,?), ref: 00361A19
SendMessageW.USER32(?,00000412,00000000), ref: 00361A84

Strings

0, xrefs: 003617D6
tooltips_class32, xrefs: 003618CE
(, xrefs: 003619F5

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: e4fd893e711320a075e5b213e72ba7cb9444e323ed0f5f1bd2cdae593a02d66c
Instruction ID: 2e213e20ace2c165ac9fcc4d8ac95f581b97e7f82acfadd1b7d6984f68f4851e
Opcode Fuzzy Hash: e4fd893e711320a075e5b213e72ba7cb9444e323ed0f5f1bd2cdae593a02d66c
Instruction Fuzzy Hash: 56B18A71618341AFD705DF64C984B6ABBE8FF88310F04891DF989AB2A5C770EC14CB92

Function 00360957 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003609FB
_wcslen.LIBCMT ref: 00360A35
_wcslen.LIBCMT ref: 00360A9F
_wcslen.LIBCMT ref: 00360B07
_wcslen.LIBCMT ref: 00360B8B
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00360BDB
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00360C1A

Part of subcall function 002EFE52: _wcslen.LIBCMT ref: 002EFE5D

Part of subcall function 00332A3F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00332A58
Part of subcall function 00332A3F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00332A8A

Strings

SELECTALL, xrefs: 00360C2B
SELECT, xrefs: 00360C5E
GETSELECTEDCOUNT, xrefs: 00360B86, 00360BA1
GETTEXT, xrefs: 00360B02, 00360B1D
GETSELECTED, xrefs: 00360CF7
ISSELECTED, xrefs: 00360BF3
GETITEMCOUNT, xrefs: 00360A2C, 00360A4D
GETSUBITEMCOUNT, xrefs: 00360A9A, 00360AB5
DESELECT, xrefs: 00360CB2
VIEWCHANGE, xrefs: 00360D8B
SELECTINVERT, xrefs: 00360C94
SELECTCLEAR, xrefs: 00360C43
FINDITEM, xrefs: 00360D3D

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: d69fb9ffab8b619476e0d0bcd150cd3c1eec28b9017d5072e2d2bd77728ff29a
Instruction ID: 313be325df3e82b7e86bba7908a8274b8879878caf90ee79f71eedbc0ba50317
Opcode Fuzzy Hash: d69fb9ffab8b619476e0d0bcd150cd3c1eec28b9017d5072e2d2bd77728ff29a
Instruction Fuzzy Hash: F3E1CF712143418FCB1ADF24C59283BB3E6BF88314B158A6DF8969B3A5DB30ED05CB91

Function 00331605 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00331973: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0033198E
Part of subcall function 00331973: GetLastError.KERNEL32(?,00000000,00000000,?,?,00331415,?,?,?), ref: 0033199A
Part of subcall function 00331973: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00331415,?,?,?), ref: 003319A9
Part of subcall function 00331973: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00331415,?,?,?), ref: 003319B0
Part of subcall function 00331973: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 003319C7

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0033166F
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 003316A3
GetLengthSid.ADVAPI32(?), ref: 003316BA
GetAce.ADVAPI32(?,00000000,?), ref: 003316F4
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00331710
GetLengthSid.ADVAPI32(?), ref: 00331727
GetProcessHeap.KERNEL32(00000008,00000008), ref: 0033172F
HeapAlloc.KERNEL32(00000000), ref: 00331736
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00331757
CopySid.ADVAPI32(00000000), ref: 0033175E
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0033178D
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 003317AF
SetUserObjectSecurity.USER32(?,00000004,?), ref: 003317C1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003317E8
HeapFree.KERNEL32(00000000), ref: 003317EF
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003317F8
HeapFree.KERNEL32(00000000), ref: 003317FF
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00331808
HeapFree.KERNEL32(00000000), ref: 0033180F
GetProcessHeap.KERNEL32(00000000,?), ref: 0033181B
HeapFree.KERNEL32(00000000), ref: 00331822

Part of subcall function 00331A0D: GetProcessHeap.KERNEL32(00000008,0033142B,?,00000000,?,0033142B,?), ref: 00331A1B
Part of subcall function 00331A0D: HeapAlloc.KERNEL32(00000000,?,00000000,?,0033142B,?), ref: 00331A22
Part of subcall function 00331A0D: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,0033142B,?), ref: 00331A31

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 1c988fa62df4b923d12ee37d96d5e8a8a0f4568177198b804db0158715d1a868
Instruction ID: e77c4b7e8cd49067347801c62b8d09a42d404fb3dcdbc40dd73311645b9f7fc3
Opcode Fuzzy Hash: 1c988fa62df4b923d12ee37d96d5e8a8a0f4568177198b804db0158715d1a868
Instruction Fuzzy Hash: B9715DB2A00209ABDF12DFA5DC89FEEBBBCBF04310F198115F915A7190D7719905CB60

Function 0035CB3A Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0035CC40
RegCreateKeyExW.ADVAPI32(?,?,00000000,0036DBF4,00000000,?,00000000,?,?), ref: 0035CCC7
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0035CD27
_wcslen.LIBCMT ref: 0035CD77
_wcslen.LIBCMT ref: 0035CDF2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0035CE35
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0035CF44
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0035CFD0
RegCloseKey.ADVAPI32(?), ref: 0035D004
RegCloseKey.ADVAPI32(00000000), ref: 0035D011
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0035D0E3

Strings

REG_MULTI_SZ, xrefs: 0035CE78
REG_BINARY, xrefs: 0035D096
REG_QWORD, xrefs: 0035D046
REG_EXPAND_SZ, xrefs: 0035CD50
REG_SZ, xrefs: 0035CDC7
REG_DWORD, xrefs: 0035CF87

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: f5d6bb58c4c977b744938c17dd97b79091d701b3957920007d31b41cb81c5dea
Instruction ID: acea9b66f29a441f16817d8a88cfb897f6d88cf3a65de7cceef8d22ad6c7b6bc
Opcode Fuzzy Hash: f5d6bb58c4c977b744938c17dd97b79091d701b3957920007d31b41cb81c5dea
Instruction Fuzzy Hash: 981286352142019FCB15EF14C891E2ABBE5FF88714F15849DF88A9B3A2DB31ED46CB81

Function 00361034 Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003610DC
_wcslen.LIBCMT ref: 00361117
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0036116A
_wcslen.LIBCMT ref: 003611A0
_wcslen.LIBCMT ref: 0036121C
_wcslen.LIBCMT ref: 00361297

Part of subcall function 002EFE52: _wcslen.LIBCMT ref: 002EFE5D

Part of subcall function 003333F3: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00333405

Strings

ISCHECKED, xrefs: 003613F7
COLLAPSE, xrefs: 00361217, 00361232
SELECT, xrefs: 00361427
EXPAND, xrefs: 0036130E
EXISTS, xrefs: 00361292, 003612AD
GETTOTALCOUNT, xrefs: 00361108, 0036112D
CHECK, xrefs: 0036119B, 003611B6
GETTEXT, xrefs: 003613AD
GETSELECTED, xrefs: 00361364
UNCHECK, xrefs: 00361454
GETITEMCOUNT, xrefs: 00361334

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 17b2d89a7908b3b3cc3606d7f84e5d845746f44ea328b3677d33a6eaffb9355a
Instruction ID: 4638e685c19d19e65722ddb1cad317e0fc635e2b75b7495907878fda36b213e1
Opcode Fuzzy Hash: 17b2d89a7908b3b3cc3606d7f84e5d845746f44ea328b3677d33a6eaffb9355a
Instruction Fuzzy Hash: E2E1ED352083818FCB16EF25C49086AB7F2BF85354F19895DF8969B7A6CB30ED45CB81

Function 0035D11B Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 240COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0035BE2E,?,?), ref: 0035D138
_wcslen.LIBCMT ref: 0035D174
_wcslen.LIBCMT ref: 0035D1E2
_wcslen.LIBCMT ref: 0035D218
_wcslen.LIBCMT ref: 0035D273
_wcslen.LIBCMT ref: 0035D2A9
_wcslen.LIBCMT ref: 0035D2F9

Strings

HKEY_CLASSES_ROOT, xrefs: 0035D26D, 0035D272
HKEY_CURRENT_CONFIG, xrefs: 0035D2F3, 0035D2F8
HKLM, xrefs: 0035D212, 0035D217
HKEY_USERS, xrefs: 0035D359
HKEY_LOCAL_MACHINE, xrefs: 0035D1DC, 0035D1E1
HKCR, xrefs: 0035D2A3, 0035D2A8
HKCU, xrefs: 0035D348
HKEY_CURRENT_USER, xrefs: 0035D337
HKCC, xrefs: 0035D326
HKU, xrefs: 0035D36A

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: ff978d25f03213739fc157530cb1473c9f10394e5597df3caad04839598b9d5c
Instruction ID: b6d935d9375a52dc75424841461a8cb69331f5cdb2438769f2db086f29c72f87
Opcode Fuzzy Hash: ff978d25f03213739fc157530cb1473c9f10394e5597df3caad04839598b9d5c
Instruction Fuzzy Hash: BA7126326101168BCB329F78CD10DBF33A5AFA5752F260929FC569B2A4EB31CD49C791

Function 00368944 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00368962
_wcslen.LIBCMT ref: 00368976
_wcslen.LIBCMT ref: 00368999
_wcslen.LIBCMT ref: 003689BC
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 003689FA
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,003662CE), ref: 00368A56
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00368A8F
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00368AD2
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00368B09
FreeLibrary.KERNEL32(?), ref: 00368B15
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00368B25
DestroyIcon.USER32(?,?,?,?,?,003662CE), ref: 00368B34
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00368B51
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00368B5D

Strings

.exe, xrefs: 00368990
.dll, xrefs: 003689B3
.icl, xrefs: 00368970

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 30d6fc7191338584e9faaa56c69eca4f751525ef6b2b22563b24851d31229588
Instruction ID: 71f88e8b943e0f04c86da9ccf36baed12191ee39526cda852eb5acb2118ede21
Opcode Fuzzy Hash: 30d6fc7191338584e9faaa56c69eca4f751525ef6b2b22563b24851d31229588
Instruction Fuzzy Hash: E461A071A10219BAEB169F64CC45FBE77ACFB08B10F108216F915D61D1DBB4A990CBA0

Function 00344790 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0034480F
_wcslen.LIBCMT ref: 0034481A
_wcslen.LIBCMT ref: 00344871
_wcslen.LIBCMT ref: 003448AF
GetDriveTypeW.KERNEL32(?), ref: 003448ED
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00344935
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00344970
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0034499E

Strings

set cd door , xrefs: 0034493F
type cdaudio alias cd wait, xrefs: 00344918
open, xrefs: 0034486B, 00344870
close cd wait, xrefs: 00344989
open , xrefs: 003448FC
wait, xrefs: 0034495B
closed, xrefs: 0034481F, 00344844, 0034485D, 00344895, 003448AE
close, xrefs: 00344815, 0034482F

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 7365841dee428a37851f9ae7410c4d033e6a1e7fedbfa30fcaa2e95b03750d40
Instruction ID: 58b85c2cb33a28a3827fe3575df243bf5f0f0bcbb554beacb3c07c3f15a34286
Opcode Fuzzy Hash: 7365841dee428a37851f9ae7410c4d033e6a1e7fedbfa30fcaa2e95b03750d40
Instruction Fuzzy Hash: 1A7114326182019FC711EF24C890A6BB7E8FF94754F10492EF8969B391EB31ED45CB91

Function 00336237 Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0033624A
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0033625C
SetWindowTextW.USER32(?,?), ref: 00336273
GetDlgItem.USER32(?,000003EA), ref: 00336288
SetWindowTextW.USER32(00000000,?), ref: 0033628E
GetDlgItem.USER32(?,000003E9), ref: 0033629E
SetWindowTextW.USER32(00000000,?), ref: 003362A4
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 003362C5
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 003362DF
GetWindowRect.USER32(?,?), ref: 003362E8
_wcslen.LIBCMT ref: 0033634F
SetWindowTextW.USER32(?,?), ref: 0033638B
GetDesktopWindow.USER32 ref: 00336391
GetWindowRect.USER32(00000000), ref: 00336398
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 003363EF
GetClientRect.USER32(?,?), ref: 003363FC
PostMessageW.USER32(?,00000005,00000000,?), ref: 00336421
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0033644B

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 2a695bd8750bd7c9c77860c19a67831fd597ead36742f24442b20b1d3b406395
Instruction ID: ccadb212e619035d34f04c3b1de361c8e912b019f5d3a3fc5260acbc7e70c3b8
Opcode Fuzzy Hash: 2a695bd8750bd7c9c77860c19a67831fd597ead36742f24442b20b1d3b406395
Instruction Fuzzy Hash: 3371A231A00705AFDB22DFA8CD86BAEBBF9FF48714F118918E546E25A0D774E944CB10

Function 00350654 Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0035066D
LoadCursorW.USER32(00000000,00007F8A), ref: 00350678
LoadCursorW.USER32(00000000,00007F00), ref: 00350683
LoadCursorW.USER32(00000000,00007F03), ref: 0035068E
LoadCursorW.USER32(00000000,00007F8B), ref: 00350699
LoadCursorW.USER32(00000000,00007F01), ref: 003506A4
LoadCursorW.USER32(00000000,00007F81), ref: 003506AF
LoadCursorW.USER32(00000000,00007F88), ref: 003506BA
LoadCursorW.USER32(00000000,00007F80), ref: 003506C5
LoadCursorW.USER32(00000000,00007F86), ref: 003506D0
LoadCursorW.USER32(00000000,00007F83), ref: 003506DB
LoadCursorW.USER32(00000000,00007F85), ref: 003506E6
LoadCursorW.USER32(00000000,00007F82), ref: 003506F1
LoadCursorW.USER32(00000000,00007F84), ref: 003506FC
LoadCursorW.USER32(00000000,00007F04), ref: 00350707
LoadCursorW.USER32(00000000,00007F02), ref: 00350712
GetCursorInfo.USER32(?), ref: 00350722
GetLastError.KERNEL32 ref: 00350764

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 7b572aa036ab6c307296d941d13c5e76d97adaf2f3e7a991bf7cc70f57a5df8b
Instruction ID: 86f83d45f1515a410c0125f076c43ff4ac088b6dd7bfe2a8950221c35b9475b3
Opcode Fuzzy Hash: 7b572aa036ab6c307296d941d13c5e76d97adaf2f3e7a991bf7cc70f57a5df8b
Instruction Fuzzy Hash: 6A4163B0D043196ADB109FBA8C89C5EBFE8FF08354B54452AE51CE7291DA79E9018F91

Function 00333901 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00333997
_wcslen.LIBCMT ref: 00333A02

Strings

CLASS, xrefs: 00333992, 003339AF
INSTANCE, xrefs: 00333C5D
REGEXPCLASS, xrefs: 00333A5F, 00333A70
k9, xrefs: 00333BA4
TEXT, xrefs: 00333C86
CLASSNN, xrefs: 003339FD, 00333A0E
NAME, xrefs: 00333B3F, 00333B50

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$k9
API String ID: 176396367-1618864517
Opcode ID: f5582fed8ea27f7dae66880259535c8cb3219c40d79c938c7d5fbfe9f1b01e56
Instruction ID: 40ffaa11c872024551b26a333abef8ef652e6718dd0f29ae64e4f67b5a991199
Opcode Fuzzy Hash: f5582fed8ea27f7dae66880259535c8cb3219c40d79c938c7d5fbfe9f1b01e56
Instruction Fuzzy Hash: 4EE1D332A005169BCF169FB8C491BFDFBB4BF04750F15C22AE456E7250EB70AE948B90

Function 002F04E6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 002F04E6

Part of subcall function 002F050D: InitializeCriticalSectionAndSpinCount.KERNEL32(003A16FC,00000FA0,3CE005FB,?,?,?,?,003127D3,000000FF), ref: 002F053C
Part of subcall function 002F050D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,003127D3,000000FF), ref: 002F0547
Part of subcall function 002F050D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,003127D3,000000FF), ref: 002F0558
Part of subcall function 002F050D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 002F056E
Part of subcall function 002F050D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 002F057C
Part of subcall function 002F050D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 002F058A
Part of subcall function 002F050D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 002F05B5
Part of subcall function 002F050D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 002F05C0

___scrt_fastfail.LIBCMT ref: 002F0507

Part of subcall function 002F04C3: __onexit.LIBCMT ref: 002F04C9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 002F0542
InitializeConditionVariable, xrefs: 002F0568
WakeAllConditionVariable, xrefs: 002F0582
SleepConditionVariableCS, xrefs: 002F0574
kernel32.dll, xrefs: 002F0553

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: f0dd999f081f58e652a3284a2c18f7bd73c8796e54de2d00fafc4d80f0cf562a
Instruction ID: 525e95d06c1537b91449e6c3055b0b4a024fa1d2aebb7ca4a47221979c5b276a
Opcode Fuzzy Hash: f0dd999f081f58e652a3284a2c18f7bd73c8796e54de2d00fafc4d80f0cf562a
Instruction Fuzzy Hash: 94210A32A5171AABD7261BA49C85B7AB698EB05B91F044135FA01D6292DBF488408EA0

Function 00344DD7 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0036DBF4), ref: 00344E3E
_wcslen.LIBCMT ref: 00344E52
_wcslen.LIBCMT ref: 00344EB0
_wcslen.LIBCMT ref: 00344F0B
_wcslen.LIBCMT ref: 00344F56
_wcslen.LIBCMT ref: 00344FBE

Part of subcall function 002EFE52: _wcslen.LIBCMT ref: 002EFE5D

GetDriveTypeW.KERNEL32(?,00397BD0,00000061), ref: 0034505A

Strings

cdrom, xrefs: 00344EA6, 00344EAB
fixed, xrefs: 00344F4C, 00344F51
removable, xrefs: 00344F01, 00344F06
network, xrefs: 00344FB4, 00344FB9
all, xrefs: 00344E48, 00344E4D
ramdisk, xrefs: 00345008
unknown, xrefs: 0034501F

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 1dadd0e44d0325568451acee26d1a1e5e0041868beb309aaa8fe385c85b040bf
Instruction ID: b0d9eec29f68a06db4a276203ff014f86bb8bcb77486eb204e81cfdefe46ec60
Opcode Fuzzy Hash: 1dadd0e44d0325568451acee26d1a1e5e0041868beb309aaa8fe385c85b040bf
Instruction Fuzzy Hash: 3AB1E335A183029FC711DF28C890A7EB7E5BFA4764F51492DF5968B292D730EC44CBA2

Function 0035B779 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0035B918
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0035B930
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0035B954
_wcslen.LIBCMT ref: 0035B980
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0035B994
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0035B9B6
_wcslen.LIBCMT ref: 0035BAB2

Part of subcall function 00340E01: GetStdHandle.KERNEL32(000000F6), ref: 00340E20

_wcslen.LIBCMT ref: 0035BACB
_wcslen.LIBCMT ref: 0035BAE6
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0035BB36
GetLastError.KERNEL32(00000000), ref: 0035BB87
CloseHandle.KERNEL32(?), ref: 0035BBB9
CloseHandle.KERNEL32(00000000), ref: 0035BBCA
CloseHandle.KERNEL32(00000000), ref: 0035BBDC
CloseHandle.KERNEL32(00000000), ref: 0035BBEE
CloseHandle.KERNEL32(?), ref: 0035BC63

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: c43f9178f00bbe3009b9d3c03116ce73ac6e68eada841d17e9abefe567031445
Instruction ID: eb4f7c9c2ec4f1685d8322e6dba2d434826052255b2886294a2c74bee34acb01
Opcode Fuzzy Hash: c43f9178f00bbe3009b9d3c03116ce73ac6e68eada841d17e9abefe567031445
Instruction Fuzzy Hash: 7DF19D316142409FC716EF24C891F6AFBE5AF85311F25855DF8898B2A2DB71EC44CF52

Function 003547BC Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0036DBF4), ref: 0035488E
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 003548A0
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0036DBF4), ref: 003548C5
FreeLibrary.KERNEL32(00000000,?,0036DBF4), ref: 00354911
StringFromGUID2.OLE32(?,?,00000028,?,0036DBF4), ref: 0035497B
SysFreeString.OLEAUT32(00000009), ref: 00354A35
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00354A9B
SysFreeString.OLEAUT32(?), ref: 00354AC5

Strings

kernel32.dll, xrefs: 00354889
GetModuleHandleExW, xrefs: 0035489A

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: a51e0e060d71855163ba09ece93f13b8d67cc94b96db673c8bf86a3f27c8efaa
Instruction ID: 5e8c08e5f753751f7350fb252106ced61dadb57ef7ccb323fd27b80c8e0c38ee
Opcode Fuzzy Hash: a51e0e060d71855163ba09ece93f13b8d67cc94b96db673c8bf86a3f27c8efaa
Instruction Fuzzy Hash: 41124F71A00105EFDB19CF94C884EAEB7B9FF85319F158098E9059B261D771ED86CFA0

Function 003672C0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 003673D2

Part of subcall function 002DB0DB: _wcslen.LIBCMT ref: 002DB0EE

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00367446
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00367468
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0036747B
DestroyWindow.USER32(?), ref: 0036749C
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,002D0000,00000000), ref: 003674CB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003674E4
GetDesktopWindow.USER32 ref: 003674FD
GetWindowRect.USER32(00000000), ref: 00367504
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0036751C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00367534

Part of subcall function 002D2184: GetWindowLongW.USER32(?,000000EB), ref: 002D2192

Strings

tooltips_class32, xrefs: 0036743F, 003674C4
0, xrefs: 0036737F

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 6b262ba76bfd2023d099d8d4e532b969865a2e2d8e6aefd5e033c40c4319bdf3
Instruction ID: eab100a1285b50404f1a901b72d5f1f3ece99ce3089287841e83fb2e9aeddb9f
Opcode Fuzzy Hash: 6b262ba76bfd2023d099d8d4e532b969865a2e2d8e6aefd5e033c40c4319bdf3
Instruction Fuzzy Hash: 24719C70508244AFD722DF18CC44F6BBBE9FB8A718F94855DF98687261DB70E902CB51

Function 00369726 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 002D23E1: GetWindowLongW.USER32(00000000,000000EB), ref: 002D23F2

DragQueryPoint.SHELL32(?,?), ref: 0036974F

Part of subcall function 00367C5B: ClientToScreen.USER32(?,?), ref: 00367C81
Part of subcall function 00367C5B: GetWindowRect.USER32(?,?), ref: 00367CF7
Part of subcall function 00367C5B: PtInRect.USER32(?,?,?), ref: 00367D07

SendMessageW.USER32(?,000000B0,?,?), ref: 003697B8
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 003697C3
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 003697E6
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0036982D
SendMessageW.USER32(?,000000B0,?,?), ref: 00369846
SendMessageW.USER32(?,000000B1,?,?), ref: 0036985D
SendMessageW.USER32(?,000000B1,?,?), ref: 0036987F
DragFinish.SHELL32(?), ref: 00369886
DefDlgProcW.USER32(?,00000233,?,00000000), ref: 00369979

Strings

@GUI_DRAGID, xrefs: 003698F1
@GUI_DROPID, xrefs: 003698A6
@GUI_DRAGFILE, xrefs: 00369928

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 1f1fca8357abbfaa7cf5800086585a799ac17ab5585da556bfd65a2fb8986812
Instruction ID: 36f299c2201f1bbe81274138edc8f2bd739e1ecf4f1669fc04a729153d9a510f
Opcode Fuzzy Hash: 1f1fca8357abbfaa7cf5800086585a799ac17ab5585da556bfd65a2fb8986812
Instruction Fuzzy Hash: C4618B71508301AFC702EF64DC85E9FBBECEF89750F00491EF596922A1DB709A59CB62

Function 002D16B2 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 002D670F: InvalidateRect.USER32(?,00000000,00000001,?,?,?,002D16CD,?,00000000,?,?,?,?,002D169F,00000000,?), ref: 002D6772

DestroyWindow.USER32(?), ref: 002D1766
KillTimer.USER32(00000000,?,?,?,?,002D169F,00000000,?), ref: 002D1800
DestroyAcceleratorTable.USER32(00000000), ref: 00312BFF
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,002D169F,00000000,?), ref: 00312C2D
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,002D169F,00000000,?), ref: 00312C44
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,002D169F,00000000), ref: 00312C60
DeleteObject.GDI32(00000000), ref: 00312C72

Strings

,):, xrefs: 002D1825

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID: ,):
API String ID: 641708696-1281106127
Opcode ID: 0e5fc73625afd951205e8219197e55dde8c36b191ede9b7a44fdafc35f0992b4
Instruction ID: 93e7e0ec4f592fb8f4482c397dbfbf03abee8d4743ddd7c48e09a713b3dd46f2
Opcode Fuzzy Hash: 0e5fc73625afd951205e8219197e55dde8c36b191ede9b7a44fdafc35f0992b4
Instruction Fuzzy Hash: E5617F30521601EFEB2B9F18D948B2BB7B5FB45716F15411EE5829AA70C7B4ACB0DF80

Function 0034CCA9 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0034CCE3
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0034CCF6
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0034CD0A
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0034CD23
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0034CD66
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0034CD7C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0034CD87
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0034CDB7
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0034CE0F
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0034CE23
InternetCloseHandle.WININET(00000000), ref: 0034CE2E

Strings

, xrefs: 0034CDA8

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 3c2df19145854aba071dd0a48221998e8287e318c4dd0c86fe544a0adbdc2abc
Instruction ID: c58af8f6e9f38d421b571d928b833fd353507f1e0e68e9c2b3c62e6725b1ba5c
Opcode Fuzzy Hash: 3c2df19145854aba071dd0a48221998e8287e318c4dd0c86fe544a0adbdc2abc
Instruction Fuzzy Hash: E8519FB1A01608BFDB629F61C888AAB7BFCFF09744F009429F9458A210D774ED44DBA0

Function 00368B77 Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00366313,?,?), ref: 00368B9A
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00366313,?,?,00000000,?), ref: 00368BAA
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00366313,?,?,00000000,?), ref: 00368BB5
CloseHandle.KERNEL32(00000000,?,?,?,?,00366313,?,?,00000000,?), ref: 00368BC2
GlobalLock.KERNEL32(00000000), ref: 00368BD0
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00366313,?,?,00000000,?), ref: 00368BDF
GlobalUnlock.KERNEL32(00000000), ref: 00368BE8
CloseHandle.KERNEL32(00000000,?,?,?,?,00366313,?,?,00000000,?), ref: 00368BEF
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00366313,?,?,00000000,?), ref: 00368C00
OleLoadPicture.OLEAUT32(?,00000000,00000000,00370BFC,?), ref: 00368C19
GlobalFree.KERNEL32(00000000), ref: 00368C29
GetObjectW.GDI32(00000000,00000018,?), ref: 00368C49
CopyImage.USER32(00000000,00000000,00000000,?,00002000), ref: 00368C79
DeleteObject.GDI32(00000000), ref: 00368CA1
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00368CB7

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 0daed7ccceb734390110747be6d21ca1602902740d26cebcb728326df1fbfe76
Instruction ID: 616a1eb3bccf8b3b1d466e778de66a6cc1f1e32daf3983315c2ae957da8bc83f
Opcode Fuzzy Hash: 0daed7ccceb734390110747be6d21ca1602902740d26cebcb728326df1fbfe76
Instruction Fuzzy Hash: 3B410A75A00208AFDB129F65DC88EAABBBDFF89711F118558F905D7260DBB09D41CB20

Function 00352D98 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00352E14
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00352E24
CreateCompatibleDC.GDI32(?), ref: 00352E30
SelectObject.GDI32(00000000,?), ref: 00352E3D
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00352EA9
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00352EE8
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00352F0C
SelectObject.GDI32(?,?), ref: 00352F14
DeleteObject.GDI32(?), ref: 00352F1D
DeleteDC.GDI32(?), ref: 00352F24
ReleaseDC.USER32(00000000,?), ref: 00352F2F

Strings

(, xrefs: 00352EC9

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 40cf55ec61f8f711f89c67f276327135a4531eda211a876257c9bf35b708f542
Instruction ID: c85ac7b8e3158fd8513f09e22b5a01228fe1b036fda0a6aeb19c0e639f84e525
Opcode Fuzzy Hash: 40cf55ec61f8f711f89c67f276327135a4531eda211a876257c9bf35b708f542
Instruction Fuzzy Hash: 6B61C275E00219AFCB05CFA4D885EAEBBB9FF48310F248519E955A7250D770A941CFA0

Function 00335162 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 259COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 0033519E
GetWindowTextW.USER32(?,?,00000400), ref: 003351E0
_wcslen.LIBCMT ref: 003351F1
CharUpperBuffW.USER32(?,00000000), ref: 003351FD
_wcsstr.LIBVCRUNTIME ref: 00335232
GetClassNameW.USER32(00000018,?,00000400), ref: 0033526A
GetWindowTextW.USER32(?,?,00000400), ref: 003352A3
GetClassNameW.USER32(00000018,?,00000400), ref: 003352FD
GetClassNameW.USER32(?,?,00000400), ref: 0033532F
GetWindowRect.USER32(?,?), ref: 003353A7

Strings

ThumbnailClass, xrefs: 00335275, 00335308

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: c2d6ab5f916558fc940f89c12c3cdd2c74756d5f07087f3ac8a49b892653d69c
Instruction ID: 731d5b025afd43be04667f0957e2770db52a65c5d4fba425ef935fe0c1bf2e08
Opcode Fuzzy Hash: c2d6ab5f916558fc940f89c12c3cdd2c74756d5f07087f3ac8a49b892653d69c
Instruction Fuzzy Hash: 9D91D071204B06AFDB0ADF24C8D4BAAF7A8FF40354F004929FA99C2191EB71ED55CB91

Function 00369316 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D23E1: GetWindowLongW.USER32(00000000,000000EB), ref: 002D23F2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00369362
GetFocus.USER32 ref: 00369372
GetDlgCtrlID.USER32(00000000), ref: 0036937D
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?), ref: 00369425
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 003694D7
GetMenuItemCount.USER32(?), ref: 003694F4
GetMenuItemID.USER32(?,00000000), ref: 00369504
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00369536
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00369578
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 003695A9

Strings

0, xrefs: 003694A7

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 6de987c248f0f9a325dc20a5804779c115044f3ee4ed77841b7aed7f54bb937e
Instruction ID: 3b029f84d6b9df9d17dda50363d1ecef8a1209d5541353f28a46a25f27862bf8
Opcode Fuzzy Hash: 6de987c248f0f9a325dc20a5804779c115044f3ee4ed77841b7aed7f54bb937e
Instruction Fuzzy Hash: C781BD716043019FDB13DF25C884BABBBECFB8A714F11851AFA8697295CB70D905CB62

Function 0033C7A2 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(003A29B0,000000FF,00000000,00000030), ref: 0033C81E
SetMenuItemInfoW.USER32(003A29B0,00000004,00000000,00000030), ref: 0033C853
Sleep.KERNEL32(000001F4), ref: 0033C865
GetMenuItemCount.USER32(?), ref: 0033C8AB
GetMenuItemID.USER32(?,00000000), ref: 0033C8C8
GetMenuItemID.USER32(?,-00000001), ref: 0033C8F4
GetMenuItemID.USER32(?,?), ref: 0033C93B
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0033C981
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0033C996
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0033C9B7

Strings

0, xrefs: 0033C7AF

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 048283ca94b709be9bf099adf7f415dfd3d94eed4f54e9ad4dee79012f1afc7e
Instruction ID: 0b36b0f670653a8b326e06d82b4ffcdab39229127cc8a41d7616c1965fdb4afc
Opcode Fuzzy Hash: 048283ca94b709be9bf099adf7f415dfd3d94eed4f54e9ad4dee79012f1afc7e
Instruction Fuzzy Hash: 11619E71A20249AFDF12CF64C9C8BFEBBA8FB06344F155015E942B7291D774AD05CB60

Function 0033E374 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0033E386
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0033E3AC
_wcslen.LIBCMT ref: 0033E3B6
_wcsstr.LIBVCRUNTIME ref: 0033E406
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0033E422

Strings

%u.%u.%u.%u, xrefs: 0033E500
StringFileInfo\, xrefs: 0033E3F5
\VarFileInfo\Translation, xrefs: 0033E41A
DefaultLangCodepage, xrefs: 0033E485
04090000, xrefs: 0033E458

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 92ec1dd63d57a5a3b0d81e19d13e3a1eb360aee87da63032eeba2a6a6c66945b
Instruction ID: 58e0e12df459f0d95a16df14af13c0663333040239052a6be4918d7bfeffb333
Opcode Fuzzy Hash: 92ec1dd63d57a5a3b0d81e19d13e3a1eb360aee87da63032eeba2a6a6c66945b
Instruction Fuzzy Hash: 23411732A102087AEB02BB618C8BEFFB76CDF55750F104075FA01A61C2FA74D9218AB5

Function 0035D3AE Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0035D3DE
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0035D407
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0035D4C2

Part of subcall function 0035D3AE: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0035D424
Part of subcall function 0035D3AE: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0035D437
Part of subcall function 0035D3AE: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0035D449
Part of subcall function 0035D3AE: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0035D47F
Part of subcall function 0035D3AE: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0035D4A2

RegDeleteKeyW.ADVAPI32(?,?), ref: 0035D46D

Strings

RegDeleteKeyExW, xrefs: 0035D443
advapi32.dll, xrefs: 0035D432

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: f2b6c99930b16c6e74ec46ab8e1cdb7a0ce3848a611168fc53aaac9e515b7aa5
Instruction ID: 8a2d23a0e6a1cd49120aa7c48aab31bc4c2cc3a2044f58a0660f09f1a9b11fc5
Opcode Fuzzy Hash: f2b6c99930b16c6e74ec46ab8e1cdb7a0ce3848a611168fc53aaac9e515b7aa5
Instruction Fuzzy Hash: B531A2B1E01119BBDB329B91DC88EEF7B7CEF51701F004055E802E2160DB749A499AB0

Function 0033EE87 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0033EE8B

Part of subcall function 002EEDA7: timeGetTime.WINMM(?,?,0033EEAB), ref: 002EEDAB

Sleep.KERNEL32(0000000A), ref: 0033EEB8
EnumThreadWindows.USER32(?,Function_0006EE3C,00000000), ref: 0033EEDC
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0033EEFE
SetActiveWindow.USER32 ref: 0033EF1D
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0033EF2B
SendMessageW.USER32(00000010,00000000,00000000), ref: 0033EF4A
Sleep.KERNEL32(000000FA), ref: 0033EF55
IsWindow.USER32 ref: 0033EF61
EndDialog.USER32(00000000), ref: 0033EF72

Strings

BUTTON, xrefs: 0033EEF0

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 3c2ad62f0345fca74a8cbcbd428a8455133b25a65378a107dd066284d54afbb9
Instruction ID: 88ab109df4d33098070a975bba98d62b98c4a267c7b2d02344ce3d8e2726bd47
Opcode Fuzzy Hash: 3c2ad62f0345fca74a8cbcbd428a8455133b25a65378a107dd066284d54afbb9
Instruction Fuzzy Hash: E5218974614285BFEB036F30ECC8A66BB6DFB46789F018014F502922F1CBF19C449A62

Function 0033F1D3 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 002DC110: _wcslen.LIBCMT ref: 002DC11A

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0033F234
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0033F24A
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0033F25B
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0033F26D
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0033F27E

Strings

play PlayMe wait, xrefs: 0033F268
play PlayMe, xrefs: 0033F279
open , xrefs: 0033F1E3
alias PlayMe, xrefs: 0033F20D
close PlayMe, xrefs: 0033F245, 0033F272
status PlayMe mode, xrefs: 0033F22F

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 22d9a1c5c77470302f4f439655aee14b773b6ece8e34ec117063301656ebe723
Instruction ID: ed10e9cc9d9cc51f4475842a0ec71b412ac4df80af56a2e3e11715b128779cc3
Opcode Fuzzy Hash: 22d9a1c5c77470302f4f439655aee14b773b6ece8e34ec117063301656ebe723
Instruction Fuzzy Hash: A911C634EA42297DDB21B761DC8AEFF6A7CEBD1B00F40082AF401E21D1DBA05D15C9B1

Function 003030A0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 003030B4

Part of subcall function 00302DE8: RtlFreeHeap.NTDLL(00000000,00000000,?,0030DBF1,?,00000000,?,00000000,?,0030DC18,?,00000007,?,?,0030E016,?), ref: 00302DFE
Part of subcall function 00302DE8: GetLastError.KERNEL32(?,?,0030DBF1,?,00000000,?,00000000,?,0030DC18,?,00000007,?,?,0030E016,?,?), ref: 00302E10

_free.LIBCMT ref: 003030C0
_free.LIBCMT ref: 003030CB
_free.LIBCMT ref: 003030D6
_free.LIBCMT ref: 003030E1
_free.LIBCMT ref: 003030EC
_free.LIBCMT ref: 003030F7
_free.LIBCMT ref: 00303102
_free.LIBCMT ref: 0030310D
_free.LIBCMT ref: 0030311B

Strings

h%7, xrefs: 003030AB

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: h%7
API String ID: 776569668-3922409058
Opcode ID: 86ac2598b2d9ee2e8ef298eefadefa7fad070f4d0c7d5ae6eb98f1354ac48e40
Instruction ID: 903a5dee66a2a00e1cf0072a1daab40ed0792d562bbe26e799986b0bc4257575
Opcode Fuzzy Hash: 86ac2598b2d9ee2e8ef298eefadefa7fad070f4d0c7d5ae6eb98f1354ac48e40
Instruction Fuzzy Hash: F9116376502108AFCF02FF54CC56DDE7BA9EF05350B5141A5BA189F2B2DA31DE50EB80

Function 0033A7B5 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0033A836
SetKeyboardState.USER32(?), ref: 0033A8A1
GetAsyncKeyState.USER32(000000A0), ref: 0033A8C1
GetKeyState.USER32(000000A0), ref: 0033A8D8
GetAsyncKeyState.USER32(000000A1), ref: 0033A907
GetKeyState.USER32(000000A1), ref: 0033A918
GetAsyncKeyState.USER32(00000011), ref: 0033A944
GetKeyState.USER32(00000011), ref: 0033A952
GetAsyncKeyState.USER32(00000012), ref: 0033A97B
GetKeyState.USER32(00000012), ref: 0033A989
GetAsyncKeyState.USER32(0000005B), ref: 0033A9B2
GetKeyState.USER32(0000005B), ref: 0033A9C0

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 5c002cf0d530a7dfe15382f802fd70d8f8dc4fb805fb7dec87ebafcf8ae07344
Instruction ID: b53634859c225d70276d889be9b6bbb91acafeab071c498b0956bd7b300e2df1
Opcode Fuzzy Hash: 5c002cf0d530a7dfe15382f802fd70d8f8dc4fb805fb7dec87ebafcf8ae07344
Instruction Fuzzy Hash: 02519624A08B8829FB36D7B088957EAFFF49F11340F0A8599D5C25F5C2DB549A4CC763

Function 003364E2 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 003364FE
GetWindowRect.USER32(00000000,?), ref: 00336517
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00336575
GetDlgItem.USER32(?,00000002), ref: 00336585
GetWindowRect.USER32(00000000,?), ref: 00336597
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 003365EB
GetDlgItem.USER32(?,000003E9), ref: 003365F9
GetWindowRect.USER32(00000000,?), ref: 0033660B
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 0033664D
GetDlgItem.USER32(?,000003EA), ref: 00336660
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00336676
InvalidateRect.USER32(?,00000000,00000001), ref: 00336683

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 0708673dc954830e8ee96671a4f7b3200a53c2e3cfacfe83a1d804b7ac6f32cc
Instruction ID: 9f676903368a717acee6802a757c02c06fc32e0472ed41d64278fd005ddcdd6c
Opcode Fuzzy Hash: 0708673dc954830e8ee96671a4f7b3200a53c2e3cfacfe83a1d804b7ac6f32cc
Instruction Fuzzy Hash: 9D510FB1F00205AFDB09CF69DD96AAEBBB9FB48300F518129F515E7294D7709D008B50

Function 002D2078 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 002D2184: GetWindowLongW.USER32(?,000000EB), ref: 002D2192

GetSysColor.USER32(0000000F), ref: 002D20A2

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 58e8675a6e1cfdf50887e567c02fe4f36ba317691a6cb44efd4da0af4e05d4bc
Instruction ID: a9a483933202a608578a33a2043efbfd7c05154fd7433b34c0a3306c88fb6f7d
Opcode Fuzzy Hash: 58e8675a6e1cfdf50887e567c02fe4f36ba317691a6cb44efd4da0af4e05d4bc
Instruction Fuzzy Hash: 4C411B31610200EFCB255F38DC44BB93B69EB66331F148616FAA6972E2C7B1CD56DB10

Function 00330EFD Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 002DB0DB: _wcslen.LIBCMT ref: 002DB0EE

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00330FC1
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00330FDD
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00330FF9
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00331023
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0033104B
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00331056
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0033105B

Strings

SOFTWARE\Classes\, xrefs: 00330F2D
\CLSID, xrefs: 00330F43
\IPC$, xrefs: 00330FA3

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 6db3c844e64bf952836b5a34e8027dedb44da2c93cde72db1302b4e642eb61fd
Instruction ID: a2449f3a89608d05ef311639e6155663bcfe260da77510b52c33c71295ae7ebc
Opcode Fuzzy Hash: 6db3c844e64bf952836b5a34e8027dedb44da2c93cde72db1302b4e642eb61fd
Instruction Fuzzy Hash: 20410A72D10229ABCF26EBA4DC959EEB778FF18350F01412AF911A3260EB709E54CF50

Function 00364672 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00364717
CreateCompatibleDC.GDI32(00000000), ref: 0036471E
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00364731
SelectObject.GDI32(00000000,00000000), ref: 00364739
GetPixel.GDI32(00000000,00000000,00000000), ref: 00364744
DeleteDC.GDI32(00000000), ref: 0036474E
GetWindowLongW.USER32(?,000000EC), ref: 00364758
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 0036476E
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 0036477A

Strings

static, xrefs: 003646AF

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: efe2dfd00e1cc512b5cab45175b59dd72ec2c4e9db847a3e32d7f1204f46ae09
Instruction ID: 39f15686c29f20b4aa05fbb7ce51f664e2de67327172b6f9e36df03e1c37af01
Opcode Fuzzy Hash: efe2dfd00e1cc512b5cab45175b59dd72ec2c4e9db847a3e32d7f1204f46ae09
Instruction Fuzzy Hash: BD316031600215ABDF139F64DC48FDA3B6DFF0E364F118211FA64A61A0C7B5D860DBA4

Function 00354403 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0035442F
CoInitialize.OLE32(00000000), ref: 0035445D
CoUninitialize.OLE32 ref: 00354467
_wcslen.LIBCMT ref: 00354500
GetRunningObjectTable.OLE32(00000000,?), ref: 00354584
SetErrorMode.KERNEL32(00000001,00000029), ref: 003546A8
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 003546E1
CoGetObject.OLE32(?,00000000,00370B5C,?), ref: 00354700
SetErrorMode.KERNEL32(00000000), ref: 00354713
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00354797
VariantClear.OLEAUT32(?), ref: 003547AB

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: d8b732b5188d8ce077e010a896b5ed8dec72e7375ef6d2177cac43757d052361
Instruction ID: 27c48c88d2e69d5479fb4e1a7fa558812fd0506a3941b35a3ce63519d6dc09d5
Opcode Fuzzy Hash: d8b732b5188d8ce077e010a896b5ed8dec72e7375ef6d2177cac43757d052361
Instruction Fuzzy Hash: 97C144B16042019FC705DF68C884D2BB7E9FF89749F10491DF98A9B260DB70ED49CB92

Function 00348297 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 003482F4
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00348390
SHGetDesktopFolder.SHELL32(?), ref: 003483A4
CoCreateInstance.OLE32(00370CCC,00000000,00000001,00397E4C,?), ref: 003483F0
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00348475
CoTaskMemFree.OLE32(?,?), ref: 003484CD
SHBrowseForFolderW.SHELL32(?), ref: 00348558
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0034857B
CoTaskMemFree.OLE32(00000000), ref: 00348582
CoTaskMemFree.OLE32(00000000), ref: 003485D7
CoUninitialize.OLE32 ref: 003485DD

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 6c320c6115405549cbec237765776405767af226668322c4de59d96d76148deb
Instruction ID: 53e292e395573275e5103d366dcc98e05c0e3ff68845520e022c1d6f9b51dab4
Opcode Fuzzy Hash: 6c320c6115405549cbec237765776405767af226668322c4de59d96d76148deb
Instruction Fuzzy Hash: 16C10975A00109AFCB15DFA4C888DAEBBF9FF48304B158499E8199B361DB30ED45CF90

Function 00365AF9 Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00365BE0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00365BF1
CharNextW.USER32(00000158), ref: 00365C20
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00365C61
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00365C77
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00365C88

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: cdc72a4e7f89054fbe581e25d6be989ac7f4c8c2f902b55c3687a4b40f0706d9
Instruction ID: e89226005151a42751afd2b62a6b4f7e34420ff2613b7a6bf89dd5d7ae1cc372
Opcode Fuzzy Hash: cdc72a4e7f89054fbe581e25d6be989ac7f4c8c2f902b55c3687a4b40f0706d9
Instruction Fuzzy Hash: E0618B30A00209ABDF228F94CC859FE7BBCEF49750F14C169F965AB295C7B49A40DB61

Function 003302A7 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 003302CE
SafeArrayAllocData.OLEAUT32(?), ref: 00330327
VariantInit.OLEAUT32(?), ref: 00330339
SafeArrayAccessData.OLEAUT32(?,?), ref: 00330359
VariantCopy.OLEAUT32(?,?), ref: 003303AC
SafeArrayUnaccessData.OLEAUT32(?), ref: 003303C0
VariantClear.OLEAUT32(?), ref: 003303D5
SafeArrayDestroyData.OLEAUT32(?), ref: 003303E2
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003303EB
VariantClear.OLEAUT32(?), ref: 003303FD
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00330408

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 086c3a9b5504922f7e57278ad5ee258ccbb308f85c0731b8c062f1bf530414a1
Instruction ID: ea6eecdabf4f9fb52a96a8a66b412d5d3a16ff231c98bc5600dfbf8623c8a027
Opcode Fuzzy Hash: 086c3a9b5504922f7e57278ad5ee258ccbb308f85c0731b8c062f1bf530414a1
Instruction Fuzzy Hash: 29419335E002199FCB06DF65C8989ADBBB9FF48354F008065E905A7261CF74ED45CFA0

Function 0033A492 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0033A4BA
GetAsyncKeyState.USER32(000000A0), ref: 0033A53B
GetKeyState.USER32(000000A0), ref: 0033A556
GetAsyncKeyState.USER32(000000A1), ref: 0033A570
GetKeyState.USER32(000000A1), ref: 0033A585
GetAsyncKeyState.USER32(00000011), ref: 0033A59D
GetKeyState.USER32(00000011), ref: 0033A5AF
GetAsyncKeyState.USER32(00000012), ref: 0033A5C7
GetKeyState.USER32(00000012), ref: 0033A5D9
GetAsyncKeyState.USER32(0000005B), ref: 0033A5F1
GetKeyState.USER32(0000005B), ref: 0033A603

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 3022922ce2d20735908339734cdf0cb37b114c6897b5c0fa5ea8f8292b8ea986
Instruction ID: 425f0a2ae993f942977562139869fa3e8856c9bcd41512ba7e1ca35145a40e42
Opcode Fuzzy Hash: 3022922ce2d20735908339734cdf0cb37b114c6897b5c0fa5ea8f8292b8ea986
Instruction Fuzzy Hash: F2418660A04FC96DFF339B6488847B5BEA46B22344F0A8059D5C64A5C2EBD49DC8C763

Function 0036A58E Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D23E1: GetWindowLongW.USER32(00000000,000000EB), ref: 002D23F2

GetSystemMetrics.USER32(0000000F), ref: 0036A5CF
GetSystemMetrics.USER32(0000000F), ref: 0036A5EF
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0036A82C
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0036A84A
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0036A86B
ShowWindow.USER32(00000003,00000000), ref: 0036A88A
InvalidateRect.USER32(?,00000000,00000001), ref: 0036A8AF
DefDlgProcW.USER32(?,00000005,?,?), ref: 0036A8D2

Strings

, xrefs: 0036A7E0

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-3916222277
Opcode ID: 9d60599ad7bc2ebc068e163e961ce00fd4f0527c6fb1433d684840033caf3f33
Instruction ID: 817807312e2c35573cdc879654bc4f7617700eb19e04993454c4d0e252ebff03
Opcode Fuzzy Hash: 9d60599ad7bc2ebc068e163e961ce00fd4f0527c6fb1433d684840033caf3f33
Instruction Fuzzy Hash: 65B19835A006159FDF16CF68C9847AE7BF2BF44700F09C069ED49AB299DB30A941CF62

Function 00359445 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00359465

Part of subcall function 00339670: _wcslen.LIBCMT ref: 00339693

_wcslen.LIBCMT ref: 003594C0
_wcslen.LIBCMT ref: 0035950E
_wcslen.LIBCMT ref: 0035954E
_wcslen.LIBCMT ref: 003595E0

Strings

none, xrefs: 003595D7, 003595DC
stdcall, xrefs: 00359548, 0035954D
cdecl, xrefs: 003594BA, 003594BF
winapi, xrefs: 00359508, 0035950D

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: a550775e1b636ff2b25e96437d94dd477428cea546cdd1832b474f4529bd93ef
Instruction ID: 4e726a1dc3aa2df32df3742469dcbad3d86a9cf6438f4f25598452bd6663727e
Opcode Fuzzy Hash: a550775e1b636ff2b25e96437d94dd477428cea546cdd1832b474f4529bd93ef
Instruction Fuzzy Hash: AB51E731A04116DBCF12DF68C950EBDB3A5AF25325B21462AFC26D7390EB35DD58CB90

Function 00348996 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00348A58
SystemTimeToFileTime.KERNEL32(?,?), ref: 00348A68
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00348A74
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00348B11
SetCurrentDirectoryW.KERNEL32(?), ref: 00348B25
SetCurrentDirectoryW.KERNEL32(?), ref: 00348B57
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00348B8D
SetCurrentDirectoryW.KERNEL32(?), ref: 00348B96

Strings

*.*, xrefs: 00348B9C

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: d13993debde5b41696f7de92df8b3a793c7231c70bbcbc460055154583bb2cf2
Instruction ID: 59a35507180995374d5c9b5e4f5f1935b9e0016215dd3142336275c4de36c932
Opcode Fuzzy Hash: d13993debde5b41696f7de92df8b3a793c7231c70bbcbc460055154583bb2cf2
Instruction Fuzzy Hash: 4C617BB25043459FC711EF60C840AAEB3E8FF89310F14891EF9899B251DB71E955CF92

Function 00364320 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00364353
SetMenu.USER32(?,00000000), ref: 00364362
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003643EA
IsMenu.USER32(?), ref: 003643FE
CreatePopupMenu.USER32 ref: 00364408
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00364435
DrawMenuBar.USER32 ref: 0036443D

Strings

0, xrefs: 0036432E
F, xrefs: 00364428

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: a9357cc64ae1ac1b4f01bfd3ea85ae5e3201498503cf00c2251988d636f178ba
Instruction ID: 1aa36380d8467f5e9267b87401264c741478296b148df264a356f02b20e7eac9
Opcode Fuzzy Hash: a9357cc64ae1ac1b4f01bfd3ea85ae5e3201498503cf00c2251988d636f178ba
Instruction Fuzzy Hash: 5E416D74A01209EFDF16CF65E845BAA7BB9FF0A314F158028FA4697350C770A910CF61

Function 003326DF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002DC110: _wcslen.LIBCMT ref: 002DC11A

Part of subcall function 003344BB: GetClassNameW.USER32(?,?,000000FF), ref: 003344DE

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00332764
GetDlgCtrlID.USER32 ref: 0033276F
GetParent.USER32 ref: 0033278B
SendMessageW.USER32(00000000,?,00000111,?), ref: 0033278E
GetDlgCtrlID.USER32(?), ref: 00332797
GetParent.USER32(?), ref: 003327AB
SendMessageW.USER32(00000000,?,00000111,?), ref: 003327AE

Strings

ListBox, xrefs: 00332721
ComboBox, xrefs: 003326EC

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: b71185715d5ee83a4a356ef0163b4caed4b1ffd99d34329afa4355b6a1264320
Instruction ID: f0d5d72c7218cc53f5d9cf133a836d827e5bc1a83735d1163d2814879c071a56
Opcode Fuzzy Hash: b71185715d5ee83a4a356ef0163b4caed4b1ffd99d34329afa4355b6a1264320
Instruction Fuzzy Hash: F921A474E00114BBCF06EFA0CC85EEEBBB8EF05350F104556F961A72A2DA799818DB60

Function 003327C0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002DC110: _wcslen.LIBCMT ref: 002DC11A

Part of subcall function 003344BB: GetClassNameW.USER32(?,?,000000FF), ref: 003344DE

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00332843
GetDlgCtrlID.USER32 ref: 0033284E
GetParent.USER32 ref: 0033286A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0033286D
GetDlgCtrlID.USER32(?), ref: 00332876
GetParent.USER32(?), ref: 0033288A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0033288D

Strings

ListBox, xrefs: 00332802
ComboBox, xrefs: 003327CD

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 36c5409191a37c91507c6f805f10cd6bf750b6add38ad08ff995074d2932c3f6
Instruction ID: 4d9ded3894c8979713f3546e6f53a22fd85f4e9febb72214b20f4de27b39996c
Opcode Fuzzy Hash: 36c5409191a37c91507c6f805f10cd6bf750b6add38ad08ff995074d2932c3f6
Instruction Fuzzy Hash: BB21C6B5E00114BBCF02EFA1CC85EEFBBB8EF04300F104456F95197292DA799814DB60

Function 003640FD Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00364177
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 0036417A
GetWindowLongW.USER32(?,000000F0), ref: 003641A1
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 003641C4
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 0036423C
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00364286
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 003642A1
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 003642BC
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 003642D0
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 003642ED

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 2f388f77984482d2a86045774ac00b421e12ec0a23eb87a42cf1e68b5770f236
Instruction ID: 6a450a51574838c6ff94ca13aa59495f25a6e183f7331b0fbed9990f20e58d04
Opcode Fuzzy Hash: 2f388f77984482d2a86045774ac00b421e12ec0a23eb87a42cf1e68b5770f236
Instruction Fuzzy Hash: F9618D75900248AFDB12DFA8CC81EEE77B8EF09710F204569FA15EB2A1C774AD51DB50

Function 0033B953 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0033B975
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0033AA05,?,00000001), ref: 0033B989
GetWindowThreadProcessId.USER32(00000000), ref: 0033B990
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0033AA05,?,00000001), ref: 0033B99F
GetWindowThreadProcessId.USER32(?,00000000), ref: 0033B9B1
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0033AA05,?,00000001), ref: 0033B9CA
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0033AA05,?,00000001), ref: 0033B9DC
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0033AA05,?,00000001), ref: 0033BA21
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0033AA05,?,00000001), ref: 0033BA36
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0033AA05,?,00000001), ref: 0033BA41

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 314fe590a5740a4c70082211f9fc8f81af9b2b2243b13124a8b5434a0fe5d06b
Instruction ID: 30f57317e165e0af896a0e6e337ad756d1ed45ea36c93026cfb4e52d7b0ed300
Opcode Fuzzy Hash: 314fe590a5740a4c70082211f9fc8f81af9b2b2243b13124a8b5434a0fe5d06b
Instruction Fuzzy Hash: 58317E71A00604ABDB23DF18DC89F69B7ADEB96311F528015FB05D72A0D7F49A80AB61

Function 002D63CE Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 002D6417
OleUninitialize.OLE32(?,00000000), ref: 002D64B6
UnregisterHotKey.USER32(?), ref: 002D669B
DestroyWindow.USER32(?), ref: 00314DC7
FreeLibrary.KERNEL32(?), ref: 00314E2C
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00314E59

Strings

close all, xrefs: 002D6412

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: b23405c1ffab3489a71b1e1012ff597e07ea1d0ed60a58b225621f2e1e80605d
Instruction ID: 70ac5c819c2b258539d9f3ef250adcd38b7763f294204325939cdbd939cba39d
Opcode Fuzzy Hash: b23405c1ffab3489a71b1e1012ff597e07ea1d0ed60a58b225621f2e1e80605d
Instruction Fuzzy Hash: C6D13E31711212CFCB2ADF54D499A69F7A4BF08704F1542AEE94A6B352CB70EC62CF90

Function 003485F1 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 003487AE
SetCurrentDirectoryW.KERNEL32(?), ref: 003487C2
GetFileAttributesW.KERNEL32(?), ref: 003487EC
SetFileAttributesW.KERNEL32(?,00000000), ref: 00348806
SetCurrentDirectoryW.KERNEL32(?), ref: 00348818
SetCurrentDirectoryW.KERNEL32(?), ref: 00348861
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 003488B1

Strings

*.*, xrefs: 00348867

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: e50bee10261f10c2af95aad18ebdcd163760432fc1ca00a747fadb74daf4d882
Instruction ID: dea32985e432a3808b6a4b4af16a7ac7922375cb0b9d673da22a513389e89752
Opcode Fuzzy Hash: e50bee10261f10c2af95aad18ebdcd163760432fc1ca00a747fadb74daf4d882
Instruction Fuzzy Hash: 3981B0725042419BCB62EF54C854AAEB3E8BF84310F56882EF985DB250DF78ED45CF92

Function 002D698D Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 002D6A1D

Part of subcall function 002D6AAD: GetClientRect.USER32(?,?), ref: 002D6AD3
Part of subcall function 002D6AAD: GetWindowRect.USER32(?,?), ref: 002D6B14
Part of subcall function 002D6AAD: ScreenToClient.USER32(?,?), ref: 002D6B3C

GetDC.USER32 ref: 00315960
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00315973
SelectObject.GDI32(00000000,00000000), ref: 00315981
SelectObject.GDI32(00000000,00000000), ref: 00315996
ReleaseDC.USER32(?,00000000), ref: 0031599E
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00315A2F

Strings

U, xrefs: 003158FE

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 37f9c01e77e88d3bb8a93ebb8de9f775a8c1dacf2f8f281ec8636acbf55201f7
Instruction ID: a67b0afdbb1060299a5e88967561076aa85edf1fbf4921ca0d48636630504e6a
Opcode Fuzzy Hash: 37f9c01e77e88d3bb8a93ebb8de9f775a8c1dacf2f8f281ec8636acbf55201f7
Instruction Fuzzy Hash: 7871E431500605DFCF2B8F64C884AEA7BB9FF8D320F15826AED955A2A6C7318C91DF51

Function 0036910A Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D23E1: GetWindowLongW.USER32(00000000,000000EB), ref: 002D23F2

Part of subcall function 002D1976: GetCursorPos.USER32(?), ref: 002D198A
Part of subcall function 002D1976: ScreenToClient.USER32(00000000,?), ref: 002D19A7
Part of subcall function 002D1976: GetAsyncKeyState.USER32(00000001), ref: 002D19CC
Part of subcall function 002D1976: GetAsyncKeyState.USER32(00000002), ref: 002D19E6

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?), ref: 00369173
ImageList_EndDrag.COMCTL32 ref: 00369179
ReleaseCapture.USER32 ref: 0036917F
SetWindowTextW.USER32(?,00000000), ref: 0036921A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0036922D
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?), ref: 00369307

Strings

@GUI_DROPID, xrefs: 00369259
@GUI_DRAGFILE, xrefs: 003692A2

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: b8f6f5154433c88204455b00c65ba7342c0d8266b6b15a8acda5e978da2aaa6e
Instruction ID: 25dae2fe1920f8ce40db10bc53694880b0e055c91aa5df8b2cb4f4caf2cf6625
Opcode Fuzzy Hash: b8f6f5154433c88204455b00c65ba7342c0d8266b6b15a8acda5e978da2aaa6e
Instruction Fuzzy Hash: A1517B71604304AFD701EF14D89AFAB77E8EB88714F10491EF996972E2DB70AD14CB52

Function 0034CA86 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0034CAA5
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0034CACD
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0034CAFD
GetLastError.KERNEL32 ref: 0034CB55
SetEvent.KERNEL32(?), ref: 0034CB69
InternetCloseHandle.WININET(00000000), ref: 0034CB74

Strings

, xrefs: 0034CAEE

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 07f2c5927c3a5d0c126aa9d87c66897cd297bf570eaa23da109e384feea0993b
Instruction ID: 12a0a52b1a4cd5815efbb3e851e9965582220f188af3a838486ececba8fa7b46
Opcode Fuzzy Hash: 07f2c5927c3a5d0c126aa9d87c66897cd297bf570eaa23da109e384feea0993b
Instruction Fuzzy Hash: C731BC71A11308AFD7629F65CC89AABBBFCEB05B40F10542EF4469A210DB74ED049B61

Function 0033A072 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00313B35,?,?,Bad directive syntax error,0036DBF4,00000000,00000010,?,?), ref: 0033A093
LoadStringW.USER32(00000000,?,00313B35,?), ref: 0033A09A

Part of subcall function 002DC110: _wcslen.LIBCMT ref: 002DC11A

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0033A15E

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 0033A0C8
Line %d:, xrefs: 0033A0E9
Line %d (File "%s"):, xrefs: 0033A104
., xrefs: 0033A144
Error: , xrefs: 0033A12C

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: ab48cf38b868c2e2c4f3955177e3ac1de00904c4512c783a5d04c5052960d4b4
Instruction ID: c03444c9572cd414f31b84a1b6720d6344313388224bf73e14f6d3ae85e34ef2
Opcode Fuzzy Hash: ab48cf38b868c2e2c4f3955177e3ac1de00904c4512c783a5d04c5052960d4b4
Instruction Fuzzy Hash: 9421B532D1021AEBCF12EF90CC46EEE7739BF18300F044866F515661A2DA75AA68DF61

Function 0033289F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 003328AB
GetClassNameW.USER32(00000000,?,00000100), ref: 003328C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0033294D

Strings

SHELLDLL_DefView, xrefs: 003328CC
largeicons, xrefs: 003328E1
smallicons, xrefs: 00332915
details, xrefs: 003328FB
list, xrefs: 0033292F

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 26f199f8ac1bf8a8222a5d0a832b7e8457171c1d897c4842cd3de633404e9755
Instruction ID: 8679a9ac2fcc7a2ea4f842079e56236542c43dce5fe832961d4df36aad921ed2
Opcode Fuzzy Hash: 26f199f8ac1bf8a8222a5d0a832b7e8457171c1d897c4842cd3de633404e9755
Instruction Fuzzy Hash: DC11A07B68830BBAEA032625EC47EE7779CAB19764F214022FA04E50E1FBA168614954

Function 0030D2B0 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0030D2D7
_free.LIBCMT ref: 0030D342
_free.LIBCMT ref: 0030D368
_free.LIBCMT ref: 0030D391
_free.LIBCMT ref: 0030D3C9
_free.LIBCMT ref: 0030D3FA
_free.LIBCMT ref: 0030D43B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0030D4BC
_free.LIBCMT ref: 0030D4D5

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 6ded80809921fb91db118f54b0e49007ef853ab830625fc0f0160d0e49df4aa3
Instruction ID: faa032ca1fdc5b169b850e30caaf5efc410641cb8b4f3e3a852c210284e7d978
Opcode Fuzzy Hash: 6ded80809921fb91db118f54b0e49007ef853ab830625fc0f0160d0e49df4aa3
Instruction Fuzzy Hash: 37611676902700AFDF27AFB598A577E7BE89F02310F0542ADF945AB2C1DA319C008792

Function 003657B0 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00365862
ShowWindow.USER32(?,00000000), ref: 003658A3
ShowWindow.USER32(?,00000005,?,00000000), ref: 003658A9
SetFocus.USER32(?,?,00000005,?,00000000), ref: 003658AD

Part of subcall function 003675A1: DeleteObject.GDI32(00000000), ref: 003675CD

GetWindowLongW.USER32(?,000000F0), ref: 003658E9
SetWindowLongW.USER32(?,000000F0,00000000), ref: 003658F6
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00365929
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00365963
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00365972

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: a4ff4b06a5bc9a9d08e289a9955f564402694cfcdeb88af39855cc49805c03bb
Instruction ID: fa61895329fc5427a57a59fb4a6d5e31f55a079f8fba54ca6bbeeab133071701
Opcode Fuzzy Hash: a4ff4b06a5bc9a9d08e289a9955f564402694cfcdeb88af39855cc49805c03bb
Instruction Fuzzy Hash: 55519F30B41A08FFEF329F59CC49B993BA9EB14360F14C026F9159B9E9C771A990DB41

Function 002D15EB Relevance: 13.7, APIs: 9, Instructions: 160windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00312B05
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00312B27
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00312B3F
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00312B5D
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00312B7E
DestroyIcon.USER32(00000000,?,?,?,?,?,002D143A,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00312B8D
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00312BAA
DestroyIcon.USER32(00000000,?,?,?,?,?,002D143A,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00312BB9

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: ceef16a20f5954a1d9280fd761f41d2e2bf7be59f4ca6863b3b5bf8c60c60059
Instruction ID: e251d8bea3bd4a6586ca8195624b316c3f41f5886099126d99c770170acc350f
Opcode Fuzzy Hash: ceef16a20f5954a1d9280fd761f41d2e2bf7be59f4ca6863b3b5bf8c60c60059
Instruction Fuzzy Hash: 3F515C70610209AFDB26DF24CC85FAB7BB9EF48710F148519F94297690D7B0EDA0DB90

Function 0034C976 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0034C9B5
GetLastError.KERNEL32 ref: 0034C9C8
SetEvent.KERNEL32(?), ref: 0034C9DC

Part of subcall function 0034CA86: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0034CAA5
Part of subcall function 0034CA86: GetLastError.KERNEL32 ref: 0034CB55
Part of subcall function 0034CA86: SetEvent.KERNEL32(?), ref: 0034CB69
Part of subcall function 0034CA86: InternetCloseHandle.WININET(00000000), ref: 0034CB74

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: c47f7b205f6fde4427213a67b7ac1b31a23a4e8c565709e93d5337864998ba88
Instruction ID: a426d064fca4e92112bc5319410e7eae8cf96b30c7351ec550e772a49d0e9f59
Opcode Fuzzy Hash: c47f7b205f6fde4427213a67b7ac1b31a23a4e8c565709e93d5337864998ba88
Instruction Fuzzy Hash: 6F318C71612709AFDB62CFB18C44A7ABBFCFF49300B15951DF95A8A610D771E810EBA0

Function 00332DA2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00334251: GetWindowThreadProcessId.USER32(?,00000000), ref: 0033426B
Part of subcall function 00334251: GetCurrentThreadId.KERNEL32 ref: 00334272
Part of subcall function 00334251: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00332DB3), ref: 00334279

MapVirtualKeyW.USER32(00000025,00000000), ref: 00332DBD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00332DDB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00332DDF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00332DE9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00332E01
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00332E05
MapVirtualKeyW.USER32(00000025,00000000), ref: 00332E0F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00332E23
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00332E27

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 6541e0d055dd160893a2cc84141fdd78c96da42e2324f6b19feebf53f5fc2a16
Instruction ID: 367bf3edc7b70c7f080980a050af7be2a10c893e599b116275ce7e240a3acb0b
Opcode Fuzzy Hash: 6541e0d055dd160893a2cc84141fdd78c96da42e2324f6b19feebf53f5fc2a16
Instruction Fuzzy Hash: C901B530B802147BFB116769DCCEF567F5DDF5AB11F104015F328AE1E0C9E164448A69

Function 0035A854 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0033DC3E: CreateToolhelp32Snapshot.KERNEL32 ref: 0033DC63
Part of subcall function 0033DC3E: Process32FirstW.KERNEL32(00000000,?), ref: 0033DC71
Part of subcall function 0033DC3E: CloseHandle.KERNEL32(00000000), ref: 0033DD49

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0035A8DF
GetLastError.KERNEL32 ref: 0035A8F2
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0035A925
TerminateProcess.KERNEL32(00000000,00000000), ref: 0035A9DA
GetLastError.KERNEL32(00000000), ref: 0035A9E5
CloseHandle.KERNEL32(00000000), ref: 0035AA36

Strings

SeDebugPrivilege, xrefs: 0035A901

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 81e3751248efaaa7d98aff41c3225946d1ad2e82b1d03e09bb8830b22b6efce4
Instruction ID: 679488c4fc4092d952c3bae20b46cdea8d5ec7226dc79835302dc9db2c9ae1ec
Opcode Fuzzy Hash: 81e3751248efaaa7d98aff41c3225946d1ad2e82b1d03e09bb8830b22b6efce4
Instruction Fuzzy Hash: 2161C034204642AFD721DF14C494F25BBE4AF44309F16859DE8668FBA2C7B1EC49CB92

Function 0033C4D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0033C56F
IsMenu.USER32(00000000), ref: 0033C58F
CreatePopupMenu.USER32 ref: 0033C5C5
GetMenuItemCount.USER32(00D04B18), ref: 0033C616
InsertMenuItemW.USER32(00D04B18,?,00000001,00000030), ref: 0033C63E

Strings

0, xrefs: 0033C51A
2, xrefs: 0033C5A9

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 68ad2f239389ab09ed3b73f4901cc491b0e55594d41a63808ecc0ee0c023594a
Instruction ID: fceebdbe210215bb4b0a99631cfb6d662077bfbef0b29bc3aec194995ad9ebaa
Opcode Fuzzy Hash: 68ad2f239389ab09ed3b73f4901cc491b0e55594d41a63808ecc0ee0c023594a
Instruction Fuzzy Hash: 7C51D570A10305DBDF12CF68C9C5BAEBBF8AF59314F18A219E412FB291D7709945CB61

Function 002D1976 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 002D198A
ScreenToClient.USER32(00000000,?), ref: 002D19A7
GetAsyncKeyState.USER32(00000001), ref: 002D19CC
GetAsyncKeyState.USER32(00000002), ref: 002D19E6

Strings

A&-, xrefs: 002D1999, 002D19B0, 00312D78
A&-, xrefs: 00312E06, 00312DD0, 00312DA7

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID: A&-$A&-
API String ID: 4210589936-1337830626
Opcode ID: f3b1a366f7166ef1ff84a6571d0c85929fa8a3652df76622cc12cdf985027163
Instruction ID: bde26d675c685097e628667fe5177b1c56e12f1d6c029039aa771164ffef8f1f
Opcode Fuzzy Hash: f3b1a366f7166ef1ff84a6571d0c85929fa8a3652df76622cc12cdf985027163
Instruction Fuzzy Hash: 9F414F75A0811AFFDF0A9F68C854BEEB774FF09324F20821AE465A6290C7705DB0DB91

Function 002F3140 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 002F316B
___except_validate_context_record.LIBVCRUNTIME ref: 002F3173
_ValidateLocalCookies.LIBCMT ref: 002F3201
__IsNonwritableInCurrentImage.LIBCMT ref: 002F322C
_ValidateLocalCookies.LIBCMT ref: 002F3281

Strings

FL/, xrefs: 002F321E, 002F3227, 002F3238
csm, xrefs: 002F3216

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: FL/$csm
API String ID: 1170836740-3728842777
Opcode ID: 5d8a7ca5561c4b6f09fa5263d15448bf416d7d080a57c28f064b4edac3d04d43
Instruction ID: 4f934f2037d4e621a8c28765ca0e55faff2f6a2fbb4561682efafa7e7c78e106
Opcode Fuzzy Hash: 5d8a7ca5561c4b6f09fa5263d15448bf416d7d080a57c28f064b4edac3d04d43
Instruction Fuzzy Hash: D241C230A2020D9BCF10DF68C841ABEFBA5AF453A4F148165EA19AB352D771DF25CB90

Function 0033CFCA Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0033D069

Strings

question, xrefs: 0033D022
stop, xrefs: 0033D03A
info, xrefs: 0033D00A
warning, xrefs: 0033D052
blank, xrefs: 0033CFEB

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 52d6ddfc2bb6d9cdfa045ffac1a2d5cabada6f49237fb046e0d3289d7a7978fe
Instruction ID: e55059a71c98ac100f9cb178275310cbdd9f6c30eedf4e058b4fcdb3140084a4
Opcode Fuzzy Hash: 52d6ddfc2bb6d9cdfa045ffac1a2d5cabada6f49237fb046e0d3289d7a7978fe
Instruction Fuzzy Hash: 8D110A3664C30EBAEB1B5B54BCC2CBB639CFF19B60F61002AF500A71C1D6F19D014565

Function 0033E5F0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0033E60B
gethostname.WSOCK32(?,00000100), ref: 0033E625
gethostbyname.WSOCK32(?), ref: 0033E632
inet_ntoa.WSOCK32(?), ref: 0033E674
_strcat.LIBCMT ref: 0033E682
WSACleanup.WSOCK32 ref: 0033E6A7

Strings

0.0.0.0, xrefs: 0033E650

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 1e4a41d5c33c64ba9e0dc4b8fecbeac5c2266110ee93948be243f46d71341772
Instruction ID: 4899740ca1a089962c0cdf5d2fc8b4c467e81b65d7d58bc965cb608841755d50
Opcode Fuzzy Hash: 1e4a41d5c33c64ba9e0dc4b8fecbeac5c2266110ee93948be243f46d71341772
Instruction Fuzzy Hash: 00110671E14118AFDB227B60DC4BEEE776CDF54310F010079F511A60D2EFB08A818E55

Function 0033F4F0 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0033F501
_wcslen.LIBCMT ref: 0033F512
_wcslen.LIBCMT ref: 0033F550
_wcslen.LIBCMT ref: 0033F586
_wcslen.LIBCMT ref: 0033F5B6
_wcslen.LIBCMT ref: 0033F5C6
_wcslen.LIBCMT ref: 0033F602
_wcslen.LIBCMT ref: 0033F631

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 86d6777490bba19413d74a873b4fe3796ec26b4be9a16c98b367e0616b4dbab2
Instruction ID: edefa0afce23644a5563b0e206ca1e4bb081eef5cbcc182cd77d7f20b0a2fd58
Opcode Fuzzy Hash: 86d6777490bba19413d74a873b4fe3796ec26b4be9a16c98b367e0616b4dbab2
Instruction Fuzzy Hash: D2415065C2021869CB12BBA4888ADEFF7AC9F05740F908472E619E3161FB349365CBA5

Function 002EFBD2 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,003135E0,00000004,00000000,00000000), ref: 002EFC4D
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,003135E0,00000004,00000000,00000000), ref: 0032FA40
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,003135E0,00000004,00000000,00000000), ref: 0032FAC3

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 4abec2ef5200d948bf036f2ed7c4db830684ea112d578e452e89b1ec0fdf0841
Instruction ID: 8b79a55b1ddd8a8e87653d31815ab1d612894f703fca7e30f597892af4cbcb69
Opcode Fuzzy Hash: 4abec2ef5200d948bf036f2ed7c4db830684ea112d578e452e89b1ec0fdf0841
Instruction Fuzzy Hash: 224131306682C5DEC7B6CF3EDBC87263BB56B46700FB5953EE44B46960C6B1A850CB12

Function 003633DD Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 003633F5
GetDC.USER32(00000000), ref: 003633FD
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00363408
ReleaseDC.USER32(00000000,00000000), ref: 00363414
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00363450
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00363461
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00366141,?,?,000000FF,00000000,?,000000FF,?), ref: 0036349C
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 003634BB

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 0ab8799f2bf471a96269e196d245678981d718505825a3ade22addc427f79003
Instruction ID: a29ce62b35596e2a8cb35636344ebb8fc08a56fa62ff7e29409ede4dc1787eef
Opcode Fuzzy Hash: 0ab8799f2bf471a96269e196d245678981d718505825a3ade22addc427f79003
Instruction Fuzzy Hash: 853180726012147FEB124F11DC8AFEB3FADEF49711F058055FE089A295CAB59C41C7A4

Function 00355777 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 003557F7, 00355B4C
Not an Object type, xrefs: 003557D0

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 3b5cdc3b27d14001c5524184262bb70154f7268ac850af0856e0586bc72ffdc9
Instruction ID: 3f68d8c49f17d0df8c6ad8eab4aa0a1904ceecf4180a0550e2c30eae39e1ae4a
Opcode Fuzzy Hash: 3b5cdc3b27d14001c5524184262bb70154f7268ac850af0856e0586bc72ffdc9
Instruction Fuzzy Hash: A3D10371A0020ADFDF11CFA8C895EAEB7B5FF48315F158069E915AB290E770ED49CB60

Function 00311942 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00311C1B,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 003119EE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00311C1B,00000000,00000000,?,00000000,?,?,?,?), ref: 00311A71
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00311C1B,?,00311C1B,00000000,00000000,?,00000000,?,?,?,?), ref: 00311B04
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00311C1B,00000000,00000000,?,00000000,?,?,?,?), ref: 00311B1B

Part of subcall function 00303C40: RtlAllocateHeap.NTDLL(00000000,00000000,?,?,002F0215,00000000,?,002D8E5F,00000004,?,00314C6B,?,?,002D10E8,0036DBF4), ref: 00303C72

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00311C1B,00000000,00000000,?,00000000,?,?,?,?), ref: 00311B97
__freea.LIBCMT ref: 00311BC2
__freea.LIBCMT ref: 00311BCE

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: d1ac9408d2ca4784a9c22087640da56a720a178592e133af083f9fb605520784
Instruction ID: 23983efd948dceeb554cc85df968a4a6c3908c37e7d82ae2b8cbdb10a50437e0
Opcode Fuzzy Hash: d1ac9408d2ca4784a9c22087640da56a720a178592e133af083f9fb605520784
Instruction Fuzzy Hash: A191F472E052169ADF2A8E65CC51EEEBBF9AF0D310F154559EA11EB180E734DCC0C7A0

Function 00354CF6 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00354E1B
VariantInit.OLEAUT32(?), ref: 00354F1C
VariantClear.OLEAUT32(?), ref: 00354F26
VariantClear.OLEAUT32(?), ref: 00354F83

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00354EFF
Null Object assignment in FOR..IN loop, xrefs: 00354DAB, 00354ED9, 00354F91

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 6e26e40a3dff6f75872befde688edc308dc97b8a6619c5fc97472da73e583dc5
Instruction ID: b1ff2569aa5e1cd4c592d7aa47b7f8ed5b04f342d99b8fedde5205038fa3ef12
Opcode Fuzzy Hash: 6e26e40a3dff6f75872befde688edc308dc97b8a6619c5fc97472da73e583dc5
Instruction Fuzzy Hash: 1F91C371A00205ABDF2ACFA5C845FAEBBB8FF45719F108159F905AB250D7709988CFA0

Function 00341A18 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00341AED
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00341B15
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00341B39
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00341B69
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00341BF0
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00341C55
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00341CC1

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: e71c05669fd00ac52d0fba6e43f3282e8aac7e84bf6f228cc5920626b711381e
Instruction ID: 01cab69d802e69ca8bd479b4cd89b373a0f39f7b375ede836babcb272caa1ae9
Opcode Fuzzy Hash: e71c05669fd00ac52d0fba6e43f3282e8aac7e84bf6f228cc5920626b711381e
Instruction Fuzzy Hash: 8091CE76A006189FDB029F98C885BBEB7F8EF45315F114029E550EF291EBB4BD81CB91

Function 0035411A Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0035413E
CharUpperBuffW.USER32(?,?), ref: 0035424D
_wcslen.LIBCMT ref: 0035425D
VariantClear.OLEAUT32(?), ref: 003543F2

Part of subcall function 00341570: VariantInit.OLEAUT32(00000000), ref: 003415B0
Part of subcall function 00341570: VariantCopy.OLEAUT32(?,?), ref: 003415B9
Part of subcall function 00341570: VariantClear.OLEAUT32(?), ref: 003415C5

Strings

AUTOIT.ERROR, xrefs: 00354253, 00354258
Incorrect Parameter format, xrefs: 00354179, 00354374

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 27988dbe20aa3de79d38bd63949f2e19bcd6bb2336a06fb65e91d1805625c9ab
Instruction ID: 3c6d0dfecb67122c30ee4a7f6f3c3f6d292e55715f0a9fa9a08b476b46e5f5c2
Opcode Fuzzy Hash: 27988dbe20aa3de79d38bd63949f2e19bcd6bb2336a06fb65e91d1805625c9ab
Instruction Fuzzy Hash: 08914674A083419FC705DF24C48196AB7E9FF88719F14892EF8899B361DB30ED49CB92

Function 00355381 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0033082D: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00330760,80070057,?,?,?,00330B7D), ref: 0033084A
Part of subcall function 0033082D: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00330760,80070057,?,?), ref: 00330865
Part of subcall function 0033082D: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00330760,80070057,?,?), ref: 00330873
Part of subcall function 0033082D: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00330760,80070057,?), ref: 00330883

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00355425
_wcslen.LIBCMT ref: 0035552D
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 003555A3
CoTaskMemFree.OLE32(?), ref: 003555AE

Strings

NULL Pointer assignment, xrefs: 003555F7, 00355626

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 8bbb71229a6ad5c4ab653f3585f5c8e2a3fe02edd2ca98158b5cb96a5c434751
Instruction ID: 8e8ab4c96ed11bbc5d8a7e5fccf03e7ddd65a022bab4f3bf4f5ecbdb6751f9b2
Opcode Fuzzy Hash: 8bbb71229a6ad5c4ab653f3585f5c8e2a3fe02edd2ca98158b5cb96a5c434751
Instruction Fuzzy Hash: F6911971D00219AFDF11DFA4D891EEEB7B9BF08304F10456AE915A7251EB70AE58CF60

Function 003627D7 Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 0036285D
GetMenuItemCount.USER32(00000000), ref: 0036288F
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 003628B7
_wcslen.LIBCMT ref: 003628ED
GetMenuItemID.USER32(?,?), ref: 00362927
GetSubMenu.USER32(?,?), ref: 00362935

Part of subcall function 00334251: GetWindowThreadProcessId.USER32(?,00000000), ref: 0033426B
Part of subcall function 00334251: GetCurrentThreadId.KERNEL32 ref: 00334272
Part of subcall function 00334251: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00332DB3), ref: 00334279

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 003629BD

Part of subcall function 0033F152: Sleep.KERNEL32 ref: 0033F1CA

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 6afce86bfc9198be4697006f10d72acd18b3c9e750354eb0c3d61f4cf14e17f8
Instruction ID: e5bd270a2c874d65737a129da5d7bbc731a6c76225983aa241b48656693368bd
Opcode Fuzzy Hash: 6afce86bfc9198be4697006f10d72acd18b3c9e750354eb0c3d61f4cf14e17f8
Instruction Fuzzy Hash: 82718E35E00605AFCB02DF64C885AAEBBF5EF88350F168459E816AB355DB34AD41CF90

Function 003684A6 Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 0036853F
IsWindowEnabled.USER32(00000000), ref: 0036854B
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00368626
SendMessageW.USER32(00000000,000000B0,?,?), ref: 00368659
IsDlgButtonChecked.USER32(?,00000000), ref: 00368691
GetWindowLongW.USER32(00000000,000000EC), ref: 003686B3
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 003686CB

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: fa025a47affb093dba8281a5d4f613dceae7ed2a7b9e327709d42cb903c0e5d3
Instruction ID: c8a76428a909e7fb87101fbf13e7d53e2574fff5bfbb16d2a574ebed66df852a
Opcode Fuzzy Hash: fa025a47affb093dba8281a5d4f613dceae7ed2a7b9e327709d42cb903c0e5d3
Instruction Fuzzy Hash: 1B710074A00204AFEF339F54C894FAA7BB9EF1E300F118259FA4697269CB71AC50CB55

Function 0033CD26 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D7A0C: _wcslen.LIBCMT ref: 002D7A11

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0033CE44
_wcslen.LIBCMT ref: 0033CE8B
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0033CEF2
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0033CF20

Strings

0, xrefs: 0033CE05
,*:, xrefs: 0033CDA1

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: ,*:$0
API String ID: 1227352736-4082223886
Opcode ID: b43a0a723f67d2c7f639f9ed2be136580a01797a15cf42fd1bbd4dee8abada8e
Instruction ID: ded4e4e6e230f552f9bcd38628b77cc060a7d9d8746e967e7c00752750c82661
Opcode Fuzzy Hash: b43a0a723f67d2c7f639f9ed2be136580a01797a15cf42fd1bbd4dee8abada8e
Instruction Fuzzy Hash: 0751EF716283019BD716AF28C8C4A6BBBE8AF45350F041A2DFA95E31D1EB70DD44CB52

Function 0033B6DE Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0033B71D
GetKeyboardState.USER32(?), ref: 0033B732
SetKeyboardState.USER32(?), ref: 0033B793
PostMessageW.USER32(?,00000101,00000010,?), ref: 0033B7C1
PostMessageW.USER32(?,00000101,00000011,?), ref: 0033B7E0
PostMessageW.USER32(?,00000101,00000012,?), ref: 0033B821
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0033B844

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 3732360b6e8495b6866d738a9637dd62e1bef46e66f2ad307d28e15dbc410e39
Instruction ID: b65d0f74f1521166112bbba01a18d058e9b7664965173703eb435a786b877407
Opcode Fuzzy Hash: 3732360b6e8495b6866d738a9637dd62e1bef46e66f2ad307d28e15dbc410e39
Instruction Fuzzy Hash: 5A5190A0A047D57DFB374234C886BBAFEA99F46304F098989E2D5498D2C7E8E9C4D750

Function 0033B4FE Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0033B53D
GetKeyboardState.USER32(?), ref: 0033B552
SetKeyboardState.USER32(?), ref: 0033B5B3
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0033B5DF
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0033B5FC
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0033B63B
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0033B65C

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: fdb2cfa243c2d718de31f6e75af51b601f5ab3e596448e82cb7b0f3e72f4c42a
Instruction ID: a47d18f826b060413a2d4a7075678d4530e7f2af43f57ce9144fb7364e41db60
Opcode Fuzzy Hash: fdb2cfa243c2d718de31f6e75af51b601f5ab3e596448e82cb7b0f3e72f4c42a
Instruction Fuzzy Hash: 9F51B4A0A047D67EFB378724CC96B7AFEA95B06300F088589E2D55A8D3D7D4EC84D760

Function 0030584E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,00305FC3,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 00305890
__fassign.LIBCMT ref: 0030590B
__fassign.LIBCMT ref: 00305926
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0030594C
WriteFile.KERNEL32(?,FF8BC35D,00000000,00305FC3,00000000,?,?,?,?,?,?,?,?,?,00305FC3,?), ref: 0030596B
WriteFile.KERNEL32(?,?,00000001,00305FC3,00000000,?,?,?,?,?,?,?,?,?,00305FC3,?), ref: 003059A4

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: b07d73a46af9ac39cd1aee6e5e3c54a0ef6a5b0a0c949ace9eda91d7c33a3c5c
Instruction ID: 518932bab342fbd30474cf3d0195622cc3c6031bc2df870641a686b396c51075
Opcode Fuzzy Hash: b07d73a46af9ac39cd1aee6e5e3c54a0ef6a5b0a0c949ace9eda91d7c33a3c5c
Instruction Fuzzy Hash: 2351AF71A01649DFDB12CFA8D895BEEBBF8EF09310F14411AE955E7291D7709A40CF60

Function 003518FE Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00353821: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0035384D
Part of subcall function 00353821: _wcslen.LIBCMT ref: 0035386E

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00351958
WSAGetLastError.WSOCK32 ref: 00351967
WSAGetLastError.WSOCK32 ref: 00351A0F
closesocket.WSOCK32(00000000), ref: 00351A3F

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 3e5d9a0467140f2650d3d35a8367d1e4adcbd8c22f050e7169fa867b7749705c
Instruction ID: 7cfaba8c16ed989fe65958b5b9f3fdd0d7ad21b08a0285b116ff3046df2409b1
Opcode Fuzzy Hash: 3e5d9a0467140f2650d3d35a8367d1e4adcbd8c22f050e7169fa867b7749705c
Instruction Fuzzy Hash: 52410531600104AFDB129F24C884FAABBE9EF44365F15C059FC499B2A1C770ED45CBE1

Function 0033D656 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0033E5A9: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0033D678,?), ref: 0033E5C6

Part of subcall function 0033E5A9: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0033D678,?), ref: 0033E5DF

lstrcmpiW.KERNEL32(?,?), ref: 0033D69B
MoveFileW.KERNEL32(?,?), ref: 0033D6D5
_wcslen.LIBCMT ref: 0033D75B
_wcslen.LIBCMT ref: 0033D771
SHFileOperationW.SHELL32(?), ref: 0033D7B7

Strings

\*.*, xrefs: 0033D749

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 5900d5e34c0cba71c4171b59a98d5d1fe4d2c6eadb1221ef571ee7952974c145
Instruction ID: 39dfb95a295f55510d938c028c581d995b70575bfc28b8f398a7931c44a7fdb9
Opcode Fuzzy Hash: 5900d5e34c0cba71c4171b59a98d5d1fe4d2c6eadb1221ef571ee7952974c145
Instruction Fuzzy Hash: 07413271D452185EDF13EFA4E981ADE77BCAF08380F1104A6E609EB181EB74E688CF50

Function 003634D7 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 003634F6
GetWindowLongW.USER32(?,000000F0), ref: 00363529
GetWindowLongW.USER32(?,000000F0), ref: 0036355E
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00363590
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 003635BA
GetWindowLongW.USER32(?,000000F0), ref: 003635CB
SetWindowLongW.USER32(?,000000F0,00000000), ref: 003635E5

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 7af0a534b94c0d2f81045f7e1e51f480ab8b485ca37433fb2486d38de9c3c2fd
Instruction ID: 05411f8fb0810b2861b6b0dc50278adf212ca1845f3d0e4b94c5eb36f59854df
Opcode Fuzzy Hash: 7af0a534b94c0d2f81045f7e1e51f480ab8b485ca37433fb2486d38de9c3c2fd
Instruction Fuzzy Hash: 1C313730B042509FEB22CF08DC88F6637A8FB5B720F159164FA028B2B6CB71E950DB51

Function 00338019 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0033805E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00338084
SysAllocString.OLEAUT32(00000000), ref: 00338087
SysAllocString.OLEAUT32 ref: 003380A8
SysFreeString.OLEAUT32 ref: 003380B1
StringFromGUID2.OLE32(?,?,00000028), ref: 003380CB
SysAllocString.OLEAUT32(?), ref: 003380D9

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 0f13df2dac08eeb235105e4706595aa4a4db28d535f9f03fbd0aa023694531a8
Instruction ID: a00b7b24948cf08684e8c160c2b736960b32a6494b980275a31b8ddd8a04b5e5
Opcode Fuzzy Hash: 0f13df2dac08eeb235105e4706595aa4a4db28d535f9f03fbd0aa023694531a8
Instruction Fuzzy Hash: DF216531600204BF9B169BA9DCC8CAA77ECEB09360B018125F905CB1A1DEB0EC85CB64

Function 00340D2C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00340D4C
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00340D88

Strings

nul, xrefs: 00340DC1

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: db36989da1a5ab541866da63e8feccfdbdc7eb0af42ed37368e357109b569776
Instruction ID: 80dcac20a1dea13bbc57eaf24f8f6f2f6338c24f752c0143de5948d35618a309
Opcode Fuzzy Hash: db36989da1a5ab541866da63e8feccfdbdc7eb0af42ed37368e357109b569776
Instruction Fuzzy Hash: DF215174B00306EFDB254F69D854E997BE8EF46724F208A19FAA1DB2D0D770B854CB10

Function 00340E01 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00340E20
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00340E5B

Strings

nul, xrefs: 00340E93

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 4393b43c470cbda596784bdd9b4848fec4bdb508a5c272a30ce0d708627819f3
Instruction ID: 7cdd3c4e8625ad9ff040befd3a91a21f053a7888a4761f399f4c6047036b0096
Opcode Fuzzy Hash: 4393b43c470cbda596784bdd9b4848fec4bdb508a5c272a30ce0d708627819f3
Instruction Fuzzy Hash: 8B21B0717047059FDB268F69CC04A9A77E8AF45720F200E18FAA1EB2D0D7B1E8A0CB50

Function 00364789 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D6DB1: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 002D6DEF
Part of subcall function 002D6DB1: GetStockObject.GDI32(00000011), ref: 002D6E03
Part of subcall function 002D6DB1: SendMessageW.USER32(00000000,00000030,00000000), ref: 002D6E0D

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 003647EE
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 003647FB
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00364806
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00364815
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00364821

Strings

Msctls_Progress32, xrefs: 003647BF

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 5033bc75080d02221b8d74efe2cc492da77bc23a4e03f62ae9f14af8ef61f2c1
Instruction ID: aac1dba9b4a9dae400767038fa9d30add954fc139c2e7e6b483ee0ee55824387
Opcode Fuzzy Hash: 5033bc75080d02221b8d74efe2cc492da77bc23a4e03f62ae9f14af8ef61f2c1
Instruction Fuzzy Hash: B111B6B255011DBEEF128FA4CC85EE77F6DEF09798F018111FA08A6154C6729C21DBA0

Function 0030DBFF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0030DBC3: _free.LIBCMT ref: 0030DBEC

_free.LIBCMT ref: 0030DC4D

Part of subcall function 00302DE8: RtlFreeHeap.NTDLL(00000000,00000000,?,0030DBF1,?,00000000,?,00000000,?,0030DC18,?,00000007,?,?,0030E016,?), ref: 00302DFE
Part of subcall function 00302DE8: GetLastError.KERNEL32(?,?,0030DBF1,?,00000000,?,00000000,?,0030DC18,?,00000007,?,?,0030E016,?,?), ref: 00302E10

_free.LIBCMT ref: 0030DC58
_free.LIBCMT ref: 0030DC63
_free.LIBCMT ref: 0030DCB7
_free.LIBCMT ref: 0030DCC2
_free.LIBCMT ref: 0030DCCD
_free.LIBCMT ref: 0030DCD8

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: bb05316cb8dd3d962b0bc4a43140fa8d08fb4df31c08811b81b71ace1a24f9af
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: B1110371542B04BAD922BBF0CC5BFCB77DC7F04700F819815B2A9AE1E2DA75B9049750

Function 0033E1D0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0033E1EA
LoadStringW.USER32(00000000), ref: 0033E1F1
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0033E207
LoadStringW.USER32(00000000), ref: 0033E20E
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0033E252

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0033E22F

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 31b6a0fc1a44f8a47b951c9ed538300ec43dac036e80a9e1878ed5ba736fa46b
Instruction ID: 8fe5cb064dd5c48009411b4b48d41f233c67e7f096ae458547d329dd4bc1dcdd
Opcode Fuzzy Hash: 31b6a0fc1a44f8a47b951c9ed538300ec43dac036e80a9e1878ed5ba736fa46b
Instruction Fuzzy Hash: D00131F6E002087FE752A7E4DD89EE7776CDB08300F4185A1F75AE6081EAB49E844B71

Function 003411AF Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 003411BF
EnterCriticalSection.KERNEL32(00000000,?), ref: 003411D1
TerminateThread.KERNEL32(00000000,000001F6), ref: 003411DF
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 003411ED
CloseHandle.KERNEL32(00000000), ref: 003411FC
InterlockedExchange.KERNEL32(?,000001F6), ref: 0034120C
LeaveCriticalSection.KERNEL32(00000000), ref: 00341213

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: a8ff8942b90e516bf62798271ee5e43cc76d559878d49fe0220fe747491e2d49
Instruction ID: b821d3603c5982a0e2b465f95773dd86e8d89da1e3d4048913000f9be59fa8fd
Opcode Fuzzy Hash: a8ff8942b90e516bf62798271ee5e43cc76d559878d49fe0220fe747491e2d49
Instruction Fuzzy Hash: 42F03C32A50A42BBD7875F64ED48BC6BB39FF05702F405521F202958A087B4E4B0CB90

Function 003524A6 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00352606
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00352627
WSAGetLastError.WSOCK32 ref: 00352638
htons.WSOCK32(?,?,?,?,?), ref: 00352721
inet_ntoa.WSOCK32(?), ref: 003526D2

Part of subcall function 003341FC: _strlen.LIBCMT ref: 00334206

Part of subcall function 003539F7: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0034F452), ref: 00353A13

_strlen.LIBCMT ref: 0035277B

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: f02223ddad0cddf6b35927d8c24ed0fb770686a5e90057c459035a76633e4d2d
Instruction ID: 6ac156c706cbee1f7801fffe378c35fdeb064a0bcfe90a5a0a7942a15537f4df
Opcode Fuzzy Hash: f02223ddad0cddf6b35927d8c24ed0fb770686a5e90057c459035a76633e4d2d
Instruction Fuzzy Hash: 41B1F331600340AFC325DF24C895E2BBBA5AF86318F55895CF8565F3A2DB31ED4ACB91

Function 002D6AAD Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 002D6AD3
GetWindowRect.USER32(?,?), ref: 002D6B14
ScreenToClient.USER32(?,?), ref: 002D6B3C
GetClientRect.USER32(?,?), ref: 002D6C7A
GetWindowRect.USER32(?,?), ref: 002D6C9B

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: c24ff9e9cf371b1e7bcb1bad423709cf45ad37b0ff612696cb4759a3d9946414
Instruction ID: 2a4ed370ea5203a4f809fd78aa6ff9e8ce277f265cc90427e44bea6ac387a52c
Opcode Fuzzy Hash: c24ff9e9cf371b1e7bcb1bad423709cf45ad37b0ff612696cb4759a3d9946414
Instruction Fuzzy Hash: 5AB18C34A2064ADBCB14CFA8C4846EEB7F1FF58310F14851AE8AAD7250DB70A9A1DB54

Function 00300547 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 0030044A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00300466
__allrem.LIBCMT ref: 0030047D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0030049B
__allrem.LIBCMT ref: 003004B2
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003004D0

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 029c3ef4bcc714795bc71d205ea565990a04dab318b7c22ceac17bb4587af116
Instruction ID: af7e346c44171de5be2fc1fb42453d4b0301eb27937b602fccbd322d359c5a72
Opcode Fuzzy Hash: 029c3ef4bcc714795bc71d205ea565990a04dab318b7c22ceac17bb4587af116
Instruction Fuzzy Hash: 78812B72602B069BD72B9E79CCA1B6FB3E8AF44720F25452EF511DB6C1E770D9008B58

Function 0030661E Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,002F86F9,002F86F9,?,?,?,0030686F,00000001,00000001,8BE85006), ref: 00306678
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0030686F,00000001,00000001,8BE85006,?,?,?), ref: 003066FE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 003067F8
__freea.LIBCMT ref: 00306805

Part of subcall function 00303C40: RtlAllocateHeap.NTDLL(00000000,00000000,?,?,002F0215,00000000,?,002D8E5F,00000004,?,00314C6B,?,?,002D10E8,0036DBF4), ref: 00303C72

__freea.LIBCMT ref: 0030680E
__freea.LIBCMT ref: 00306833

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 3fa516768a17d5101f0a13db3edb2d69e0b006e6835fbaedc12761113d9d826d
Instruction ID: e42c6e5354467c0b72742d1329907f2662a0d8cbf6de328ca8157643d2708646
Opcode Fuzzy Hash: 3fa516768a17d5101f0a13db3edb2d69e0b006e6835fbaedc12761113d9d826d
Instruction Fuzzy Hash: 6D51F472A01616ABEB268F64CC62EBF77A9EF44B10F168628FD04DA1C4DB35DC60C650

Function 0035C35B Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 002DC110: _wcslen.LIBCMT ref: 002DC11A

Part of subcall function 0035D11B: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0035BE2E,?,?), ref: 0035D138
Part of subcall function 0035D11B: _wcslen.LIBCMT ref: 0035D174
Part of subcall function 0035D11B: _wcslen.LIBCMT ref: 0035D1E2
Part of subcall function 0035D11B: _wcslen.LIBCMT ref: 0035D218

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0035C44A
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0035C4A5
RegCloseKey.ADVAPI32(00000000), ref: 0035C4EA
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0035C519
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0035C573
RegCloseKey.ADVAPI32(?), ref: 0035C57F

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: c4d5e26adcbec0761f66cf0f931f02a709e52699d0a6e84a7a951404bf5865eb
Instruction ID: a212096d6f74fad1c979eef70f5adfadc6f61c6757c910a0f3167baaabff06b6
Opcode Fuzzy Hash: c4d5e26adcbec0761f66cf0f931f02a709e52699d0a6e84a7a951404bf5865eb
Instruction Fuzzy Hash: 3981C270218341AFD716DF64C895E2ABBE9FF84308F14885DF8454B2A2DB31ED49CB91

Function 0034990D Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 002D7A0C: _wcslen.LIBCMT ref: 002D7A11

Part of subcall function 002DB0DB: _wcslen.LIBCMT ref: 002DB0EE

GetOpenFileNameW.COMDLG32(00000058), ref: 00349CE6
_wcslen.LIBCMT ref: 00349D07
_wcslen.LIBCMT ref: 00349D2E
GetSaveFileNameW.COMDLG32(00000058), ref: 00349D86

Strings

X, xrefs: 00349C13

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: ce3bd27a484c6d96ef61e94e611ff7d0698d98707669e2acd59b3f6b6cd038bb
Instruction ID: 4faa877970534e3a84664407ccd83df4ef746f64e90f5315de0497ef929b70a5
Opcode Fuzzy Hash: ce3bd27a484c6d96ef61e94e611ff7d0698d98707669e2acd59b3f6b6cd038bb
Instruction Fuzzy Hash: D4E19C319183408FC725EF24C881B6AB7E4BF85314F15896EE8898B392DB31ED05CF92

Function 00346DA5 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00346DF3
CoInitialize.OLE32(00000000), ref: 00346F50
CoCreateInstance.OLE32(00370CBC,00000000,00000001,00370B2C,?), ref: 00346F67
CoUninitialize.OLE32 ref: 003471EB

Strings

.lnk, xrefs: 00346DD1, 00346E3B, 00346EF7

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: e873e132364d2362268a56689fc666a9aefcee1c581825d91df6bccf7be902da
Instruction ID: 0ee5e5cdc1a3aa2a0db5bb36bc4f888bb15c038cc06af885c6cf6ae740301b60
Opcode Fuzzy Hash: e873e132364d2362268a56689fc666a9aefcee1c581825d91df6bccf7be902da
Instruction Fuzzy Hash: 2FD16771618241AFD305EF24C881E6BB7E8FF89344F00896DF5858B2A2DB71ED45CB92

Function 002D1A55 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 002D23E1: GetWindowLongW.USER32(00000000,000000EB), ref: 002D23F2

BeginPaint.USER32(?,?,?), ref: 002D1A8A
GetWindowRect.USER32(?,?), ref: 002D1AEE
ScreenToClient.USER32(?,?), ref: 002D1B0B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 002D1B1C
EndPaint.USER32(?,?,?,?,?), ref: 002D1B6A
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00312E6F

Part of subcall function 002D1B82: BeginPath.GDI32(00000000), ref: 002D1BA0

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: d4135db055a5a6bcb54ceb313778b2d0a104b7a34fa8a5adedf2fd5e62dd8467
Instruction ID: 1dd8acee9e7cbf7da2b776495ab5a301c7e27d0c97441afa330272c447707980
Opcode Fuzzy Hash: d4135db055a5a6bcb54ceb313778b2d0a104b7a34fa8a5adedf2fd5e62dd8467
Instruction Fuzzy Hash: 8E41D030611201AFC712DF18DC84FB77BACEB5A724F04022AF9A9872B1D7709C64DB61

Function 003687E3 Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0032FA1A,00000000,?,?,00000000,?,003135E0,00000004,00000000,00000000), ref: 00368854
EnableWindow.USER32(?,00000000), ref: 0036887A
ShowWindow.USER32(FFFFFFFF,00000000), ref: 003688D9
ShowWindow.USER32(?,00000004), ref: 003688ED
EnableWindow.USER32(?,00000001), ref: 00368913
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00368937

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: faf98f015289ae6bd4467041367144f6adf9d2bea5cf3ead36a867fba02340ac
Instruction ID: d6f609a1e3177d93fee3007cef9e773baa9707ce8ce10f29b95828703452c04b
Opcode Fuzzy Hash: faf98f015289ae6bd4467041367144f6adf9d2bea5cf3ead36a867fba02340ac
Instruction Fuzzy Hash: 35410974701240AFDB2BCF18C889BA17BE4FB0E714F598269E9484F2B6CB71A855CB51

Function 00341049 Relevance: 9.1, APIs: 6, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00341060
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00341097
EnterCriticalSection.KERNEL32(?), ref: 003410B3
LeaveCriticalSection.KERNEL32(?), ref: 0034112D
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00341142
InterlockedExchange.KERNEL32(?,000001F6), ref: 00341161

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 1bb175d4751355081c9a36a8c0e74d6004244634593735918fbb53b0da6a959c
Instruction ID: 487bec68fad60b77f85abad0e54be1cddbcdd1f1fbaff456ba53346f36b2c896
Opcode Fuzzy Hash: 1bb175d4751355081c9a36a8c0e74d6004244634593735918fbb53b0da6a959c
Instruction Fuzzy Hash: 23318131A00205EBDF01EF94DC89AAEB7B8FF45750F1480A5F900EB246DB70EA64CB60

Function 00335499 Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 003354B1
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 003354CE
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00335506
_wcslen.LIBCMT ref: 00335524
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0033552C
_wcsstr.LIBVCRUNTIME ref: 00335536

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 5e70b0feffcd9669b2c47dd8841811e6132e673fca9f5e7d1498a270875ade15
Instruction ID: 9f2b162e534ffc2913bbae6b47153d1dfd16d0ee83d05e8b0c6ab1c4864c62fd
Opcode Fuzzy Hash: 5e70b0feffcd9669b2c47dd8841811e6132e673fca9f5e7d1498a270875ade15
Instruction Fuzzy Hash: 11213B71604604BBFB175F29DC89E7F7BADDF45750F108039F90ACA191EAB0EC4096A0

Function 00346135 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 002D50F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002D5035,?,?,00314641,?,?,00000100,00000000,00000000,CMDLINE), ref: 002D5117

_wcslen.LIBCMT ref: 00346192
CoInitialize.OLE32(00000000), ref: 003462AC
CoCreateInstance.OLE32(00370CBC,00000000,00000001,00370B2C,?), ref: 003462C5
CoUninitialize.OLE32 ref: 003462E3

Strings

.lnk, xrefs: 0034618D, 003461D8, 0034629C

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: f318ef63ae07bd8a5a9d453e480add931dc8a33dc5815a58fb8d6fab09b771ee
Instruction ID: cb28835d9011e63543251231d12fb127e90a8f5e36931cdcc02082e449b1ae49
Opcode Fuzzy Hash: f318ef63ae07bd8a5a9d453e480add931dc8a33dc5815a58fb8d6fab09b771ee
Instruction Fuzzy Hash: 1ED162706042019FCB15EF25C481A2ABBE5FF8A714F15885DF88A9B3A1D731ED45CF92

Function 003682A9 Relevance: 9.1, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 003682ED
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00368312
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0036832A
GetSystemMetrics.USER32(00000004), ref: 00368353
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,0034BFE0,00000000), ref: 00368373

Part of subcall function 002D23E1: GetWindowLongW.USER32(00000000,000000EB), ref: 002D23F2

GetSystemMetrics.USER32(00000004), ref: 0036835E

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: d580a05424586aec180db1bddeba5d23cc1c2fb631d41bbf1ee126a299ce1baa
Instruction ID: 6b0df722b4b8c841bbdb947e8550da0504e1e7e59ae06e1c030135ea98046041
Opcode Fuzzy Hash: d580a05424586aec180db1bddeba5d23cc1c2fb631d41bbf1ee126a299ce1baa
Instruction Fuzzy Hash: D9216279610245DFCB165F79CC08A6A3BA8FB49B25F25872DF926C26E4DF70D850CB10

Function 002F37A2 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,002F3799,002F3405), ref: 002F37B0
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 002F37BE
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002F37D7
SetLastError.KERNEL32(00000000,?,002F3799,002F3405), ref: 002F3829

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 47571a16189af405d34f5e8f84dfb388e9ecf825b404c6236942e3f958eca35e
Instruction ID: 93855e28f01e1152a6fa416e82de8c424b66f96c3de433626b5e148300e43db4
Opcode Fuzzy Hash: 47571a16189af405d34f5e8f84dfb388e9ecf825b404c6236942e3f958eca35e
Instruction Fuzzy Hash: E501D87263A31B5EA626BA757C86537A698EB057F1F30023AF310451F0EE564D325540

Function 00303194 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,002F4E03,?,00000002,?,002F59A6,002F6714), ref: 00303198
_free.LIBCMT ref: 003031CB
_free.LIBCMT ref: 003031F3
SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,002F6714,00000000), ref: 00303200
SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,002F6714,00000000), ref: 0030320C
_abort.LIBCMT ref: 00303212

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: d90478c80c245e586411f558e6f0525edd20faa117dc3b3ab85fb3959d40f30d
Instruction ID: 536354baf1126e41aab7317b41c1f154a6bb26b233424a221a4cdd4930c4514d
Opcode Fuzzy Hash: d90478c80c245e586411f558e6f0525edd20faa117dc3b3ab85fb3959d40f30d
Instruction Fuzzy Hash: 81F0283A60BA0027C6373735BC3EF5B262D9FC5760F360514F825D62E2EF628E014121

Function 0036902C Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 002D1E82: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 002D1EDC
Part of subcall function 002D1E82: SelectObject.GDI32(?,00000000), ref: 002D1EEB
Part of subcall function 002D1E82: BeginPath.GDI32(?), ref: 002D1F02
Part of subcall function 002D1E82: SelectObject.GDI32(?,00000000), ref: 002D1F2B

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00369056
LineTo.GDI32(?,00000003,00000000), ref: 0036906A
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00369078
LineTo.GDI32(?,00000000,00000003), ref: 00369088
EndPath.GDI32(?), ref: 00369098
StrokePath.GDI32(?), ref: 003690A8

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: b10b386ad237f8a473e956c46200721c7994b609a9daa7f69ea80263a3b6bb3f
Instruction ID: 64730dfaeb5048c55cd95ac5ee4abfdacd9c06dc13fd35df35ff72661e47c207
Opcode Fuzzy Hash: b10b386ad237f8a473e956c46200721c7994b609a9daa7f69ea80263a3b6bb3f
Instruction Fuzzy Hash: 10111B7250010DBFEF129F94DC88EAA7F6DEB09354F04C012FE094A161C7B29D65DBA0

Function 00335A19 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00335A34
GetDeviceCaps.GDI32(00000000,00000058), ref: 00335A45
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00335A4C
ReleaseDC.USER32(00000000,00000000), ref: 00335A54
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00335A6B
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00335A7D

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 66790968f15622dd96c525824c040f373f459604803db62657653cd8874bfcca
Instruction ID: 3f72bfbfec4e0944c1ce850b7c6311946104293f78ac8838bcd309f6ba74e192
Opcode Fuzzy Hash: 66790968f15622dd96c525824c040f373f459604803db62657653cd8874bfcca
Instruction Fuzzy Hash: 9C014475E00714BBEB119FA59C89A5EBF78EB48751F058065FA04AB280D6709C00CF60

Function 002D3700 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 002D3731
MapVirtualKeyW.USER32(00000010,00000000), ref: 002D3739
MapVirtualKeyW.USER32(000000A0,00000000), ref: 002D3744
MapVirtualKeyW.USER32(000000A1,00000000), ref: 002D374F
MapVirtualKeyW.USER32(00000011,00000000), ref: 002D3757
MapVirtualKeyW.USER32(00000012,00000000), ref: 002D375F

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: b9083e78f4d292f48c58d4a53521f2dbd7b8d1fc0fdf843afb511f11058a2a20
Instruction ID: d743f7f636a7a5c724c08b1caf0d21076c70c0d7b6120100438c832debcaa4bf
Opcode Fuzzy Hash: b9083e78f4d292f48c58d4a53521f2dbd7b8d1fc0fdf843afb511f11058a2a20
Instruction Fuzzy Hash: B3016CB090175A7DE3008F5A8C85B52FFA8FF19354F00411BD15C4B941C7F5A864CBE5

Function 0033F2F7 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0033F307
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0033F31D
GetWindowThreadProcessId.USER32(?,?), ref: 0033F32C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0033F33B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0033F345
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0033F34C

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 5065763a788a7780b1acf245cc64beba137e4a3a0fdb3283014c115084a3ca21
Instruction ID: aeb9de2e8d7fe862d837414ae9bab01d816c0456fe814e117ff1ca9dab6fb1c6
Opcode Fuzzy Hash: 5065763a788a7780b1acf245cc64beba137e4a3a0fdb3283014c115084a3ca21
Instruction Fuzzy Hash: 18F01D36A41158BBE7225B529C0EEEB7A7CEBCBB11F004058F6059119096E05A01C6B5

Function 003130BE Relevance: 9.0, APIs: 6, Instructions: 38windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 003130D7
SendMessageW.USER32(?,00001328,00000000,?), ref: 003130EE
GetWindowDC.USER32(?), ref: 003130FA
GetPixel.GDI32(00000000,?,?), ref: 00313109
ReleaseDC.USER32(?,00000000), ref: 0031311B
GetSysColor.USER32(00000005), ref: 00313135

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 05cb687c94e9806261c97dfd425bea33564fe55d5aa0d872aa3eb08c13d77474
Instruction ID: 449d410b2efc5529a6c4966df84d2656252cc4d70f7b9bb4cf5ed631f48b636b
Opcode Fuzzy Hash: 05cb687c94e9806261c97dfd425bea33564fe55d5aa0d872aa3eb08c13d77474
Instruction Fuzzy Hash: 18016D31A00205FFDB526F60DC08BEA7BB9FF19321F514160FA16A21A0CBB10E91EF51

Function 003320EE Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 003320F9
UnloadUserProfile.USERENV(?,?), ref: 00332105
CloseHandle.KERNEL32(?), ref: 0033210E
CloseHandle.KERNEL32(?), ref: 00332116
GetProcessHeap.KERNEL32(00000000,?), ref: 0033211F
HeapFree.KERNEL32(00000000), ref: 00332126

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 516124c5ff315009e2daf8b2d9e32f90d096a802ce376872779da66e82347e21
Instruction ID: 71167504763f55b5df773725f3d74afd320366cd72cd9d5f20056cd9335741f1
Opcode Fuzzy Hash: 516124c5ff315009e2daf8b2d9e32f90d096a802ce376872779da66e82347e21
Instruction Fuzzy Hash: ADE0E576604145BBDB421FA2EC0C90ABF3DFF4A322F108220F22582170CBB29430DB51

Function 0035B4E4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0035B623

Part of subcall function 002D7A0C: _wcslen.LIBCMT ref: 002D7A11

GetProcessId.KERNEL32(00000000), ref: 0035B6B8
CloseHandle.KERNEL32(00000000), ref: 0035B6E7

Strings

<, xrefs: 0035B5EB
@, xrefs: 0035B5F2

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 34d11b4ce184b256e635bed2a6c7f625e90e6207a31b26f79a92c03d6ed8d82a
Instruction ID: e7e3fdd2695c218612566c598da0c0c7e2e9a2103cd7de44713bbe23090ad5c2
Opcode Fuzzy Hash: 34d11b4ce184b256e635bed2a6c7f625e90e6207a31b26f79a92c03d6ed8d82a
Instruction Fuzzy Hash: 2E715634A10219DFCB15EF94C495A9EBBB0BF08300F15849AE856AB3A2DB74ED54CF90

Function 003379BA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00337A22
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00337A58
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00337A69
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00337AEB

Strings

DllGetClassObject, xrefs: 00337A5E

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 5aaa2928e43bfb0beaa4480ecbb479fdff31c21c3085a793e4abf035ac9d9e97
Instruction ID: 03c0779335df9ca91ae129e0f555ba904ca036e9b59ff91221059425f6ec2649
Opcode Fuzzy Hash: 5aaa2928e43bfb0beaa4480ecbb479fdff31c21c3085a793e4abf035ac9d9e97
Instruction Fuzzy Hash: B7418EB1604204EFDB26CF54C8C4A9A7BB9EF49710F1480A9E9059F346E7B0DE41CBA0

Function 00364456 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0036450F
IsMenu.USER32(?), ref: 00364524
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0036456C
DrawMenuBar.USER32 ref: 0036457F

Strings

0, xrefs: 00364463

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: ddedbbf24445dbf29d47b826f1a2d04129934558aab60d241eac1cff2a403ae6
Instruction ID: b56f9e6a5ffcc8e5182c895104b051e9e75f70c0a1521877096afb14fa060d7f
Opcode Fuzzy Hash: ddedbbf24445dbf29d47b826f1a2d04129934558aab60d241eac1cff2a403ae6
Instruction Fuzzy Hash: 08413B75A01209EFDB11CF95E884EAABBB9FF06354F05812AFA16A7250C730ED50CF90

Function 003325E2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002DC110: _wcslen.LIBCMT ref: 002DC11A

Part of subcall function 003344BB: GetClassNameW.USER32(?,?,000000FF), ref: 003344DE

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00332666
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00332679
SendMessageW.USER32(?,00000189,?,00000000), ref: 003326A9

Part of subcall function 002DB0DB: _wcslen.LIBCMT ref: 002DB0EE

Strings

ListBox, xrefs: 00332625
ComboBox, xrefs: 003325F0

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: b5cd4514269d8e69d17f0c1895b65e0d13488fbd45397624e33570ddc46beef3
Instruction ID: 57f74fab75effd1ae24de34a48ed80742fcd260b155f1c418c3e3609479aaf0d
Opcode Fuzzy Hash: b5cd4514269d8e69d17f0c1895b65e0d13488fbd45397624e33570ddc46beef3
Instruction Fuzzy Hash: 5821D671A00108BFDB16ABA0D886DFFB7ACDF45360F10451AF421A72E1DBB95D558A20

Function 003635F1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00363667
LoadLibraryW.KERNEL32(?), ref: 0036366E
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00363683
DestroyWindow.USER32(?), ref: 0036368B

Strings

SysAnimate32, xrefs: 00363642

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 5685c406f2ba32a06b2dc7bc9a01302fef62988526bf6cceb67801e2428c20b0
Instruction ID: f573ef4511f3fbbd6e772843f2664061391b40af4cff7802320564b552b50c5a
Opcode Fuzzy Hash: 5685c406f2ba32a06b2dc7bc9a01302fef62988526bf6cceb67801e2428c20b0
Instruction Fuzzy Hash: 1221FD31A00206BBEF124F64DCC8EBB77ADEB58324F218628FA54D62D4C771CD909760

Function 002F518D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,002F513E,00000003,?,002F50DE,00000003,00399820,0000000C,002F5235,00000003,00000002), ref: 002F51AD
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 002F51C0
FreeLibrary.KERNEL32(00000000,?,?,?,002F513E,00000003,?,002F50DE,00000003,00399820,0000000C,002F5235,00000003,00000002,00000000), ref: 002F51E3

Strings

CorExitProcess, xrefs: 002F51B8
mscoree.dll, xrefs: 002F51A6

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: bd04eb636814624f87c6dc71ae0fb317d4d02393a7ff6c9bd8536b6429cf3820
Instruction ID: 9956dd1a3e2c374bc7b911dbe3d9e2fa1f3521e17c78241ad74c6df112d2f6ae
Opcode Fuzzy Hash: bd04eb636814624f87c6dc71ae0fb317d4d02393a7ff6c9bd8536b6429cf3820
Instruction Fuzzy Hash: 65F0C831A1021CBBDB129F54DC49BAEBFB8EF44751F004064F90AA6150CBB15D50CA90

Function 002D320E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,002D2BF2,?,?,002D2B95,?,00000001,?,?,00000000), ref: 002D321A
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 002D322C
FreeLibrary.KERNEL32(00000000,?,?,002D2BF2,?,?,002D2B95,?,00000001,?,?,00000000), ref: 002D323E

Strings

Wow64DisableWow64FsRedirection, xrefs: 002D3226
kernel32.dll, xrefs: 002D3212

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 6a6314c5f430247a95b1276e77ea05108f060247ec1f5846be5a71137efd706a
Instruction ID: 2817db7285c4688f1c3ec0125e43a1e40596861b44bdccbb82b56d70de84fd3f
Opcode Fuzzy Hash: 6a6314c5f430247a95b1276e77ea05108f060247ec1f5846be5a71137efd706a
Instruction Fuzzy Hash: 1AE08635F115221782531B15AC0CB5AA55C9F93F26B054026FC41D2304DBE0CD0144E1

Function 002D31D7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00313B55,?,?,002D2B95,?,00000001,?,?,00000000), ref: 002D31E0
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 002D31F2
FreeLibrary.KERNEL32(00000000,?,?,00313B55,?,?,002D2B95,?,00000001,?,?,00000000), ref: 002D3205

Strings

kernel32.dll, xrefs: 002D31D9
Wow64RevertWow64FsRedirection, xrefs: 002D31EC

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: a4649617a692beab06a86926cbd4a84a604bf3ec1a53896bed7e5ee7febe865e
Instruction ID: 9e38841db88e411cd6a4c2406d5dcb8aaa5ee9e4a25dd81c98cd581f0e46a177
Opcode Fuzzy Hash: a4649617a692beab06a86926cbd4a84a604bf3ec1a53896bed7e5ee7febe865e
Instruction Fuzzy Hash: 8DD01235F125225756736B25AC1CDCE6E18AE83B213158016FC12A621CCFF0CE1585E5

Function 003431D8 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00343496
DeleteFileW.KERNEL32(?), ref: 00343518
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0034352E
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0034353F
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00343551

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 6148014e9cf66db764e7b85b6c8b63582f68c34155cf4e51ed5c1f3b53d66ca2
Instruction ID: 87792983b8d672eed8adbbf15e800757277a41e212000b4ce3fc687d4b973efc
Opcode Fuzzy Hash: 6148014e9cf66db764e7b85b6c8b63582f68c34155cf4e51ed5c1f3b53d66ca2
Instruction Fuzzy Hash: 46B14071D0011DABDF16DBA4CC85EEEBBBDEF59350F0040A6F609AB141DA30AB558F61

Function 0035AAF9 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0035AB99
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0035ABA7
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0035ABDA
CloseHandle.KERNEL32(?), ref: 0035ADAF

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 14e3975e6d71e20a3a434d8cdae45d24cff78dd689ced648eb7d7242676413fd
Instruction ID: bd4ad2d967f13fa94e12566aa46bd7bdd066f9b8cba7dd8d83cb98e83455f95c
Opcode Fuzzy Hash: 14e3975e6d71e20a3a434d8cdae45d24cff78dd689ced648eb7d7242676413fd
Instruction Fuzzy Hash: D0A1BE716047019FE721EF24C892F2AB7E5AF44710F14895DF9999B3A2DBB0EC44CB92

Function 0035ADEE Relevance: 7.7, APIs: 5, Instructions: 181processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0035AE1E
Process32FirstW.KERNEL32(00000000,?), ref: 0035AE2C

Part of subcall function 002DC110: _wcslen.LIBCMT ref: 002DC11A

CompareStringW.KERNEL32(00000400,00000001,?,?,?,?,?), ref: 0035AEB0
Process32NextW.KERNEL32(00000000,?), ref: 0035AF18
CloseHandle.KERNEL32(00000000), ref: 0035AF2A

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: cc1753583e45f6f1472d35d88ab9cd3c2aa986368b3770bf5538aba669f7da9b
Instruction ID: a9b87b02da06c0bee015cbcd39eae6d07fa3b45bc5b3304f77a4997ff367f33d
Opcode Fuzzy Hash: cc1753583e45f6f1472d35d88ab9cd3c2aa986368b3770bf5538aba669f7da9b
Instruction Fuzzy Hash: FB6149B1508341AFD311EF24D886A5BBBE8EF88754F00492EF985972A1EB70D914CB92

Function 0035C149 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 002DC110: _wcslen.LIBCMT ref: 002DC11A

Part of subcall function 0035D11B: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0035BE2E,?,?), ref: 0035D138
Part of subcall function 0035D11B: _wcslen.LIBCMT ref: 0035D174
Part of subcall function 0035D11B: _wcslen.LIBCMT ref: 0035D1E2
Part of subcall function 0035D11B: _wcslen.LIBCMT ref: 0035D218

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0035C225
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0035C280
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0035C2E3
RegCloseKey.ADVAPI32(?,?), ref: 0035C326
RegCloseKey.ADVAPI32(00000000), ref: 0035C333

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: b112213bbfe552d7edad3ae1450f1e4730559e146ee9a873dab4b8610f196a98
Instruction ID: 5dfa98966663a9515b1ce88833bc46990397abb4758695fd4bdec43a146171ed
Opcode Fuzzy Hash: b112213bbfe552d7edad3ae1450f1e4730559e146ee9a873dab4b8610f196a98
Instruction Fuzzy Hash: F761A231218341AFD715DF54C890E2ABBE9FF84308F14995DF8994B2A2DB31ED49CB91

Function 0033EBD2 Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0033E5A9: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0033D678,?), ref: 0033E5C6

Part of subcall function 0033E5A9: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0033D678,?), ref: 0033E5DF

Part of subcall function 0033E970: GetFileAttributesW.KERNEL32(?,0033D6EB), ref: 0033E971

lstrcmpiW.KERNEL32(?,?), ref: 0033EC4A
MoveFileW.KERNEL32(?,?), ref: 0033EC83
_wcslen.LIBCMT ref: 0033EDC2
_wcslen.LIBCMT ref: 0033EDDA
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0033EE27

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 95f73a66f7bd693e40e56ea8f1a93f8b1e813dd2d66c18c2bf585bc2693f6319
Instruction ID: 8b701a522e55beabdd8643133c520655bbc40f56434661958f09e60650d4414a
Opcode Fuzzy Hash: 95f73a66f7bd693e40e56ea8f1a93f8b1e813dd2d66c18c2bf585bc2693f6319
Instruction Fuzzy Hash: 625153B24083859BD725EB94DC919DFB7DCAF84340F00492EF689D3291EF74E5888B66

Function 003393CC Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003393E9
VariantClear.OLEAUT32 ref: 0033945A
VariantClear.OLEAUT32 ref: 003394B9
VariantClear.OLEAUT32(?), ref: 0033952C
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00339557

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 8b89536ca8e9e47cd8d01ca80f66893a8dfbc83b66887c316642709c6af6d12e
Instruction ID: 1f19145200110f4e2588fdd680cbd45456583fec6920b8bd834e1ef4db2974ed
Opcode Fuzzy Hash: 8b89536ca8e9e47cd8d01ca80f66893a8dfbc83b66887c316642709c6af6d12e
Instruction Fuzzy Hash: C35149B5A00219EFDB15CF69C884AAAB7F8FF89310F15855AF945DB310E770E911CB90

Function 003492FC Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 003493AF
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 003493DB
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00349433
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00349458
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00349460

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 0c89ba014ec585e374ef65b3ef951c4ea015b8adcc4f314a9577d48792004e8e
Instruction ID: c4ea2a37db1d0e6eca5b2c4bd3e14f5971a363358d54438f1fb12aca413e73d0
Opcode Fuzzy Hash: 0c89ba014ec585e374ef65b3ef951c4ea015b8adcc4f314a9577d48792004e8e
Instruction Fuzzy Hash: D2514A35A002199FCB11DF55C895AAEBBF5FF48354F048099E849AB3A2CB31ED51CF90

Function 00359656 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 003596B2
GetProcAddress.KERNEL32(00000000,?), ref: 00359742
GetProcAddress.KERNEL32(00000000,00000000), ref: 0035975E
GetProcAddress.KERNEL32(00000000,?), ref: 003597A4
FreeLibrary.KERNEL32(00000000), ref: 003597C4

Part of subcall function 002EF9F1: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,003418D4,?,7644E610), ref: 002EFA0E
Part of subcall function 002EF9F1: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00330283,00000000,00000000,?,?,003418D4,?,7644E610,?,00330283), ref: 002EFA35

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 56b77dca0a0f731e44b948b72389ff65c3d23660b1f04331c02df41c8cdea5fb
Instruction ID: 39fde648fa8f4674e3b1d9220dceb2331eeea8eae31705fceea043fb3080b7b9
Opcode Fuzzy Hash: 56b77dca0a0f731e44b948b72389ff65c3d23660b1f04331c02df41c8cdea5fb
Instruction Fuzzy Hash: BC517F35614245DFCB01DF58C484DA9BBB0FF09324B19809AE816AB762D731ED89CF80

Function 0036715D Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 0036721A
SetWindowLongW.USER32(?,000000EC,?), ref: 00367231
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 0036725A
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0034B3AC,00000000,00000000), ref: 0036727F
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 003672AE

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 21142648658a47a39b75ada31ef036e200f1ae606ea5b06b7907d3f5ccefa687
Instruction ID: a7357ab3ee953d236a7d2639c0286e6a1aac410fffbcc68343e4039fb34b4365
Opcode Fuzzy Hash: 21142648658a47a39b75ada31ef036e200f1ae606ea5b06b7907d3f5ccefa687
Instruction Fuzzy Hash: 63410235A08104AFD727CF38CC58FA67BA9FB0A324F568625F855A72E8C770ED51CA50

Function 003023E1 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00302453
_free.LIBCMT ref: 00302473

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 9b63047ba847ec59f7c6e52a20ed986f4bee4dc154b6d1b8b85c688d8270eb2a
Instruction ID: 1b75f180a0e7993b9e9fbaeba137008fa5c342546058410cc8a5dbe5798da0ea
Opcode Fuzzy Hash: 9b63047ba847ec59f7c6e52a20ed986f4bee4dc154b6d1b8b85c688d8270eb2a
Instruction Fuzzy Hash: F141E132A012049FCB25DF78C899A6EB7F5EF89314F1685A9E915EB391D731ED01CB80

Function 0034418B Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 003441E2
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00344239
TranslateMessage.USER32(?), ref: 00344262
DispatchMessageW.USER32(?), ref: 0034426C
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0034427D

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 61038afecc5fa6e590e9df553e8f40d982cc039aee988f47415ff131604b3b9d
Instruction ID: 6ef0e99adcc1c467b6fa78ed1f93598ad9d5ac265f848cc34c8ef9ff028d8ac5
Opcode Fuzzy Hash: 61038afecc5fa6e590e9df553e8f40d982cc039aee988f47415ff131604b3b9d
Instruction Fuzzy Hash: 1231A2709043429EEB378B789848BB77BECEB12304F16493DF5668A5A0E7B4B885D711

Function 0033217B Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0033218F
PostMessageW.USER32(00000001,00000201,00000001), ref: 0033223B
Sleep.KERNEL32(00000000,?,?,?), ref: 00332243
PostMessageW.USER32(00000001,00000202,00000000), ref: 00332254
Sleep.KERNEL32(00000000,?,?,?,?), ref: 0033225C

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: b27901a90fda25cf86fdb37af672009a346e0153bedadcfea1fc82fcdc8ce4c6
Instruction ID: 23e01d3cbe51af035cd7054c150ea460258c07dc279f5210e34d58f28db19aea
Opcode Fuzzy Hash: b27901a90fda25cf86fdb37af672009a346e0153bedadcfea1fc82fcdc8ce4c6
Instruction Fuzzy Hash: FE31D671A00219EFDB05CFA8CD89ADF7BB5EB04315F104615FA25EB2D0C3B0A944CB90

Function 0034D748 Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0034CA51,00000000), ref: 0034D766
InternetReadFile.WININET(?,00000000,?,?), ref: 0034D79D
GetLastError.KERNEL32(?,00000000,?,?,?,0034CA51,00000000), ref: 0034D7E2
SetEvent.KERNEL32(?,?,00000000,?,?,?,0034CA51,00000000), ref: 0034D7F6
SetEvent.KERNEL32(?,?,00000000,?,?,?,0034CA51,00000000), ref: 0034D820

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: aa96fc5e913afab844e254c7207494dfe07c29d1b6871f40033a22b4d3cd7dbe
Instruction ID: 0ed7572ca11bf918c73dfbbefb35e880be295bd6373668ed4074cb8366e9fdf4
Opcode Fuzzy Hash: aa96fc5e913afab844e254c7207494dfe07c29d1b6871f40033a22b4d3cd7dbe
Instruction Fuzzy Hash: 20312871A00209AFDB22DFA5D884AAFBBFCEB04355B10842EE506DA641D774BE419B60

Function 00351176 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00351197
GetForegroundWindow.USER32 ref: 003511AE
GetDC.USER32(00000000), ref: 003511EA
GetPixel.GDI32(00000000,?,00000003), ref: 003511F6
ReleaseDC.USER32(00000000,00000003), ref: 0035122E

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: ba83c29bece9c8f74d24446349fb20920dd18b06a9ccecea7bfc87668d44b7d5
Instruction ID: f8a46de57a9e72d9471a0ec4c5b2e1961ccc14c8144a4f43eaed54cc2538c431
Opcode Fuzzy Hash: ba83c29bece9c8f74d24446349fb20920dd18b06a9ccecea7bfc87668d44b7d5
Instruction Fuzzy Hash: 7221C036B00204AFD715EF65C888A9EBBF9EF48300F10C069F84ADB761CA70AD44CB90

Function 0030D1DD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0030D1E6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0030D209

Part of subcall function 00303C40: RtlAllocateHeap.NTDLL(00000000,00000000,?,?,002F0215,00000000,?,002D8E5F,00000004,?,00314C6B,?,?,002D10E8,0036DBF4), ref: 00303C72

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0030D22F
_free.LIBCMT ref: 0030D242
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0030D251

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 7bb9298df7414501dd9e6b43bef7f13ebda88755e2969e2f46f8697443401e3d
Instruction ID: 1ea1ee9a0af056ecf6aad802ca80b5086de67def85d8f3f2f59975ad00b0212c
Opcode Fuzzy Hash: 7bb9298df7414501dd9e6b43bef7f13ebda88755e2969e2f46f8697443401e3d
Instruction Fuzzy Hash: 8D01D472A032157FA32326FA5C9CC7B6AADDEC6B603150129FD04D6680DFA0CC0191B0

Function 00303218 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,?,00302C3D,00303C83,?,?,002F0215,00000000,?,002D8E5F,00000004,?,00314C6B), ref: 0030321D
_free.LIBCMT ref: 00303252
_free.LIBCMT ref: 00303279
SetLastError.KERNEL32(00000000), ref: 00303286
SetLastError.KERNEL32(00000000), ref: 0030328F

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 4f7aaa80490af5771e0b3285d7b7c421ab10a70293b3ff079603ebe8905e2fc9
Instruction ID: 4135c5c2dd3cd56841d8f4404da5b24c5be8f27d663289fa3f881bc42911056b
Opcode Fuzzy Hash: 4f7aaa80490af5771e0b3285d7b7c421ab10a70293b3ff079603ebe8905e2fc9
Instruction Fuzzy Hash: 1F012836647A0467C6133736ECAAD6B265DEFD1370F320A29F816D62D1EF718E014121

Function 0033082D Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00330760,80070057,?,?,?,00330B7D), ref: 0033084A
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00330760,80070057,?,?), ref: 00330865
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00330760,80070057,?,?), ref: 00330873
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00330760,80070057,?), ref: 00330883
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00330760,80070057,?,?), ref: 0033088F

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 8b38e9f9f6f791af5573488c641e0e40b289482b0428f3d5aa42c2e26ff5a892
Instruction ID: 6ecb038eb321bee6d65dcb449a192712ce8c365298504a9431e20dba41eacdc6
Opcode Fuzzy Hash: 8b38e9f9f6f791af5573488c641e0e40b289482b0428f3d5aa42c2e26ff5a892
Instruction Fuzzy Hash: 1A018F76A00214EFDB165F54CC88BAA7EADEF84792F154024F949DB210D7B0DD409BA0

Function 0033F152 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0033F16E
QueryPerformanceFrequency.KERNEL32(?), ref: 0033F17C
Sleep.KERNEL32(00000000), ref: 0033F184
QueryPerformanceCounter.KERNEL32(?), ref: 0033F18E
Sleep.KERNEL32 ref: 0033F1CA

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: d575b8107baee5aa42b127cfabc1ccd72acbf59d23d5483b27e7ef16dea3f746
Instruction ID: e638aca47864cbe508aecf79022d84632c41d2fbcd28ea1e06d2fe0338a6cae3
Opcode Fuzzy Hash: d575b8107baee5aa42b127cfabc1ccd72acbf59d23d5483b27e7ef16dea3f746
Instruction Fuzzy Hash: 14012571D00629DFCF02AFB5EC89AEEBB7DFF09701F814466E901B2254DBB0965487A1

Function 00331973 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0033198E
GetLastError.KERNEL32(?,00000000,00000000,?,?,00331415,?,?,?), ref: 0033199A
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00331415,?,?,?), ref: 003319A9
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00331415,?,?,?), ref: 003319B0
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 003319C7

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 6b6107fa6fd495747b95f74527e549288b523649f5c84261a93b6c6a5ae4d53c
Instruction ID: 3816f3f28c39f527246359fa94e4742f45bd28c8ab590257683f85a15c151704
Opcode Fuzzy Hash: 6b6107fa6fd495747b95f74527e549288b523649f5c84261a93b6c6a5ae4d53c
Instruction Fuzzy Hash: 4C0181B5600205BFDB134F65DC48E6A3B6EEF89360F214414F845D7260DBB1DC408A60

Function 0033182E Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00331844
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00331850
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0033185F
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00331866
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0033187C

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 50c32203d97d3e725f40565bd36e80398368814d09f91b76b803765c5d50ab33
Instruction ID: 98f6d06f542bc8da088bf5916c3ca0383afc97af847fe9263ab13a9d2e4ec7b5
Opcode Fuzzy Hash: 50c32203d97d3e725f40565bd36e80398368814d09f91b76b803765c5d50ab33
Instruction Fuzzy Hash: 8EF06D76600305BBDB121FA5DC8DF963BADEF89761F218424FA45CB2A0DAB1DC108A60

Function 0033188E Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 003318A4
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 003318B0
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003318BF
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 003318C6
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003318DC

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f8584553f4faffe310dc3c2e0fc80aae1d37d0b4e00f93d3e4b2364ea7d3352b
Instruction ID: 34ce7b76a7c22c6ee7d7d97124a582630e9ff60781c680289829ea92ee4e062c
Opcode Fuzzy Hash: f8584553f4faffe310dc3c2e0fc80aae1d37d0b4e00f93d3e4b2364ea7d3352b
Instruction Fuzzy Hash: BBF06275600301BBD7230FA5EC5DF563B6DEF89760F114415F945CB260DAB1D8108A70

Function 00340B69 Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,003409E1,?,00343C13,?,00000001,00314EA0,?), ref: 00340B7E
CloseHandle.KERNEL32(?,?,?,?,003409E1,?,00343C13,?,00000001,00314EA0,?), ref: 00340B8B
CloseHandle.KERNEL32(?,?,?,?,003409E1,?,00343C13,?,00000001,00314EA0,?), ref: 00340B98
CloseHandle.KERNEL32(?,?,?,?,003409E1,?,00343C13,?,00000001,00314EA0,?), ref: 00340BA5
CloseHandle.KERNEL32(?,?,?,?,003409E1,?,00343C13,?,00000001,00314EA0,?), ref: 00340BB2
CloseHandle.KERNEL32(?,?,?,?,003409E1,?,00343C13,?,00000001,00314EA0,?), ref: 00340BBF

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a593e58807d1b35c3dc0c545e78b9cb765887303cb52f9bcd6f37be29d5b3f91
Instruction ID: b4af01ea3ceaa828503b3eb57365adf9ab46cfb164e944b19cba05fc472f23b0
Opcode Fuzzy Hash: a593e58807d1b35c3dc0c545e78b9cb765887303cb52f9bcd6f37be29d5b3f91
Instruction Fuzzy Hash: 03019071901B159FCB359F66D880812FAF9FE503193168A3ED29652931C3B0B954CE84

Function 00336460 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00336474
GetWindowTextW.USER32(00000000,?,00000100), ref: 0033648B
MessageBeep.USER32(00000000), ref: 003364A3
KillTimer.USER32(?,0000040A), ref: 003364BF
EndDialog.USER32(?,00000001), ref: 003364D9

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 61c2b85282718fc25651ea0704817587a3f7e1566184d3c064787c7048cbc25b
Instruction ID: dc3253490f1458149bc14eca37a6ec24d6cba9fc533a472bf37b0a6d7153e3fb
Opcode Fuzzy Hash: 61c2b85282718fc25651ea0704817587a3f7e1566184d3c064787c7048cbc25b
Instruction Fuzzy Hash: EC018130E00304BFEB325B25DD9FB967BBCBF00705F018559E686A14E1DBF4A9548B90

Function 0030DB5A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0030DB72

Part of subcall function 00302DE8: RtlFreeHeap.NTDLL(00000000,00000000,?,0030DBF1,?,00000000,?,00000000,?,0030DC18,?,00000007,?,?,0030E016,?), ref: 00302DFE
Part of subcall function 00302DE8: GetLastError.KERNEL32(?,?,0030DBF1,?,00000000,?,00000000,?,0030DC18,?,00000007,?,?,0030E016,?,?), ref: 00302E10

_free.LIBCMT ref: 0030DB84
_free.LIBCMT ref: 0030DB96
_free.LIBCMT ref: 0030DBA8
_free.LIBCMT ref: 0030DBBA

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 62149417b7a172958b5176e34f896d35d03004a36d689debc3d284f03037bbb7
Instruction ID: 05630f04270bfe35c290bc9e82c01e14767072a6d16aa3ecf4779f694d450eec
Opcode Fuzzy Hash: 62149417b7a172958b5176e34f896d35d03004a36d689debc3d284f03037bbb7
Instruction Fuzzy Hash: A4F0D672546204ABCA23FB98F9A6D1B77EDBE447107970C06F059DB591C731FC809B64

Function 00302630 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0030264E

Part of subcall function 00302DE8: RtlFreeHeap.NTDLL(00000000,00000000,?,0030DBF1,?,00000000,?,00000000,?,0030DC18,?,00000007,?,?,0030E016,?), ref: 00302DFE
Part of subcall function 00302DE8: GetLastError.KERNEL32(?,?,0030DBF1,?,00000000,?,00000000,?,0030DC18,?,00000007,?,?,0030E016,?,?), ref: 00302E10

_free.LIBCMT ref: 00302660
_free.LIBCMT ref: 00302673
_free.LIBCMT ref: 00302684
_free.LIBCMT ref: 00302695

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 859c2221e611ae9ba7200b331bed759a98774ee76eb77f969398ac851078451b
Instruction ID: 0f42b19a14de196da3fc9074d41f502de27eca45e996b196c1d276177986a5b4
Opcode Fuzzy Hash: 859c2221e611ae9ba7200b331bed759a98774ee76eb77f969398ac851078451b
Instruction Fuzzy Hash: FBF0FE768162609FCA437F19BD1665A3B6CFB1A711F010707F4249A2F5CB360D42EF84

Function 003012D7 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00301489
__freea.LIBCMT ref: 003014A7

Part of subcall function 003018C7: _free.LIBCMT ref: 003018DF

Strings

a/p, xrefs: 0030156E
am/pm, xrefs: 0030150A

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 688cf96ddbb64248fe9247df6b3c8b51a1f22d44d5cdeecd41e6961447da97c0
Instruction ID: c5f8f75c491912d7dc60dc36d23de554fbc1ef26b0f64250f86c4ba2a3c8ca98
Opcode Fuzzy Hash: 688cf96ddbb64248fe9247df6b3c8b51a1f22d44d5cdeecd41e6961447da97c0
Instruction Fuzzy Hash: B8D1037591220ACBDB2B9F68C8B57BAB7B4FF05710F2A4159E902AB6D0D3758D40CB90

Function 002E3620 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002E38F3

Strings

d5:, xrefs: 002E38DA
d5:, xrefs: 002E366F
d5:, xrefs: 002E3668

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Init_thread_footer
String ID: d5:$d5:$d5:
API String ID: 1385522511-119481748
Opcode ID: c35ff5521344ca1b62a1203ee756577ea9ed11bb95e04ce104d94ccd96dd6255
Instruction ID: 1b71bf731ebd94f01b4b597e8d668fefabdf56cef5299535c93281136ea6ee68
Opcode Fuzzy Hash: c35ff5521344ca1b62a1203ee756577ea9ed11bb95e04ce104d94ccd96dd6255
Instruction Fuzzy Hash: BA9179B5E60246DFCB14CF6AC0946A9B7F1FF59301FA48169E9419B340E331EEA1CB90

Function 00308E81 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00308F8E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00308F9A
__dosmaperr.LIBCMT ref: 00308FA1

Strings

N/, xrefs: 00308E83

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: N/
API String ID: 2434981716-2604995802
Opcode ID: 0504d72a056aae466715c9f7cec4fbe0d3853fd97c449f7538868c5a35700de2
Instruction ID: 579919fc3d0e215000fb803d24b73eb2d6357deeeb59159ae17e0d5d87068fdd
Opcode Fuzzy Hash: 0504d72a056aae466715c9f7cec4fbe0d3853fd97c449f7538868c5a35700de2
Instruction Fuzzy Hash: 1A415C30605156AFDB239F34D8A0A793FABDF46304F298299F8C5875D2DA31CD028750

Function 00332F16 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0033BC27: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003329D0,?,?,00000034,00000800,?,00000034), ref: 0033BC51

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00332F60

Part of subcall function 0033BBF2: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003329FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0033BC1C

Part of subcall function 0033BB4E: GetWindowThreadProcessId.USER32(?,?), ref: 0033BB79
Part of subcall function 0033BB4E: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00332994,00000034,?,?,00001004,00000000,00000000), ref: 0033BB89
Part of subcall function 0033BB4E: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00332994,00000034,?,?,00001004,00000000,00000000), ref: 0033BB9F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00332FCD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0033301A

Strings

@, xrefs: 00333032

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 283801c43ff0c69ba651454708617bcf17d180f885c0dffaa30f9a113a7b9b8d
Instruction ID: 60d57245d9e1bfd6eb5052ec945b53918c3ff0c4145d78bee79ff81e2a67e214
Opcode Fuzzy Hash: 283801c43ff0c69ba651454708617bcf17d180f885c0dffaa30f9a113a7b9b8d
Instruction Fuzzy Hash: CF412C72900218AFDB11DFA4CD85ADEFBB8EF49700F008195FA85BB190DA706E85DB61

Function 00301ABE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\578678\Cooper.pif,00000104), ref: 00301AF9
_free.LIBCMT ref: 00301BC4
_free.LIBCMT ref: 00301BCE

Strings

C:\Users\user\AppData\Local\Temp\578678\Cooper.pif, xrefs: 00301AF0, 00301AF7, 00301B26, 00301B5E

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\Temp\578678\Cooper.pif
API String ID: 2506810119-58805975
Opcode ID: c7ce7909f990f9e8373c4720b59a23d284a03ec956da0d7bd85a0028d3d8ac98
Instruction ID: 39a696579557900f2471915d59626572cc377f6734314eea78435096222f3f34
Opcode Fuzzy Hash: c7ce7909f990f9e8373c4720b59a23d284a03ec956da0d7bd85a0028d3d8ac98
Instruction Fuzzy Hash: 37316071A02218ABDB23DF999C95D9FBBFCEB85710F114166F4049B290E7B08E40DB90

Function 0033C9D3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0033CA5C
DeleteMenu.USER32(?,00000007,00000000), ref: 0033CAA2
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,003A29B0,00D04B18), ref: 0033CAEB

Strings

0, xrefs: 0033CA35

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 47fa1c7c160c5974f552b76f74fcb14cac70cf7c14ba34bb8e1cdccf580a9496
Instruction ID: 48463e52b939f3832242aa4b072d076a1c677006d824a3e4248bcfe1a7d51760
Opcode Fuzzy Hash: 47fa1c7c160c5974f552b76f74fcb14cac70cf7c14ba34bb8e1cdccf580a9496
Instruction Fuzzy Hash: D041E2302143419FD722DF24C8C5F1ABBE8EF85364F14462DF566A7291E770E804CB62

Function 00364AF2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0036DBF4,00000000,?,?,?,?), ref: 00364B86
GetWindowLongW.USER32 ref: 00364BA3
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00364BB3

Strings

SysTreeView32, xrefs: 00364B58

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 8baa4d88355989422fb4a2e5723952ebc0db44c6821acb3e8e894cc53d928279
Instruction ID: be4af648c5883e92a9db890c57e3125eabfd8b997e3f38e0a0ab70e2c491415d
Opcode Fuzzy Hash: 8baa4d88355989422fb4a2e5723952ebc0db44c6821acb3e8e894cc53d928279
Instruction Fuzzy Hash: B1318F31A00205ABDF168F78DC45BEA7BA9EB49334F218315F9B5932D4D770EC618B50

Function 0033768D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00337709
VariantCopyInd.OLEAUT32(?,?), ref: 00337724
VariantClear.OLEAUT32(?), ref: 0033772E

Strings

Fr3, xrefs: 003376A7, 003376AC, 00337714

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: Fr3
API String ID: 2173805711-697258498
Opcode ID: a0796c24b4bc44cad675814a2b978995c56bfffd6cc6c3871ce4c1541c79dafa
Instruction ID: 89df7683213c86ca86ab4d7c4a7fe1a0c0bd1b51236c2501b623ebf77a62863e
Opcode Fuzzy Hash: a0796c24b4bc44cad675814a2b978995c56bfffd6cc6c3871ce4c1541c79dafa
Instruction Fuzzy Hash: 4531A4B5619245DFCB26AF24D8D18BD3779FF46310F610859F8124B391CB349D22DB94

Function 00353821 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00353B2E: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,0035384A,?,?), ref: 00353B4B

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0035384D
_wcslen.LIBCMT ref: 0035386E
htons.WSOCK32(00000000,?,?,00000000), ref: 003538D9

Strings

255.255.255.255, xrefs: 00353868, 0035386D

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 06770d001f3edfbcf2c59a7059c5933627c407766b5032b0571fc5cf90cf9cb7
Instruction ID: 4bd7f68a6814cfdb5ef97c378d865eeb8daf8193765f4f8bfea3231996b3052a
Opcode Fuzzy Hash: 06770d001f3edfbcf2c59a7059c5933627c407766b5032b0571fc5cf90cf9cb7
Instruction Fuzzy Hash: BA31D0796002058FCB16CF68C485E697BE5EF14399F258059FC168B3A2D771EE4DCB60

Function 00364592 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0036461A
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 0036462E
SendMessageW.USER32(?,00001002,00000000,?), ref: 00364652

Strings

SysMonthCal32, xrefs: 003645E5

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 5f1f05c97da39b78a2a2815f73d2befcb39fd3e6d3584cdf2795ac9a5f319f7e
Instruction ID: 308aa9e1c712c7186ed0c6a53260b6bbfb326d82f5cfa26f9a0510107460c623
Opcode Fuzzy Hash: 5f1f05c97da39b78a2a2815f73d2befcb39fd3e6d3584cdf2795ac9a5f319f7e
Instruction Fuzzy Hash: B121A132A00229BBDF128F54CC46FEA3B79EF89714F114214FE156B1D4DAB5A8558B90

Function 00364D2F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00364DE1
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00364DEF
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00364DF6

Strings

msctls_updown32, xrefs: 00364D60

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 5e84f997b633f04a9ac5dd2b6c260b86c5efb6efca7432830f9a841fa2f82355
Instruction ID: df499cb87dedcb598664cecef6396a8fcfc0abbe02308bfebfe2e9323e6aad19
Opcode Fuzzy Hash: 5e84f997b633f04a9ac5dd2b6c260b86c5efb6efca7432830f9a841fa2f82355
Instruction Fuzzy Hash: 9D216DB5A00209AFDB12DF28DC91DB737ADEB5A3A4F114059FA009B366CB70EC518A60

Function 0034530B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0034531F
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00345373
SetErrorMode.KERNEL32(00000000,?,?,0036DBF4), ref: 003453E7

Strings

%lu, xrefs: 00345386

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: bf88b53b609544a775a706ab9938fdb6571ec16e2c38f11a41dcbc331958cb6a
Instruction ID: da21092dad051ec55e5da1454101e038f83e578a64dd1ca8c1aa272fa6eac9b7
Opcode Fuzzy Hash: bf88b53b609544a775a706ab9938fdb6571ec16e2c38f11a41dcbc331958cb6a
Instruction Fuzzy Hash: 4A310F75A00109AFDB11DF54C985EAAB7F8EF08308F158095E509DB252DBB1EE45CF61

Function 003648C7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0036492B
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00364940
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0036494D

Strings

msctls_trackbar32, xrefs: 00364902

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 735a919936df6865b95a9d55427381c9673844c4511f7f68f50f633069fd353f
Instruction ID: 65f5ed64da7f96341393598312b8036b2f7582b6320bc3e7306322426f98e221
Opcode Fuzzy Hash: 735a919936df6865b95a9d55427381c9673844c4511f7f68f50f633069fd353f
Instruction Fuzzy Hash: 1411E332640248BEEF125F28CC06FEB3BACEF85B64F128124FA50E6190C671DC618B20

Function 0033375C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002DB0DB: _wcslen.LIBCMT ref: 002DB0EE

Part of subcall function 003335B2: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 003335D0
Part of subcall function 003335B2: GetWindowThreadProcessId.USER32(?,00000000), ref: 003335E1
Part of subcall function 003335B2: GetCurrentThreadId.KERNEL32 ref: 003335E8
Part of subcall function 003335B2: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 003335EF

GetFocus.USER32 ref: 00333782

Part of subcall function 003335F9: GetParent.USER32(00000000), ref: 00333604

GetClassNameW.USER32(?,?,00000100), ref: 003337CD
EnumChildWindows.USER32(?,00333845), ref: 003337F5

Strings

%s%d, xrefs: 00333809

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: b807c57a26d80a2a75d5f97c2b7eea49025e3ec8c90016adf5f35dac11f6b14a
Instruction ID: 060694efce8dfe55d88e262919ceae8e8d9d794a2c62cbacbb1cab040c0bbd1e
Opcode Fuzzy Hash: b807c57a26d80a2a75d5f97c2b7eea49025e3ec8c90016adf5f35dac11f6b14a
Instruction Fuzzy Hash: 6411A2B57002059BDF02BF708CC5AEE776A9F88314F048075FD099B292DE719A4A8B70

Function 002D53CE Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 002D5403
DestroyWindow.USER32(?,002D3CA9,?,?,?,?,?,002D3BFA,?,?), ref: 002D5460

Strings

,):, xrefs: 002D53D8
,):, xrefs: 00314AFE

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: DeleteDestroyObjectWindow
String ID: ,):$,):
API String ID: 2587070983-3255745019
Opcode ID: 7fb41aa1c11f3ba5bb68ad0e2a144fe5bfac11311b02951c130952687c0d66e0
Instruction ID: 435b3f71fe4f65c46424479ecdbc623ea59e5e9ee27aabb255d4b64715fb1d82
Opcode Fuzzy Hash: 7fb41aa1c11f3ba5bb68ad0e2a144fe5bfac11311b02951c130952687c0d66e0
Instruction Fuzzy Hash: A9210E347266128FDB5ADF1CE854B2733E9FB56B51F05405EE40297360CBB49CA5DB01

Function 0036877A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,003A4028,003A406C), ref: 003687C7
CloseHandle.KERNEL32 ref: 003687D9

Strings

(@:, xrefs: 00368783
l@:, xrefs: 00368792

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: (@:$l@:
API String ID: 3712363035-3709836884
Opcode ID: a966cd4cd3f55443a8d1fee90206323fc217c49defdf05f778351a75d26d9afe
Instruction ID: 75c0e57822cfb16f84d25dada3c9cf5d29983db11c61495cac980f177fce6f48
Opcode Fuzzy Hash: a966cd4cd3f55443a8d1fee90206323fc217c49defdf05f778351a75d26d9afe
Instruction Fuzzy Hash: CBF0BEF6640208FAE312A761AC45FB7BA4CEB4A351F114020FB09D6192D6F54C2497B9

Function 0032E53F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0032E55E
FreeLibrary.KERNEL32 ref: 0032E584

Strings

X64, xrefs: 0032E447
GetSystemWow64DirectoryW, xrefs: 0032E558

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 5f385a1259d2629f3f459e1dd664534b7240c67ec820af953189f85f47a1cf73
Instruction ID: 040138d8541ace32c6cfbbc9b97a2066ac3236c184a13b2a884ad06c85893cbe
Opcode Fuzzy Hash: 5f385a1259d2629f3f459e1dd664534b7240c67ec820af953189f85f47a1cf73
Instruction Fuzzy Hash: 1EE09B31A1563197CBB3A7115C49A6D222C6F13701FAA4458E902E6184EBB4CD4486A0

Function 0033089E Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f501ba0a52332d1cfde6b775ec2ff35d2292cb89dda80c5e605bd801ccb12285
Instruction ID: 4c8f46384506ea248beef7f90572f991bbb0cdc74d0c55e84f99e4fb92810aab
Opcode Fuzzy Hash: f501ba0a52332d1cfde6b775ec2ff35d2292cb89dda80c5e605bd801ccb12285
Instruction Fuzzy Hash: B0C14C75A00216EFDB09CFA4C894EAEB7B9FF48714F118598E505EB261D731ED81CB90

Function 003042A0 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0030432B
__alldvrm.LIBCMT ref: 0030452C
__alldvrm.LIBCMT ref: 0030454E

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: b7f10559f626c80453af757d5ec9f0138941ef8a887e3562974eb8c521b6b901
Instruction ID: 983f63806d6821fafe33811d8b198d0f7a7da75549c834e5d14b7dd261fdefbc
Opcode Fuzzy Hash: b7f10559f626c80453af757d5ec9f0138941ef8a887e3562974eb8c521b6b901
Instruction Fuzzy Hash: 51A168B59023869FDB27CF28CCA17AEBBE4EF56310F1941ADE6859B2C1C2349E51C750

Function 00353C01 Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00353C2C
CoUninitialize.OLE32 ref: 00353C36
VariantInit.OLEAUT32(?), ref: 00353C41
VariantClear.OLEAUT32(?), ref: 00353EEE

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: aae5d3e7d5da470a24e29982ef24596ddca4b62c18f32f57462c41c9d40c593c
Instruction ID: 00ab53b5bf6f123b3173ef057d60057be568f50b924b78f555991d2fbae6c08a
Opcode Fuzzy Hash: aae5d3e7d5da470a24e29982ef24596ddca4b62c18f32f57462c41c9d40c593c
Instruction Fuzzy Hash: CBA169756142419FCB11EF68C495E2AB7E4FF88750F158459F98A9B362CB30EE04CF92

Function 00330C55 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00370BCC,?), ref: 00330E0F
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00370BCC,?), ref: 00330E27
CLSIDFromProgID.OLE32(?,?,00000000,0036DC00,000000FF,?,00000000,00000800,00000000,?,00370BCC,?), ref: 00330E4C
_memcmp.LIBVCRUNTIME ref: 00330E6D

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 848e582938bc4004662d61da49563a01ea572650c8ea8f247719301c8f6f23fa
Instruction ID: afbab6712ea8b9d9c24877d34154dc71ab7b2dcfe5eb5fa78816de1f3adadba9
Opcode Fuzzy Hash: 848e582938bc4004662d61da49563a01ea572650c8ea8f247719301c8f6f23fa
Instruction Fuzzy Hash: 89810971A00109EFCB05DFD4C894EEEB7B9FF89315F208559E516AB250DB71AE06CB60

Function 003117B1 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003118E0

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 0fdd8fa02ec7930e1ad0986ad2eb73bbfbbb391cf067ec32b86e1f5569537253
Instruction ID: 6034145038226aba89e1c867f7cc7019f7c47a7b46836715923cca4b57b5ed13
Opcode Fuzzy Hash: 0fdd8fa02ec7930e1ad0986ad2eb73bbfbbb391cf067ec32b86e1f5569537253
Instruction Fuzzy Hash: 41419E31A012046BDB2B7BBD8C95BFF3AA8EF0A370F158615F628DA2D1D7704C819361

Function 0035231C Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00352343
WSAGetLastError.WSOCK32 ref: 00352351
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 003523D0
WSAGetLastError.WSOCK32 ref: 003523DA

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 57ec2158b890cd76b1aa54a3e24584a161d6f645ba92288e89d1a45a8d25363d
Instruction ID: 8cc624b7ee88f4c7eb9c7e951f231d26ee53aa9aed94623d09d544cbcb28de8f
Opcode Fuzzy Hash: 57ec2158b890cd76b1aa54a3e24584a161d6f645ba92288e89d1a45a8d25363d
Instruction Fuzzy Hash: B241DF78640200AFE721AF24C886F6A7BE5AB05718F54C099F9599F3D3C772ED52CB90

Function 003668ED Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00366957
ScreenToClient.USER32(?,?), ref: 0036698A
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 003669F7

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: c477fe3bab5d1bce41a2ba9e1571eb2914ef0c534651fc7c28af8f6865eb8874
Instruction ID: 763ed37b24dbf9bbe7edb5d5431edb4777207dd7960275bef706bee0d314d965
Opcode Fuzzy Hash: c477fe3bab5d1bce41a2ba9e1571eb2914ef0c534651fc7c28af8f6865eb8874
Instruction Fuzzy Hash: 84514D74A00209EFCF12CF54C981AAE7BB5FF45760F11C159F8559B2A4D730AD51CB50

Function 0030B83F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0ac6b8a69871c325e2dd2dc1916c5ead03d3a150e0bfd959ef3d424079f4e2c
Instruction ID: d0811f95146e8196377e77d6e1cf7c96e3cdf6b597ba9f7bd50fcd5fa8af5d34
Opcode Fuzzy Hash: f0ac6b8a69871c325e2dd2dc1916c5ead03d3a150e0bfd959ef3d424079f4e2c
Instruction Fuzzy Hash: 40413471A01748AFE726AF78CC55BABFBE8EB88710F10862AF111DF2D0D37599018790

Function 0033B27B Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0033B2D0
SetKeyboardState.USER32(00000080), ref: 0033B2EC
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0033B35A
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0033B3AC

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ab7123b6f4971abdd58af8dc6e51e67ba733f2a8ece1d0468699b0ba5a4429c3
Instruction ID: 12914143352c6c7445fb907c629ffc9834d91a601b389985f76851d466515a3c
Opcode Fuzzy Hash: ab7123b6f4971abdd58af8dc6e51e67ba733f2a8ece1d0468699b0ba5a4429c3
Instruction Fuzzy Hash: 65312E34E40268AEFF238A25CC857FDFBA9AF45330F48821AF2D1561D0C374CA858751

Function 0036599D Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00365A2E
GetWindowLongW.USER32(?,000000F0), ref: 00365A51
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00365A5E
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00365A84

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 9dcef168df96e0deb00b1e1b7db96f8958000f740cffba03c00d8e45cb1d913b
Instruction ID: d0ea78502fbec05a4f77483a65db74052eb83b9e71c30f60e7b061ff5aa897b4
Opcode Fuzzy Hash: 9dcef168df96e0deb00b1e1b7db96f8958000f740cffba03c00d8e45cb1d913b
Instruction Fuzzy Hash: D031E334A61A48AEEB339F94CC86FE93769FB05310F09C222FA51962E5C7706D50DB41

Function 0033B3C0 Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 0033B415
SetKeyboardState.USER32(00000080,?,00008000), ref: 0033B431
PostMessageW.USER32(00000000,00000101,00000000), ref: 0033B498
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 0033B4EA

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b813041d2fb1a9229767f2096b20607f61ce8e5b6ef6ecfe32477f8933cde89b
Instruction ID: e1c9903a65806eb0922390fa8001bc4588e80c6a748e4a1e4aa9a33eca4850a7
Opcode Fuzzy Hash: b813041d2fb1a9229767f2096b20607f61ce8e5b6ef6ecfe32477f8933cde89b
Instruction Fuzzy Hash: 14318030E00608AEFF33CF66C8857FAFB69AF44314F45821AE685962D2C37989418799

Function 0033E75E Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 002D7A0C: _wcslen.LIBCMT ref: 002D7A11

_wcslen.LIBCMT ref: 0033E794
_wcslen.LIBCMT ref: 0033E7AB
_wcslen.LIBCMT ref: 0033E7D6
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0033E7E1

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: b834617242611a2ed71175cd901970ce629463d630427d8008972841597185b1
Instruction ID: 4851e5b93b419bd0485c6d4d10991e5c868960482bc1de839cc352ae6503b44a
Opcode Fuzzy Hash: b834617242611a2ed71175cd901970ce629463d630427d8008972841597185b1
Instruction Fuzzy Hash: 6521B275D00218AFCB12EFA4C8C1BBEBBF9EF45750F154065E904AB381D6709E41CBA1

Function 003695D1 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D23E1: GetWindowLongW.USER32(00000000,000000EB), ref: 002D23F2

GetCursorPos.USER32(?), ref: 00369609
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0036961E
GetCursorPos.USER32(?), ref: 00369666
DefDlgProcW.USER32(?,0000007B,?,?,?,?), ref: 0036969C

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: bc329f1dd698e8bb403ee4143132537bc1138c796b3713b6c91554654e624f19
Instruction ID: 1b468b4ec125d29d3be7fd71a216241ca3bf4666c397ff19b99b9983ff2cf802
Opcode Fuzzy Hash: bc329f1dd698e8bb403ee4143132537bc1138c796b3713b6c91554654e624f19
Instruction Fuzzy Hash: 1B21AD35601218EFCB268F98C858EEA7BBDEB4A720F01819AF9064A161C3719D60DB60

Function 0033DA23 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0036DB10), ref: 0033DA5D
GetLastError.KERNEL32 ref: 0033DA6C
CreateDirectoryW.KERNEL32(?,00000000), ref: 0033DA7B
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0036DB10), ref: 0033DAD8

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: be4d40f9ef2e2deec90a75cf86d0ef78f5280cbde34aab7ea4d57348ca37e2da
Instruction ID: 7cb7094ca17c5844eaa49512823c91b0136f97052f86fe0566ed4933b87700c8
Opcode Fuzzy Hash: be4d40f9ef2e2deec90a75cf86d0ef78f5280cbde34aab7ea4d57348ca37e2da
Instruction Fuzzy Hash: 3A218170A0C2019F8311DF29EDC58ABBBE8AE5A364F104A5EF499C72A1D770DD56CB42

Function 00362E5C Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00362EE4
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00362EFE
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00362F0C
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00362F1A

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 1d602eafb5fead3f7d814d3948b2aa3aee424ec7c48521924371808b993b81d5
Instruction ID: 9f7ca851ef60ff61e3ac77f8df3cc269e490d3004d68da8811762ca3201fe07a
Opcode Fuzzy Hash: 1d602eafb5fead3f7d814d3948b2aa3aee424ec7c48521924371808b993b81d5
Instruction Fuzzy Hash: 2D21C131309911AFD7169B14C854FAB7BA9AF86324F25C158F4268B2D2C7B1EC81CBD0

Function 00338111 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00339599: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00338126,?,000000FF,?,00338F70,00000000,?,0000001C,?,?), ref: 003395A8
Part of subcall function 00339599: lstrcpyW.KERNEL32(00000000,?,?,00338126,?,000000FF,?,00338F70,00000000,?,0000001C,?,?,00000000), ref: 003395CE
Part of subcall function 00339599: lstrcmpiW.KERNEL32(00000000,?,00338126,?,000000FF,?,00338F70,00000000,?,0000001C,?,?), ref: 003395FF

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00338F70,00000000,?,0000001C,?,?,00000000), ref: 0033813F
lstrcpyW.KERNEL32(00000000,?,?,00338F70,00000000,?,0000001C,?,?,00000000), ref: 00338165
lstrcmpiW.KERNEL32(00000002,cdecl,?,00338F70,00000000,?,0000001C,?,?,00000000), ref: 003381A0

Strings

cdecl, xrefs: 00338197

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 97975bcef192d2594ce3732b6ca6842bf9a697a3f954cd7f0125fb421b711bca
Instruction ID: 77aefe68c36c2dcfd6a61b4abf8123d74a70b75a792b474860652146003b5041
Opcode Fuzzy Hash: 97975bcef192d2594ce3732b6ca6842bf9a697a3f954cd7f0125fb421b711bca
Instruction Fuzzy Hash: CF11D33A600301ABDB169F38D885A7A77A9FF49350F50802AF902CB260EF71D812C7A0

Function 00302099 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d83e0f8bbdfe41313c55b3266b899e5fec720294e847c74a085f1c5d787fbe9
Instruction ID: 2720dddfc9dcc54c7c05753721fd498841a96322f5e7f45b519042946cba5fbd
Opcode Fuzzy Hash: 4d83e0f8bbdfe41313c55b3266b899e5fec720294e847c74a085f1c5d787fbe9
Instruction Fuzzy Hash: B401D6B260B6163EFA2326796CE9F27670DDF423B8F360325F631A51D1DBB08C005660

Function 003322A1 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 003322C1
SendMessageW.USER32(?,000000C9,?,00000000), ref: 003322D3
SendMessageW.USER32(?,000000C9,?,00000000), ref: 003322E9
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00332304

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 73541bbc8424ca94855ccdb4ace883e4db8a8f847702feec3768f409fa233190
Instruction ID: 43f6e9851be69c4045b8ffcc9fe50f207953d2f4d74a861d2164ce10c8d56cd7
Opcode Fuzzy Hash: 73541bbc8424ca94855ccdb4ace883e4db8a8f847702feec3768f409fa233190
Instruction Fuzzy Hash: D211093AD00228FFEB119BA4CD85F9EBBB8FB08750F214091EA01B7290D7716E10DB94

Function 0036A4FB Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 002D23E1: GetWindowLongW.USER32(00000000,000000EB), ref: 002D23F2

GetClientRect.USER32(?,?), ref: 0036A539
GetCursorPos.USER32(?), ref: 0036A543
ScreenToClient.USER32(?,?), ref: 0036A54E
DefDlgProcW.USER32(?,00000020,?,00000000,?), ref: 0036A582

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 2b6977c8097d882b0952d56ab709b9f822e949b898ded6090095d5bea5e1515e
Instruction ID: 70d9fd548aba8cede3ca733e25713cbb3dbae89706687ad0788e785f75afe9d2
Opcode Fuzzy Hash: 2b6977c8097d882b0952d56ab709b9f822e949b898ded6090095d5bea5e1515e
Instruction Fuzzy Hash: BD114871A01519ABDB12DF58DC898EE7BBCFB06300F408555FA43E7554D370AA91CBA2

Function 0033E9AD Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0033E9D4
MessageBoxW.USER32(?,?,?,?), ref: 0033EA07
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0033EA1D
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0033EA24

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 67956cd58cdb8e55076cc22caa31dbd29c8788f1aa5a54027b0dd138e5e10ea0
Instruction ID: ed378a2117771c180ec4a6f019ac0e5c3075c9834a07fa28778bc19347ef1002
Opcode Fuzzy Hash: 67956cd58cdb8e55076cc22caa31dbd29c8788f1aa5a54027b0dd138e5e10ea0
Instruction Fuzzy Hash: 3611C4B6A00259BFCB039FAC9C44A9B7FADAB46320F148255F811E72D0D6B48D0487A0

Function 002FD5EC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,002FD419,00000000,00000004,00000000), ref: 002FD638
GetLastError.KERNEL32 ref: 002FD644
__dosmaperr.LIBCMT ref: 002FD64B
ResumeThread.KERNEL32(00000000), ref: 002FD669

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 4cf4759cb49634acd59033e52fa00aa5cb0b2d081b03a0fbcda9d705780f55cf
Instruction ID: e656d101d87a23a6893425d747f4c934129626b58a8683312fcc81352a32264e
Opcode Fuzzy Hash: 4cf4759cb49634acd59033e52fa00aa5cb0b2d081b03a0fbcda9d705780f55cf
Instruction Fuzzy Hash: 5301DB365251187BD7126F65DC09B7FBB6EDF81374F104225F628D61D0CBB08860C751

Function 002D6DB1 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 002D6DEF
GetStockObject.GDI32(00000011), ref: 002D6E03
SendMessageW.USER32(00000000,00000030,00000000), ref: 002D6E0D

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 3b756824e243db4784fb0c2c8870dcb58aef79d0919e46fc3919e24766d20eb9
Instruction ID: 7bb098c926f29b28f3f9b870e7fa2cb3e34dad13552af75472ea070d218efbc7
Opcode Fuzzy Hash: 3b756824e243db4784fb0c2c8870dcb58aef79d0919e46fc3919e24766d20eb9
Instruction Fuzzy Hash: 6C118772611549BFEB164F90DC58EEBBBADEF083A4F004106FA0492260C7B59C70ABA0

Function 00303493 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,002D10E8,00000000,00000000,?,0030343A,002D10E8,00000000,00000000,00000000,?,003036AB,00000006,FlsSetValue), ref: 003034C5
GetLastError.KERNEL32(?,0030343A,002D10E8,00000000,00000000,00000000,?,003036AB,00000006,FlsSetValue,00373248,FlsSetValue,00000000,00000364,?,00303266), ref: 003034D1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0030343A,002D10E8,00000000,00000000,00000000,?,003036AB,00000006,FlsSetValue,00373248,FlsSetValue,00000000), ref: 003034DF

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 35045b5ff8c0b2defa0bc5a7eda17fd2e4c0cae221c80a53f04bc1de26fcf5e4
Instruction ID: 9f578567c8cc493db0010a82a38f9f72571cda45f0157b30f219e4aaa8d96359
Opcode Fuzzy Hash: 35045b5ff8c0b2defa0bc5a7eda17fd2e4c0cae221c80a53f04bc1de26fcf5e4
Instruction Fuzzy Hash: BE012032713222ABC7334B7A9C54E577B5CEF05B60F250620F916DB1D0D721D901C6E0

Function 0033B8CC Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0033B4F7,?,00008000), ref: 0033B8E8
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0033B4F7,?,00008000), ref: 0033B90D
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0033B4F7,?,00008000), ref: 0033B917
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0033B4F7,?,00008000), ref: 0033B94A

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 59f92f4bd3ead98e9a36f8e9dc912cfaa21d2f8c7ba2bc9fdbede7d7ce9084c3
Instruction ID: 58eb8351257dda29b7052bc730adec1f60f73335974e4971038437fa24685f1c
Opcode Fuzzy Hash: 59f92f4bd3ead98e9a36f8e9dc912cfaa21d2f8c7ba2bc9fdbede7d7ce9084c3
Instruction Fuzzy Hash: 20110571D0452DEBCF029FA9E9897EEFB7CBF09721F11409ADA41B2250CBB09A508B55

Function 0036841C Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0036843B
ScreenToClient.USER32(?,?), ref: 00368453
ScreenToClient.USER32(?,?), ref: 00368477
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00368492

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: efa7c364c2959102bc677a71ff570dfb9066ed681128c627872c1407406ddd67
Instruction ID: 72ef3652d26fe8b8aed9cc88c9cc5cd8b9cee8cf54d6a0604d70c9e91bac03e9
Opcode Fuzzy Hash: efa7c364c2959102bc677a71ff570dfb9066ed681128c627872c1407406ddd67
Instruction Fuzzy Hash: E81144B9D0020AEFDB41CF99C8849EEBBF9FB08310F508166E915E3210D775AA55CF50

Function 003335B2 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 003335D0
GetWindowThreadProcessId.USER32(?,00000000), ref: 003335E1
GetCurrentThreadId.KERNEL32 ref: 003335E8
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 003335EF

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: a1081458071982ad081ab6b4b9d37b469e73a1c63a532d5d7402fe7e37f0ad9c
Instruction ID: 087ddb629dc8877bafa29b4a18cd993a0c1d5f98e27a928aa259086e57392350
Opcode Fuzzy Hash: a1081458071982ad081ab6b4b9d37b469e73a1c63a532d5d7402fe7e37f0ad9c
Instruction Fuzzy Hash: 43E06D71B01224BBEA221B629C4EEEB7F6CDB43BA1F408115F105D20909EE48A40C2B1

Function 00368E6B Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 002D1E82: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 002D1EDC
Part of subcall function 002D1E82: SelectObject.GDI32(?,00000000), ref: 002D1EEB
Part of subcall function 002D1E82: BeginPath.GDI32(?), ref: 002D1F02
Part of subcall function 002D1E82: SelectObject.GDI32(?,00000000), ref: 002D1F2B

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00368E8F
LineTo.GDI32(?,?,?), ref: 00368E9C
EndPath.GDI32(?), ref: 00368EAC
StrokePath.GDI32(?), ref: 00368EBA

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 7cab344fde0b8cdb2df94a2838ce587c265736111c9a38684661ceea2c6fb5cc
Instruction ID: e7caaa63d81f4e937d3c06cda4ad28e465c6c6464c169182dcbb975739fa00c0
Opcode Fuzzy Hash: 7cab344fde0b8cdb2df94a2838ce587c265736111c9a38684661ceea2c6fb5cc
Instruction Fuzzy Hash: CAF05E32501659BADB136F58AC09FCF3F6DAF0A710F04C100FA11210E187B55521DFA5

Function 002D20F0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 002D210C
SetTextColor.GDI32(?,?), ref: 002D2116
SetBkMode.GDI32(?,00000001), ref: 002D2129
GetStockObject.GDI32(00000005), ref: 002D2131

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 6173824f018217fe4a08b0636554c792c50e755428266b93402fccfaaa0b42cd
Instruction ID: ac25e122fd9c3548efe9269d9874a1a27b606b8953c3fabc5b57854ca7ca178b
Opcode Fuzzy Hash: 6173824f018217fe4a08b0636554c792c50e755428266b93402fccfaaa0b42cd
Instruction Fuzzy Hash: F0E06531740280AADB225B74AC09BE83F14AB16336F04C315F7BA480E0C3F146959B11

Function 0032EA29 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0032EA29
GetDC.USER32(00000000), ref: 0032EA33
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0032EA53
ReleaseDC.USER32(?), ref: 0032EA74

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 8645762838b93049091049370ab74c27286eee8d424642a7a4df72ff3d53e2f7
Instruction ID: 1a942e7484a7ede8cbcfe42064fdbb0871420cf3a8e13710b4e66b71aa4e3885
Opcode Fuzzy Hash: 8645762838b93049091049370ab74c27286eee8d424642a7a4df72ff3d53e2f7
Instruction Fuzzy Hash: 6AE01AB5D10200DFCF029FA1D808A6DBBB9FB08310F15C049E80AE3310C7B859019F10

Function 0032EA3D Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0032EA3D
GetDC.USER32(00000000), ref: 0032EA47
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0032EA53
ReleaseDC.USER32(?), ref: 0032EA74

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 863498fca5146ed206dca1237b2192ea04beb6dd5e9d197c6d684d213492a299
Instruction ID: a74a705e40e2fef2079b9b9803610704d26a1b02056f2b2d2c9cb0a7d3b2d2e9
Opcode Fuzzy Hash: 863498fca5146ed206dca1237b2192ea04beb6dd5e9d197c6d684d213492a299
Instruction Fuzzy Hash: C4E012B0E10200EFCF12AFA0D808A6DBBB9FB08310F11C049E90AE3310CBB89A019F10

Function 0034569E Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 002D7A0C: _wcslen.LIBCMT ref: 002D7A11

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 003457EB

Strings

LPT, xrefs: 00345712
*, xrefs: 00345727

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 31c03eb826e13305e2d28da2d1e38bb2b3b63f7613a520a0ed21c2af877f2e02
Instruction ID: 85f727c4c5d4a42376d9e50815c7ef9f8c3fb0d9a350df5d187d58031166d831
Opcode Fuzzy Hash: 31c03eb826e13305e2d28da2d1e38bb2b3b63f7613a520a0ed21c2af877f2e02
Instruction Fuzzy Hash: 5E916A75E00604EFCB15DF54C484EA9BBF5AF48314F198099E84A9F3A2DB71EE85CB90

Function 003355BB Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 223comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00335767

Strings

$:, xrefs: 0033580A
Container, xrefs: 003356D6

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ContainedObject
String ID: $:$Container
API String ID: 3565006973-2283022292
Opcode ID: e03df6561e6c6236edbac5112a47fc8e33bfb742b669950dd158e6bbc9145cf8
Instruction ID: 23a4d900515d2cbedd92478e5fe8f1717b0354e208100f27bfc2755325868ac5
Opcode Fuzzy Hash: e03df6561e6c6236edbac5112a47fc8e33bfb742b669950dd158e6bbc9145cf8
Instruction Fuzzy Hash: 14812874600601EFDB15DF58C885A6ABBF9FF48700F14856DE94A8F6A1DBB1E841CB60

Function 002FE69D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 002FE72D

Strings

pow, xrefs: 002FE705, 002FE722

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 4d846639a319a0fe8313056babe49d1c2edbb808a2e93cecb0fe252b4472756c
Instruction ID: 0e800805d2f6f457acbf49ce558000347c0fe6a2675c6aa17829222b1f1cf9e2
Opcode Fuzzy Hash: 4d846639a319a0fe8313056babe49d1c2edbb808a2e93cecb0fe252b4472756c
Instruction Fuzzy Hash: 82519D7192A10A86DF177B14CD1137AEBA8EF40780F254D78F1C5452F9EF348CE19A46

Function 002EB040 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

#, xrefs: 002EB06A

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 549b5d953273be9e595904ac3d7a04be7e4b51701907e9f23754420e4ef434dc
Instruction ID: 7bfbbe4b1f1cb56bc23a15fa023156c8f7642b96bae530941f97e2f1a088516d
Opcode Fuzzy Hash: 549b5d953273be9e595904ac3d7a04be7e4b51701907e9f23754420e4ef434dc
Instruction Fuzzy Hash: A4513535906296CFDB17DF28E4506FBBBA4EF15320FA44056EC919B2D0EB349D62CB50

Function 002EF5B9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 002EF5CA
GlobalMemoryStatusEx.KERNEL32(?), ref: 002EF5E3

Strings

@, xrefs: 002EF5D7

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 617bdbd65613ce41d9ec81771ed2a44900000758df6bdb90136026a1d08dc332
Instruction ID: b4745ad8d18dbea23915325b30f892a36c984764b4a9c6f5f3679ddf990153a1
Opcode Fuzzy Hash: 617bdbd65613ce41d9ec81771ed2a44900000758df6bdb90136026a1d08dc332
Instruction Fuzzy Hash: 5C5116B14187849BE320AF15DC86BAFBBECFB84340F81885DF598411A1DB719939CB66

Function 0034D922 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0034D95E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0034D968

Strings

|, xrefs: 0034D939

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 1096b8419e7fe30a0003cdea8623eeceb2743d4ec5bb0954a4a866a855a42054
Instruction ID: 3e4df15906781358d9ec29e2fb9eeec301849922e2540caa7dde34b9adfdb9b1
Opcode Fuzzy Hash: 1096b8419e7fe30a0003cdea8623eeceb2743d4ec5bb0954a4a866a855a42054
Instruction Fuzzy Hash: AF312A71810109EBCF12EFA5DD85AEEBFB9FF14300F00005AF915AA266E7719966DF50

Function 00364C13 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00364CFB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00364D10

Strings

', xrefs: 00364C6A

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 47a5f5a671c9726bace6a6b89585e6b6feb6524334a139262e57366abe9064db
Instruction ID: fe72e38be51faf70fad4ae885aa9df2e918f68860ac5f83d6a082c429cf151ef
Opcode Fuzzy Hash: 47a5f5a671c9726bace6a6b89585e6b6feb6524334a139262e57366abe9064db
Instruction Fuzzy Hash: C7314A74E0130AAFDB15CFA9C980BDA7BB9FF49300F109169E905AB395D770A941CF90

Function 003638C9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00363956
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00363961

Strings

Combobox, xrefs: 00363923

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: abf69035c55ad878af841a626967d81d847a3e131599220ad7c022561d1f7f81
Instruction ID: 34f280ed6a1aada747d6250fcc9c813752526a6e15bb15999f4081f4f258775a
Opcode Fuzzy Hash: abf69035c55ad878af841a626967d81d847a3e131599220ad7c022561d1f7f81
Instruction Fuzzy Hash: DE119072700208AFEF128F54DC81FFB3BAEEB993A4F118125F95897294D7719D518BA0

Function 0034D54C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0034D5AB
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0034D5D4

Strings

<local>, xrefs: 0034D594

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: e85a98bb91a503815c1052d0eb6b2b108fe352882ac3fb9bf8efdf428b15bc93
Instruction ID: c63d8a0a799a15de5bee4d4bb2214cd6b0bdd8c7d6600f14a6bdef5e9b3a5e31
Opcode Fuzzy Hash: e85a98bb91a503815c1052d0eb6b2b108fe352882ac3fb9bf8efdf428b15bc93
Instruction Fuzzy Hash: 4511A371605235B9D7264A668C49EF7BE9CEB237A8F00425AB119CB180DB60A940D6F0

Function 00363B03 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00363B85
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00363B94

Strings

edit, xrefs: 00363B69

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 23c74f08770152a2e473cbd61a619c21bdcc1965d32242481073cad68e3b7f34
Instruction ID: 30de591635d4581893c965492b94d1fcf009296879abf805b8caca51c765865d
Opcode Fuzzy Hash: 23c74f08770152a2e473cbd61a619c21bdcc1965d32242481073cad68e3b7f34
Instruction Fuzzy Hash: 33118C71600108ABEF128E64DC84AFB3BADEF05378F518314F965971E8C771DC519BA0

Function 003374A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 002DC110: _wcslen.LIBCMT ref: 002DC11A

CharUpperBuffW.USER32(?,?,?), ref: 003374D2
_wcslen.LIBCMT ref: 003374DE

Strings

STOP, xrefs: 003374D8, 003374DD

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: e6612cfc629e7b9505b6ecde34ae708f0e1abf2ffcc2ed8e52bb454dbe964770
Instruction ID: 0614f235d0a4b4a62da861da0ff22452969baa1a94bc58f39cb904b5ede7e34e
Opcode Fuzzy Hash: e6612cfc629e7b9505b6ecde34ae708f0e1abf2ffcc2ed8e52bb454dbe964770
Instruction Fuzzy Hash: 9C010472A1412A8ADB369FBDDC808BF77B9AA51314F110928E42597291EB34DC10C650

Function 00332558 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002DC110: _wcslen.LIBCMT ref: 002DC11A

Part of subcall function 003344BB: GetClassNameW.USER32(?,?,000000FF), ref: 003344DE

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 003325C6

Strings

ListBox, xrefs: 00332590
ComboBox, xrefs: 00332565

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 207df625b10b27c6213158bcf2d0729a5b6b4621d8570f7a97f0ee7ecd5541b7
Instruction ID: 00eb62cc1a1cb1eb29d6ed339ccc63226e7ebc59ee9f5271be1757ada174a964
Opcode Fuzzy Hash: 207df625b10b27c6213158bcf2d0729a5b6b4621d8570f7a97f0ee7ecd5541b7
Instruction Fuzzy Hash: 9601DD71A011156BDB06EBA4CCA19FFB768EB06350F100916F472573C2EE35A918CB50

Function 00332452 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002DC110: _wcslen.LIBCMT ref: 002DC11A

Part of subcall function 003344BB: GetClassNameW.USER32(?,?,000000FF), ref: 003344DE

SendMessageW.USER32(?,00000180,00000000,?), ref: 003324C0

Strings

ListBox, xrefs: 0033248A
ComboBox, xrefs: 0033245F

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c688c438aa3eca599b554f6d4109fde6c5a5a0d0fc028e8d57835c12b1c9360a
Instruction ID: b8fa2273265a92dded728b92972ff7fc760b0a1eee19feef0a3629c6a2a268b1
Opcode Fuzzy Hash: c688c438aa3eca599b554f6d4109fde6c5a5a0d0fc028e8d57835c12b1c9360a
Instruction Fuzzy Hash: 5601A271B411156ACB16EBA1C992FFF77AC9B15340F101426B842673C2EA59AE188AB1

Function 003324D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002DC110: _wcslen.LIBCMT ref: 002DC11A

Part of subcall function 003344BB: GetClassNameW.USER32(?,?,000000FF), ref: 003344DE

SendMessageW.USER32(?,00000182,?,00000000), ref: 00332542

Strings

ListBox, xrefs: 0033250E
ComboBox, xrefs: 003324E3

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: f0278e28cc48b767589bcdf23992e2ff716c1992950ecd01349b2e708fe7a4e3
Instruction ID: f90442a0783b8c8ec6c3e146401b7775a5e0ed9a53cccd2344ad5d833a9bb1f5
Opcode Fuzzy Hash: f0278e28cc48b767589bcdf23992e2ff716c1992950ecd01349b2e708fe7a4e3
Instruction Fuzzy Hash: 8B01D671A401056ADB02E7A4C992FFFB7AC9B16340F200426B453B3382EA29DF1886B1

Function 0032E96F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0032E98D
_wcslen.LIBCMT ref: 0032E9CB

Strings

3, 3, 15, 3, xrefs: 0032E975

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 15, 3
API String ID: 176396367-1239129305
Opcode ID: 9dc4078882d83f5169c0a0092368aa1846fc82c6993071cac35ec856f1c31cd3
Instruction ID: b82b3303c6c5da37e34feb9583d8e6e9c40f33bc846b65d719f38452e04884a5
Opcode Fuzzy Hash: 9dc4078882d83f5169c0a0092368aa1846fc82c6993071cac35ec856f1c31cd3
Instruction Fuzzy Hash: 80F0F62561013855CBE2A7B0A88AFBE7398AF48740F2154BBE409C7150FF64CDD4CB80

Function 0033138F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0033139D

Strings

Error allocating memory., xrefs: 00331396
AutoIt, xrefs: 00331391

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: bdbc4a8f206d98d710ccac076e57b6073b61fcf87b415d7b19a4f36ab632d8db
Instruction ID: 743a6559c2f069f0244ed79be1f11e0f105274764b093d426564c56cc9c0c9c0
Opcode Fuzzy Hash: bdbc4a8f206d98d710ccac076e57b6073b61fcf87b415d7b19a4f36ab632d8db
Instruction Fuzzy Hash: 2BE0D83235432C22D21137947C47FD9BA844F04B61F11442BFB48598C34BE124A04A98

Function 002F1162 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 002EFAF1: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,002F1191,?,?,?,002D100A), ref: 002EFAF6

IsDebuggerPresent.KERNEL32(?,?,?,002D100A), ref: 002F1195
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,002D100A), ref: 002F11A4

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 002F119F

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: dd17d4ad4d6a2aa1f8786e4e583b2b0d049cc2bdc4e5ca53813bd5ed446a072c
Instruction ID: 624e35ff11928808d009e96777ce163c4c5fef7f25a5d4654ee53687eb9c0311
Opcode Fuzzy Hash: dd17d4ad4d6a2aa1f8786e4e583b2b0d049cc2bdc4e5ca53813bd5ed446a072c
Instruction Fuzzy Hash: CCE06D70610711CFD3619F29E944757BBE8AB04344F44CE2DE94AC6751DBF4D4648FA1

Function 002EEE32 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002EEE6F

Strings

X5:, xrefs: 002EEE64
P5:, xrefs: 002EEE4F

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Init_thread_footer
String ID: P5:$X5:
API String ID: 1385522511-677207189
Opcode ID: dd95d9a3c5c21990bec5d876c99c6bd69070235248bd5626ef1d59fe4c178421
Instruction ID: d56798180fe54c70c5e28dc8789c291bfb58b755d1849493686246a4657a8813
Opcode Fuzzy Hash: dd95d9a3c5c21990bec5d876c99c6bd69070235248bd5626ef1d59fe4c178421
Instruction Fuzzy Hash: 6AE08635DA1C95DBDF169B2CA841A98B398EF4B730F590165F2018B1A29B303A619A98

Function 003438AA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 003438C2
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 003438D7

Strings

aut, xrefs: 003438CB

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 8dbe84eec28eb88a0f3e758dda2caaf4a16b4e37553139a76a8344befa4e6ce6
Instruction ID: ace5e4eca02ea96f3a0aba8795b46be95b6560e63904b87a53e7af59a11a42f0
Opcode Fuzzy Hash: 8dbe84eec28eb88a0f3e758dda2caaf4a16b4e37553139a76a8344befa4e6ce6
Instruction Fuzzy Hash: A1D05E72A0032867DA20A764DC0EFCB7A6CDB48710F0006A1FA55920E1DBF0DA85CBE0

Function 003629FC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00362A06
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00362A19

Part of subcall function 0033F152: Sleep.KERNEL32 ref: 0033F1CA

Strings

Shell_TrayWnd, xrefs: 003629FF

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: ce568d7c2af41ba98c0e8af876b0c2fab27993ee06ed3e3399ffd9754295179b
Instruction ID: 670c3b4b08fac4fc92dd984294db45ab64bc46c7b24336351d70bfd95ae6ef03
Opcode Fuzzy Hash: ce568d7c2af41ba98c0e8af876b0c2fab27993ee06ed3e3399ffd9754295179b
Instruction Fuzzy Hash: AED01236B95311BBEA65B770FC4FFE6AA589F54B10F504835F34EAE2D0C9E06800C654

Function 00362A30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00362A46
PostMessageW.USER32(00000000), ref: 00362A4D

Part of subcall function 0033F152: Sleep.KERNEL32 ref: 0033F1CA

Strings

Shell_TrayWnd, xrefs: 00362A3F

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 80a30ef331438afdfc83970880751778fa508a1d65c4f72d46d7da49e21a6a09
Instruction ID: f547355955e17caee9b6aef49e7acaad7ade832693e8af656ecb90420645be06
Opcode Fuzzy Hash: 80a30ef331438afdfc83970880751778fa508a1d65c4f72d46d7da49e21a6a09
Instruction Fuzzy Hash: A1D0C932B85311AAEA66A770EC4AFE6AA589B55B10F504825F34AAA2D0C9E068008658

Function 0030C21D Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0030C2B3
GetLastError.KERNEL32 ref: 0030C2C1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0030C31C

Memory Dump Source

Source File: 0000000B.00000002.2516941007.00000000002D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 002D0000, based on PE: true

Associated: 0000000B.00000002.2516914828.00000000002D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.000000000036D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517011995.0000000000393000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517072837.000000000039D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.2517097916.00000000003A5000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d0000_Cooper.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 566a1c37cdc3a288a1617dda12b0d8a900e45b50a186ef48527517e4259b7857
Instruction ID: 8d3bb53c4c4dce8f0df048d0c8435d70aebc090ac2ef12bf2a8b289a4746a950
Opcode Fuzzy Hash: 566a1c37cdc3a288a1617dda12b0d8a900e45b50a186ef48527517e4259b7857
Instruction Fuzzy Hash: 7241E835622205AFDF238F64C864ABF7BA9EF02310F2693A9F8555B1D1DB348D01CB50

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 99awhy8l.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\578678\Cooper.pif

C:\Users\user\AppData\Local\Temp\578678\y

C:\Users\user\AppData\Local\Temp\Bond

C:\Users\user\AppData\Local\Temp\Exotic

C:\Users\user\AppData\Local\Temp\Hill

C:\Users\user\AppData\Local\Temp\Impacts

C:\Users\user\AppData\Local\Temp\Impacts.bat

C:\Users\user\AppData\Local\Temp\Myth

C:\Users\user\AppData\Local\Temp\Relief

C:\Users\user\AppData\Local\Temp\Seo

C:\Users\user\AppData\Local\Temp\Serious

C:\Users\user\AppData\Local\Temp\Von

C:\Users\user\AppData\Local\Temp\Webpage

Static File Info

Windows Analysis Report
99awhy8l.exe

Function 004050CD Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 295
windowclipboardmemoryCOMMON

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre