Edit tour

Windows Analysis Report
nnn.exe

Overview

General Information

Sample name:	nnn.exe
Analysis ID:	1578009
MD5:	674524d2048c49e12fa30e6f42ead69a
SHA1:	d7a6349ab0c08e0825c7ab0b7e65c719ebcdc9a6
SHA256:	b03db0564666573fc8c78762884386005dd29e7f39d76e008e36dea70bc7f2e7
Tags:	exeuser-mamrmtsh
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Found API chain indicative of sandbox detection

Installs a global keyboard hook

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

nnn.exe (PID: 7256 cmdline: "C:\Users\user\Desktop\nnn.exe" MD5: 674524D2048C49E12FA30E6F42EAD69A)

RegSvcs.exe (PID: 7308 cmdline: "C:\Users\user\Desktop\nnn.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.pgsu.co.id", "Username": "joko.wahyono@pgsu.co.id", "Password": "Vecls16@Vezs           "}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.4161444744.0000000002639000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.4161444744.000000000260E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.4160397848.00000000005B2000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.4160397848.00000000005B2000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1726912638.00000000014C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1726912638.00000000014C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1726912638.00000000014C0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334d7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33549:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335d3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33665:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336cf:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33741:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337d7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33867:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000001.00000002.4161444744.00000000025C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.4161444744.00000000025C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: nnn.exe PID: 7256	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: nnn.exe PID: 7256	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 7308	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7308	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.nnn.exe.14c0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.nnn.exe.14c0000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.nnn.exe.14c0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316d7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31749:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317d3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31865:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318cf:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31941:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319d7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a67:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.nnn.exe.14c0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.nnn.exe.14c0000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.nnn.exe.14c0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334d7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33549:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335d3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33665:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336cf:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33741:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337d7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33867:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegSvcs.exe.5b0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.5b0000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.5b0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334d7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33549:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335d3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33665:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336cf:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33741:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337d7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33867:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 107.178.108.41, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7308, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 1.2.RegSvcs.exe.5b0000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.pgsu.co.id", "Username": "joko.wahyono@pgsu.co.id", "Password": "Vecls16@Vezs "}

Multi AV Scanner detection for submitted file

Source: nnn.exe	Virustotal: Detection: 29%			Perma Link
Source: nnn.exe	ReversingLabs: Detection: 50%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: nnn.exe

Joe Sandbox ML: detected

Source: nnn.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: nnn.exe, 00000000.00000003.1726269624.0000000003F90000.00000004.00001000.00020000.00000000.sdmp, nnn.exe, 00000000.00000003.1722135943.0000000003DF0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: nnn.exe, 00000000.00000003.1726269624.0000000003F90000.00000004.00001000.00020000.00000000.sdmp, nnn.exe, 00000000.00000003.1722135943.0000000003DF0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EEDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00EEDBBE
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EF68EE FindFirstFileW,FindClose,	0_2_00EF68EE
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EF698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00EF698F
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00EED076
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00EED3A9
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EF9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00EF9642
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EF979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00EF979D
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EF9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00EF9B2B
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EF5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00EF5C97

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 107.178.108.41:587

Source: Joe Sandbox View

IP Address: 107.178.108.41 107.178.108.41

Source: Joe Sandbox View

ASN Name: IOFLOODUS IOFLOODUS

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 107.178.108.41:587

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\nnn.exe

Code function: 0_2_00EFCE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_00EFCE44

Source: global traffic

DNS traffic detected: DNS query: mail.pgsu.co.id

Source: RegSvcs.exe, 00000001.00000002.4161444744.000000000260E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.pgsu.co.id
Source: RegSvcs.exe, 00000001.00000002.4161444744.000000000260E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pgsu.co.id
Source: RegSvcs.exe, 00000001.00000002.4160575138.0000000000924000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.i.lencr.or
Source: RegSvcs.exe, 00000001.00000002.4161444744.000000000260E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4163043040.00000000057EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.i.lencr.org/0
Source: RegSvcs.exe, 00000001.00000002.4161444744.000000000260E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4163043040.00000000057EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.o.lencr.org0#
Source: RegSvcs.exe, 00000001.00000002.4161444744.000000000260E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4160754639.0000000000977000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4163043040.00000000057EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: RegSvcs.exe, 00000001.00000002.4161444744.000000000260E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4160754639.0000000000977000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4163043040.00000000057EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: nnn.exe, 00000000.00000002.1726912638.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4160397848.00000000005B2000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.nnn.exe.14c0000.1.raw.unpack, cPKWk.cs

.Net Code: gdCwU6rsZ

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Jump to behavior

Source: C:\Users\user\Desktop\nnn.exe

Code function: 0_2_00EFEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00EFEAFF

Source: C:\Users\user\Desktop\nnn.exe

Code function: 0_2_00EFED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00EFED6A

Source: C:\Users\user\Desktop\nnn.exe

0_2_00EFEAFF

Source: C:\Users\user\Desktop\nnn.exe

Code function: 0_2_00EEAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00EEAA57

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Source: C:\Users\user\Desktop\nnn.exe

Code function: 0_2_00F19576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00F19576

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.nnn.exe.14c0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.nnn.exe.14c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegSvcs.exe.5b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1726912638.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: nnn.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: nnn.exe, 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_4c9415c7-e
Source: nnn.exe, 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_8ed2a35b-3
Source: nnn.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f665ec9d-c
Source: nnn.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_c341c1a8-2

Source: C:\Users\user\Desktop\nnn.exe

Code function: 0_2_00EED5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00EED5EB

Source: C:\Users\user\Desktop\nnn.exe

Code function: 0_2_00EE1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00EE1201

Source: C:\Users\user\Desktop\nnn.exe

Code function: 0_2_00EEE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00EEE8F6

Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00E88060	0_2_00E88060
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EF2046	0_2_00EF2046
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EE8298	0_2_00EE8298
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EBE4FF	0_2_00EBE4FF
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EB676B	0_2_00EB676B
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00F14873	0_2_00F14873
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00E8CAF0	0_2_00E8CAF0
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EACAA0	0_2_00EACAA0
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00E9CC39	0_2_00E9CC39
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EB6DD9	0_2_00EB6DD9
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00E9D063	0_2_00E9D063
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00E891C0	0_2_00E891C0
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00E9B119	0_2_00E9B119
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EA1394	0_2_00EA1394
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EA1706	0_2_00EA1706
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EA781B	0_2_00EA781B
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EA19B0	0_2_00EA19B0
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00E9997D	0_2_00E9997D
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00E87920	0_2_00E87920
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EA7A4A	0_2_00EA7A4A
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EA7CA7	0_2_00EA7CA7
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EA1C77	0_2_00EA1C77
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EB9EEE	0_2_00EB9EEE
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00F0BE44	0_2_00F0BE44
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EA1F32	0_2_00EA1F32
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_01750478	0_2_01750478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00CA9380	1_2_00CA9380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00CA4AA0	1_2_00CA4AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00CA9B48	1_2_00CA9B48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00CACDC8	1_2_00CACDC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00CA3E88	1_2_00CA3E88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00CA41D0	1_2_00CA41D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00CAF4C0	1_2_00CAF4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_058EDD10	1_2_058EDD10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_058EBCF8	1_2_058EBCF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_058E3F40	1_2_058E3F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_058E56C8	1_2_058E56C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_058E0040	1_2_058E0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_058E8B72	1_2_058E8B72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_058E2AF0	1_2_058E2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_058E4FE8	1_2_058E4FE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_058E3238	1_2_058E3238

Source: C:\Users\user\Desktop\nnn.exe	Code function: String function: 00EA0A30 appears 46 times
Source: C:\Users\user\Desktop\nnn.exe	Code function: String function: 00E9F9F2 appears 31 times

Source: nnn.exe, 00000000.00000003.1722728782.00000000040BD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs nnn.exe
Source: nnn.exe, 00000000.00000003.1724847047.0000000003F13000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs nnn.exe
Source: nnn.exe, 00000000.00000002.1726912638.00000000014C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamef1a08a05-b195-4d04-8a01-a86b7545550f.exe4 vs nnn.exe

Source: nnn.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.nnn.exe.14c0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.nnn.exe.14c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegSvcs.exe.5b0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.1726912638.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 0.2.nnn.exe.14c0000.1.raw.unpack, cPs8D.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.nnn.exe.14c0000.1.raw.unpack, 72CF8egH.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.nnn.exe.14c0000.1.raw.unpack, G5CXsdn.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.nnn.exe.14c0000.1.raw.unpack, 3uPsILA6U.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.nnn.exe.14c0000.1.raw.unpack, 6oQOw74dfIt.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.nnn.exe.14c0000.1.raw.unpack, aMIWm.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.nnn.exe.14c0000.1.raw.unpack, 3QjbQ514BDx.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.nnn.exe.14c0000.1.raw.unpack, 3QjbQ514BDx.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/2@3/1

Source: C:\Users\user\Desktop\nnn.exe

Code function: 0_2_00EF37B5 GetLastError,FormatMessageW,

0_2_00EF37B5

Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EE10BF AdjustTokenPrivileges,CloseHandle,		0_2_00EE10BF
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EE16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00EE16C3

Source: C:\Users\user\Desktop\nnn.exe

Code function: 0_2_00EF51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00EF51CD

Source: C:\Users\user\Desktop\nnn.exe

Code function: 0_2_00F0A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00F0A67C

Source: C:\Users\user\Desktop\nnn.exe

Code function: 0_2_00EF648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00EF648E

Source: C:\Users\user\Desktop\nnn.exe

Code function: 0_2_00E842A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00E842A2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\nnn.exe

File created: C:\Users\user\AppData\Local\Temp\aut489E.tmp

Jump to behavior

Source: nnn.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\nnn.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: nnn.exe	Virustotal: Detection: 29%
Source: nnn.exe	ReversingLabs: Detection: 50%

Source: unknown	Process created: C:\Users\user\Desktop\nnn.exe "C:\Users\user\Desktop\nnn.exe"
Source: C:\Users\user\Desktop\nnn.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\nnn.exe"
Source: C:\Users\user\Desktop\nnn.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\nnn.exe"	Jump to behavior

Source: C:\Users\user\Desktop\nnn.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\nnn.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\nnn.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\nnn.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\nnn.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\nnn.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nnn.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\nnn.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\nnn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\nnn.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\nnn.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: nnn.exe

Static file information: File size 1179136 > 1048576

Source: nnn.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: nnn.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: nnn.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: nnn.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: nnn.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: nnn.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: nnn.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: nnn.exe, 00000000.00000003.1726269624.0000000003F90000.00000004.00001000.00020000.00000000.sdmp, nnn.exe, 00000000.00000003.1722135943.0000000003DF0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: nnn.exe, 00000000.00000003.1726269624.0000000003F90000.00000004.00001000.00020000.00000000.sdmp, nnn.exe, 00000000.00000003.1722135943.0000000003DF0000.00000004.00001000.00020000.00000000.sdmp

Source: nnn.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: nnn.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: nnn.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: nnn.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: nnn.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\nnn.exe

Code function: 0_2_00E842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E842DE

Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EA0A76 push ecx; ret		0_2_00EA0A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_058E3AD7 push ebx; retf		1_2_058E3ADA

Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00E9F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00E9F98E
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00F11C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00F11C41

Source: C:\Users\user\Desktop\nnn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nnn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\nnn.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96380

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\nnn.exe

API/Special instruction interceptor: Address: 175009C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2054			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7757			Jump to behavior

Source: C:\Users\user\Desktop\nnn.exe

API coverage: 4.0 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EEDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00EEDBBE
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EF68EE FindFirstFileW,FindClose,	0_2_00EF68EE
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EF698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00EF698F
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00EED076
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00EED3A9
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EF9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00EF9642
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EF979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00EF979D
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EF9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00EF9B2B
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EF5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00EF5C97

Source: C:\Users\user\Desktop\nnn.exe

Code function: 0_2_00E842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E842DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97745	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97395	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97105	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96848	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94577	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94434	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94307	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 93969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 93860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 93735	Jump to behavior

Source: RegSvcs.exe, 00000001.00000002.4163043040.00000000057EC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\nnn.exe

Code function: 0_2_00EFEAA2 BlockInput,

0_2_00EFEAA2

Source: C:\Users\user\Desktop\nnn.exe

Code function: 0_2_00EB2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00EB2622

Source: C:\Users\user\Desktop\nnn.exe

Code function: 0_2_00E842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E842DE

Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EA4CE8 mov eax, dword ptr fs:[00000030h]	0_2_00EA4CE8
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_01750368 mov eax, dword ptr fs:[00000030h]	0_2_01750368
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_01750308 mov eax, dword ptr fs:[00000030h]	0_2_01750308
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_0174ECE8 mov eax, dword ptr fs:[00000030h]	0_2_0174ECE8

Source: C:\Users\user\Desktop\nnn.exe

Code function: 0_2_00EE0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00EE0B62

Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EB2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00EB2622
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EA083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00EA083F
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EA09D5 SetUnhandledExceptionFilter,	0_2_00EA09D5
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00EA0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00EA0C21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\nnn.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\nnn.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 38C008

Jump to behavior

Source: C:\Users\user\Desktop\nnn.exe

0_2_00EE1201

Source: C:\Users\user\Desktop\nnn.exe

Code function: 0_2_00EC2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00EC2BA5

Source: C:\Users\user\Desktop\nnn.exe

Code function: 0_2_00EEB226 SendInput,keybd_event,

0_2_00EEB226

Source: C:\Users\user\Desktop\nnn.exe

Code function: 0_2_00F022DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00F022DA

Source: C:\Users\user\Desktop\nnn.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\nnn.exe"

Jump to behavior

Source: C:\Users\user\Desktop\nnn.exe

0_2_00EE0B62

Source: C:\Users\user\Desktop\nnn.exe

Code function: 0_2_00EE1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00EE1663

Source: nnn.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: nnn.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\nnn.exe

Code function: 0_2_00EA0698 cpuid

0_2_00EA0698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\nnn.exe

Code function: 0_2_00EF8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00EF8195

Source: C:\Users\user\Desktop\nnn.exe

Code function: 0_2_00EDD27A GetUserNameW,

0_2_00EDD27A

Source: C:\Users\user\Desktop\nnn.exe

Code function: 0_2_00EBBB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00EBBB6F

Source: C:\Users\user\Desktop\nnn.exe

Code function: 0_2_00E842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E842DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: nnn.exe, 00000000.00000002.1727184472.0000000001899000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: mcupdate.exe

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.nnn.exe.14c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nnn.exe.14c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4161444744.0000000002639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4161444744.000000000260E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4160397848.00000000005B2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1726912638.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4161444744.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nnn.exe PID: 7256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7308, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: nnn.exe	Binary or memory string: WIN_81
Source: nnn.exe	Binary or memory string: WIN_XP
Source: nnn.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: nnn.exe	Binary or memory string: WIN_XPe
Source: nnn.exe	Binary or memory string: WIN_VISTA
Source: nnn.exe	Binary or memory string: WIN_7
Source: nnn.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 0.2.nnn.exe.14c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nnn.exe.14c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4160397848.00000000005B2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1726912638.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4161444744.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nnn.exe PID: 7256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7308, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.nnn.exe.14c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nnn.exe.14c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4161444744.0000000002639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4161444744.000000000260E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4160397848.00000000005B2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1726912638.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.4161444744.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nnn.exe PID: 7256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7308, type: MEMORYSTR

Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00F01204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00F01204
Source: C:\Users\user\Desktop\nnn.exe	Code function: 0_2_00F01806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00F01806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	221 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	1 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	138 System Information Discovery	Distributed Component Object Model	221 Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	341 Security Software Discovery	SSH	4 Clipboard Data	11 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	221 Virtualization/Sandbox Evasion	Cached Domain Credentials	221 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
nnn.exe	29%	Virustotal		Browse
nnn.exe	50%	ReversingLabs	Win32.Trojan.AutoitInject
nnn.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://pgsu.co.id	0%	Avira URL Cloud	safe
http://r10.i.lencr.or	0%	Avira URL Cloud	safe
http://mail.pgsu.co.id	0%	Avira URL Cloud	safe
http://r10.o.lencr.org0#	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
pgsu.co.id	107.178.108.41	true	true		unknown
mail.pgsu.co.id	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://pgsu.co.id	RegSvcs.exe, 00000001.00000002.4161444744.000000000260E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://r10.o.lencr.org0#	RegSvcs.exe, 00000001.00000002.4161444744.000000000260E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4163043040.00000000057EC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.dyn.com/	nnn.exe, 00000000.00000002.1726912638.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4160397848.00000000005B2000.00000040.80000000.00040000.00000000.sdmp	false		high
http://mail.pgsu.co.id	RegSvcs.exe, 00000001.00000002.4161444744.000000000260E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://r10.i.lencr.or	RegSvcs.exe, 00000001.00000002.4160575138.0000000000924000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	RegSvcs.exe, 00000001.00000002.4161444744.000000000260E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4160754639.0000000000977000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4163043040.00000000057EC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	RegSvcs.exe, 00000001.00000002.4161444744.000000000260E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4160754639.0000000000977000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4163043040.00000000057EC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://r10.i.lencr.org/0	RegSvcs.exe, 00000001.00000002.4161444744.000000000260E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4163043040.00000000057EC000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
107.178.108.41	pgsu.co.id	United States		53755	IOFLOODUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578009
Start date and time:	2024-12-19 04:59:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	nnn.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/2@3/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 49 Number of non-executed functions: 304
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63, 20.109.210.53
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:00:02	API Interceptor	11925570x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
107.178.108.41	ssd.exe	Get hash	malicious	AgentTesla	Browse
	newrfq.exe	Get hash	malicious	AgentTesla	Browse
	mp.exe	Get hash	malicious	AgentTesla	Browse
	ttp.exe	Get hash	malicious	AgentTesla	Browse
	06.exe	Get hash	malicious	AgentTesla	Browse
	sdfg.exe	Get hash	malicious	AgentTesla	Browse
	pmm.exe	Get hash	malicious	AgentTesla	Browse
	Q7bAgeTZB8vmku7.exe	Get hash	malicious	AgentTesla	Browse
	QcgYuePXfjXfcUD.exe	Get hash	malicious	AgentTesla	Browse
	XXKPgtA6DfbWnGL.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
IOFLOODUS	ssd.exe	Get hash	malicious	AgentTesla	Browse	107.178.108.41
	SqWzv6g2gV.exe	Get hash	malicious	RHADAMANTHYS	Browse	104.161.43.18
	RXnQXC1eJa.exe	Get hash	malicious	RHADAMANTHYS	Browse	104.161.43.18
	37O0XUq6Vp.exe	Get hash	malicious	RHADAMANTHYS	Browse	104.161.43.18
	tO8laPAv1k.exe	Get hash	malicious	RHADAMANTHYS	Browse	104.161.43.18
	nPcYcCBa00.exe	Get hash	malicious	RHADAMANTHYS	Browse	104.161.43.18
	JLrciUppSu.exe	Get hash	malicious	RHADAMANTHYS	Browse	104.161.43.18
	122046760.bat	Get hash	malicious	RHADAMANTHYS	Browse	104.161.43.18
	pkqLAMAv96.lnk	Get hash	malicious	RHADAMANTHYS	Browse	104.161.43.18
	IIC0XbKFjS.lnk	Get hash	malicious	RHADAMANTHYS	Browse	104.161.43.18

Process:	C:\Users\user\Desktop\nnn.exe
File Type:	data
Category:	dropped
Size (bytes):	151562
Entropy (8bit):	7.908808024915831
Encrypted:	false
SSDEEP:	3072:z6NVbwW4RTZDhRxABX56C+6VcuXXwFN6aHqNrq4gfURHZQ:2NVr8hGUB6Dt9qxcRHq
MD5:	3F11144B624779E9002C15AB41F6051E
SHA1:	4C38395DA3819D33637C0F72727D70CFC63A1D87
SHA-256:	13CAC0BD87D1194457A58234DB84AD400FC59AE24AC5A119A57CAEDA2D0CF1D4
SHA-512:	65DB4DFF74D4D38F7AF04B6BBF731C4FDCD89D1F6D199562F73019C8FC36CBC255E82DD4E46B52546A6D8A2050AA5B4F2DA145BEABE5FFEBFD0B99EB6B721112
Malicious:	false
Reputation:	low
Preview:	EA06......;.y...E...T....K.M..&eR.M.....X..jT.@..i.... .X....F.{...h.\|..+Q..-.I,.M;....J..y.......O%.Wg7(,..r.....".A..,f....o.:\......5..Ujt.D.H.M...lS>...^...d.`..J.G.........5.`....$.....#e4.P..z...B..$.....cw=...#. ..\. ._7^oD...~@..E..4...v..`B@.;f..g.`......U....2..,\|6..^eo..d...b)@..1@..4...P........Q.S.t.eR...:Z%..H.B<t.....K.B.,>O........Z.......K.N..,.........U..kU.../Q...8..#.Ig&o..T..)^..;......[_....\nV.kf.M;0....b..v.>~....bg.)].W..y...%fiI..g...{U.v!.;.NM..`hS.t......}.-:!...}.......S8..c..{R.... .....K4.Md^:F.p.4.X,._....g.....U.]er..I...kt.'.O....1...1 .,&.....p..n....~..M.7.8..l..........0...Xm.5.W'.........U./.....9..t>G..[....6._<..[.D.a&..3c..6.+..e..0..2.L....d.o......Zm@.P(...&...@6....eo..;..ZG..ka3.......L...q:T].......\|........~].......I.n}..P'.)...=.Pj6H.F'..N.uiP.v)...2c<...4JE.UR...Yln.2.m.RJ%J.8....xE..0...4..'7.P/.z,.-J.....D.P..U..m..Z.......xMj5z...,.L.J%Z.e..f..J.b._...L..H..h...L.P"q..viW.X@..E.E......

C:\Users\user\AppData\Local\Temp\parters

Download File

Process:	C:\Users\user\Desktop\nnn.exe
File Type:	data
Category:	dropped
Size (bytes):	240128
Entropy (8bit):	6.62695684717245
Encrypted:	false
SSDEEP:	6144:97zoQGyY5le4gIk3sjJa+N/Stf1YWRnmRT9jCtcmdRxdLtm8i4KVUo4N1Oju:NzoxyYve4gIssjwc/Stf1YWRnmRT9jCB
MD5:	935B78428A4A27D67AE0DFA0BD11E615
SHA1:	81292227E5045274B982469F34A5ECE33917753E
SHA-256:	0DBF363D16D066A8CCF25C30B37BD36F91665A7706D32F0E2FC7691B2E018F5A
SHA-512:	5BBFD02B14AAF48083EA5993E162665198BA832893081FC8E9B4B9E6EC9DFBE9E833119F030A673023F15723CC29487BFF6D1C807352B2D6D540B9E39970AFBA
Malicious:	false
Reputation:	low
Preview:	...77DRECKZJ..RK.4WRAI2R.74DREGKZJA9RKH4WRAI2RH74DREGKZJA9RK.4WROV.\H.=.s.F..k.Q;8hD%=&;S?hTU<3k8/aK'%h]9r..ar%XP!\|HJA~JA9RKH4..AI~SK7..s#GKZJA9RK.4USJH9RH.7DRMGKZJA9L.K4WrAI2.K74D.EGkZJA;RKL4WRAI2RL74DREGKZJE9RIH4WRAI0R..4DBEG[ZJA9BKH$WRAI2RX74DREGKZJA9..K4.RAI2.K7rAREGKZJA9RKH4WRAI2RH.7D^EGKZJA9RKH4WRAI2RH74DREGKZJA9RKH4WRAI2RH74DREGKZJA9RkH4_RAI2RH74DREOkZJ.9RKH4WRAI2RfCQ<&EGK~.B9RkH4W.BI2PH74DREGKZJA9RKh4W2o;A +74D.@GKZ.B9RMH4W.BI2RH74DREGKZJ.9R.fF2>.2RD74DR.DKZHA9R.K4WRAI2RH74DRE.KZ.A9RKH4WRAI2RH74DR.DKZJA9.KH4URDI..J7.tSEDKZJ@9RMH4WRAI2RH74DREGKZJA9RKH4WRAI2RH74DREGKZJA9RKH4WR\...\|z.8yA8M...,.7..R.+.x;.G.<_..._....f<4..7.Kb..S...>.<R+@.....$Y4I#.=n63.U....t.&.\|.B<.=...?..%N..{..tk...J3....M..+[:\| 9B>-.g%4$5".H.8RKH4.......]<..jHUTu+...u[J...,EGK>JA9 KH46RAIuRH7[DRE)KZJ?9RK64WR.I2R.74DeEGK.JA9?KH4sRAILRH7.9]J...#2..KH4WRt..b.Z.....\|...#.6o5j...6.\|..W..D2.6z....Y."~._e_Bq..L[LE<PLL7[oO....6@V@EL^IM.\...s.o..q...#....0.ERKH4WR.I2.H74..E.KZJ.9.K.WRA..R.7.D...K

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.851802124828
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	nnn.exe
File size:	1'179'136 bytes
MD5:	674524d2048c49e12fa30e6f42ead69a
SHA1:	d7a6349ab0c08e0825c7ab0b7e65c719ebcdc9a6
SHA256:	b03db0564666573fc8c78762884386005dd29e7f39d76e008e36dea70bc7f2e7
SHA512:	9d80559a64b453f02ec432553f9d781317924cd24e962af2ee2c024829441d45ae64381aeca4b6d7a5d819959c177fe35a7fb4398327684c126d3b2ab254c9ff
SSDEEP:	24576:5qDEvCTbMWu7rQYlBQcBiT6rprG8aUEveu5+TS:5TvC/MTQYxsWR7aUEB+T
TLSH:	AF45BF0373918022FE9BD9331B56E615DBBD6E160123AF5F1B981D7AB9F0060173EA63
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	0131719696496713

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67635812 [Wed Dec 18 23:17:38 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FFAC0D93EC3h
jmp 00007FFAC0D937CFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FFAC0D939ADh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FFAC0D9397Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FFAC0D9656Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FFAC0D965B8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FFAC0D965A1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x493ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11e000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x493ac	0x49400	4cc117b02db774d06e62296d264fcdce	False	0.764515118387372	data	7.186464582872443	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x11e000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd4458	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd4580	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd46a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd47d0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 4838 x 4838 px/m	English	Great Britain	0.06979770495682007
RT_MENU	0xe4ff8	0x50	data	English	Great Britain	0.9
RT_STRING	0xe5048	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xe55dc	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xe5c68	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xe60f8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xe66f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xe6d50	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xe71b8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xe7310	0x35b7f	data			1.0003454058746268
RT_GROUP_ICON	0x11ce90	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x11cea4	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x11ceb8	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x11cecc	0x14	data	English	Great Britain	1.25
RT_VERSION	0x11cee0	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x11cfbc	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 05:00:06.134247065 CET	49730	587	192.168.2.4	107.178.108.41
Dec 19, 2024 05:00:06.254090071 CET	587	49730	107.178.108.41	192.168.2.4
Dec 19, 2024 05:00:06.254273891 CET	49730	587	192.168.2.4	107.178.108.41
Dec 19, 2024 05:00:07.444377899 CET	587	49730	107.178.108.41	192.168.2.4
Dec 19, 2024 05:00:07.445389032 CET	49730	587	192.168.2.4	107.178.108.41
Dec 19, 2024 05:00:07.565089941 CET	587	49730	107.178.108.41	192.168.2.4
Dec 19, 2024 05:00:07.825557947 CET	587	49730	107.178.108.41	192.168.2.4
Dec 19, 2024 05:00:07.825783968 CET	49730	587	192.168.2.4	107.178.108.41
Dec 19, 2024 05:00:07.945614100 CET	587	49730	107.178.108.41	192.168.2.4
Dec 19, 2024 05:00:08.208023071 CET	587	49730	107.178.108.41	192.168.2.4
Dec 19, 2024 05:00:08.216794014 CET	49730	587	192.168.2.4	107.178.108.41
Dec 19, 2024 05:00:08.336509943 CET	587	49730	107.178.108.41	192.168.2.4
Dec 19, 2024 05:00:08.609569073 CET	587	49730	107.178.108.41	192.168.2.4
Dec 19, 2024 05:00:08.609622955 CET	587	49730	107.178.108.41	192.168.2.4
Dec 19, 2024 05:00:08.609663963 CET	587	49730	107.178.108.41	192.168.2.4
Dec 19, 2024 05:00:08.609668970 CET	49730	587	192.168.2.4	107.178.108.41
Dec 19, 2024 05:00:08.658283949 CET	49730	587	192.168.2.4	107.178.108.41
Dec 19, 2024 05:00:08.801166058 CET	49730	587	192.168.2.4	107.178.108.41
Dec 19, 2024 05:00:08.920731068 CET	587	49730	107.178.108.41	192.168.2.4
Dec 19, 2024 05:00:09.181873083 CET	587	49730	107.178.108.41	192.168.2.4
Dec 19, 2024 05:00:09.201853991 CET	49730	587	192.168.2.4	107.178.108.41
Dec 19, 2024 05:00:09.321832895 CET	587	49730	107.178.108.41	192.168.2.4
Dec 19, 2024 05:00:09.581747055 CET	587	49730	107.178.108.41	192.168.2.4
Dec 19, 2024 05:00:09.582634926 CET	49730	587	192.168.2.4	107.178.108.41
Dec 19, 2024 05:00:09.702219009 CET	587	49730	107.178.108.41	192.168.2.4
Dec 19, 2024 05:00:09.963105917 CET	587	49730	107.178.108.41	192.168.2.4
Dec 19, 2024 05:00:09.963409901 CET	49730	587	192.168.2.4	107.178.108.41
Dec 19, 2024 05:00:10.082983971 CET	587	49730	107.178.108.41	192.168.2.4
Dec 19, 2024 05:00:10.347291946 CET	587	49730	107.178.108.41	192.168.2.4
Dec 19, 2024 05:00:10.347621918 CET	49730	587	192.168.2.4	107.178.108.41
Dec 19, 2024 05:00:10.467459917 CET	587	49730	107.178.108.41	192.168.2.4
Dec 19, 2024 05:00:10.727585077 CET	587	49730	107.178.108.41	192.168.2.4
Dec 19, 2024 05:00:10.728064060 CET	49730	587	192.168.2.4	107.178.108.41
Dec 19, 2024 05:00:10.847822905 CET	587	49730	107.178.108.41	192.168.2.4
Dec 19, 2024 05:00:11.177880049 CET	587	49730	107.178.108.41	192.168.2.4
Dec 19, 2024 05:00:11.178102016 CET	49730	587	192.168.2.4	107.178.108.41
Dec 19, 2024 05:00:11.297769070 CET	587	49730	107.178.108.41	192.168.2.4
Dec 19, 2024 05:00:11.557923079 CET	587	49730	107.178.108.41	192.168.2.4
Dec 19, 2024 05:00:11.558649063 CET	49730	587	192.168.2.4	107.178.108.41
Dec 19, 2024 05:00:11.558832884 CET	49730	587	192.168.2.4	107.178.108.41
Dec 19, 2024 05:00:11.558832884 CET	49730	587	192.168.2.4	107.178.108.41
Dec 19, 2024 05:00:11.558832884 CET	49730	587	192.168.2.4	107.178.108.41
Dec 19, 2024 05:00:11.678662062 CET	587	49730	107.178.108.41	192.168.2.4
Dec 19, 2024 05:00:11.678731918 CET	587	49730	107.178.108.41	192.168.2.4
Dec 19, 2024 05:00:11.678766966 CET	587	49730	107.178.108.41	192.168.2.4
Dec 19, 2024 05:00:11.678796053 CET	587	49730	107.178.108.41	192.168.2.4
Dec 19, 2024 05:00:12.011750937 CET	587	49730	107.178.108.41	192.168.2.4
Dec 19, 2024 05:00:12.063622952 CET	49730	587	192.168.2.4	107.178.108.41
Dec 19, 2024 05:01:43.267781019 CET	49730	587	192.168.2.4	107.178.108.41
Dec 19, 2024 05:01:43.387484074 CET	587	49730	107.178.108.41	192.168.2.4
Dec 19, 2024 05:01:43.649033070 CET	587	49730	107.178.108.41	192.168.2.4
Dec 19, 2024 05:01:43.655827999 CET	49730	587	192.168.2.4	107.178.108.41

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 05:00:03.255337000 CET	49394	53	192.168.2.4	1.1.1.1
Dec 19, 2024 05:00:04.251239061 CET	49394	53	192.168.2.4	1.1.1.1
Dec 19, 2024 05:00:05.267054081 CET	49394	53	192.168.2.4	1.1.1.1
Dec 19, 2024 05:00:06.064115047 CET	53	49394	1.1.1.1	192.168.2.4
Dec 19, 2024 05:00:06.064176083 CET	53	49394	1.1.1.1	192.168.2.4
Dec 19, 2024 05:00:06.064205885 CET	53	49394	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 19, 2024 05:00:03.255337000 CET	192.168.2.4	1.1.1.1	0xf712	Standard query (0)	mail.pgsu.co.id	A (IP address)	IN (0x0001)	false
Dec 19, 2024 05:00:04.251239061 CET	192.168.2.4	1.1.1.1	0xf712	Standard query (0)	mail.pgsu.co.id	A (IP address)	IN (0x0001)	false
Dec 19, 2024 05:00:05.267054081 CET	192.168.2.4	1.1.1.1	0xf712	Standard query (0)	mail.pgsu.co.id	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 19, 2024 05:00:06.064115047 CET	1.1.1.1	192.168.2.4	0xf712	No error (0)	mail.pgsu.co.id	pgsu.co.id		CNAME (Canonical name)	IN (0x0001)	false
Dec 19, 2024 05:00:06.064115047 CET	1.1.1.1	192.168.2.4	0xf712	No error (0)	pgsu.co.id		107.178.108.41	A (IP address)	IN (0x0001)	false
Dec 19, 2024 05:00:06.064176083 CET	1.1.1.1	192.168.2.4	0xf712	No error (0)	mail.pgsu.co.id	pgsu.co.id		CNAME (Canonical name)	IN (0x0001)	false
Dec 19, 2024 05:00:06.064176083 CET	1.1.1.1	192.168.2.4	0xf712	No error (0)	pgsu.co.id		107.178.108.41	A (IP address)	IN (0x0001)	false
Dec 19, 2024 05:00:06.064205885 CET	1.1.1.1	192.168.2.4	0xf712	No error (0)	mail.pgsu.co.id	pgsu.co.id		CNAME (Canonical name)	IN (0x0001)	false
Dec 19, 2024 05:00:06.064205885 CET	1.1.1.1	192.168.2.4	0xf712	No error (0)	pgsu.co.id		107.178.108.41	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Dec 19, 2024 05:00:07.444377899 CET	587	49730	107.178.108.41	192.168.2.4	220-grogolvps.padinet.com ESMTP Exim 4.98 #2 Thu, 19 Dec 2024 11:00:07 +0700 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Dec 19, 2024 05:00:07.445389032 CET	49730	587	192.168.2.4	107.178.108.41	EHLO 835180
Dec 19, 2024 05:00:07.825557947 CET	587	49730	107.178.108.41	192.168.2.4	250-grogolvps.padinet.com Hello 835180 [8.46.123.189] 250-SIZE 52428800 250-LIMITS MAILMAX=1000 RCPTMAX=50000 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Dec 19, 2024 05:00:07.825783968 CET	49730	587	192.168.2.4	107.178.108.41	STARTTLS
Dec 19, 2024 05:00:08.208023071 CET	587	49730	107.178.108.41	192.168.2.4	220 TLS go ahead

Target ID:	0
Start time:	22:59:58
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\nnn.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\nnn.exe"
Imagebase:	0xe80000
File size:	1'179'136 bytes
MD5 hash:	674524D2048C49E12FA30E6F42EAD69A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1726912638.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1726912638.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.1726912638.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	23:00:01
Start date:	18/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\nnn.exe"
Imagebase:	0x1e0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.4161444744.0000000002639000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.4161444744.000000000260E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.4160397848.00000000005B2000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.4160397848.00000000005B2000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.4161444744.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.4161444744.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	0.9%
Signature Coverage:	2.8%
Total number of Nodes:	1990
Total number of Limit Nodes:	52

Executed Functions

Function 00E842DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00E8430D

Part of subcall function 00E86B57: _wcslen.LIBCMT ref: 00E86B6A

GetCurrentProcess.KERNEL32(?,00F1CB64,00000000,?,?), ref: 00E84422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00E84429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00E84454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00E84466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00E84474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00E8447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00E844A0

Strings

kernel32.dll, xrefs: 00E8444F
GetNativeSystemInfo, xrefs: 00E84460
|O, xrefs: 00EC36F8

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 2bbdddd6a260fb97ff36812543c23a4a1c16860e394ceaac1f3ee122f710e6fa
Instruction ID: 7c5143cadead0cc38d8bcb3cc8792a0ab19bf43b6acc153b571e8aa8ebf2278e
Opcode Fuzzy Hash: 2bbdddd6a260fb97ff36812543c23a4a1c16860e394ceaac1f3ee122f710e6fa
Instruction Fuzzy Hash: E8A109A18093CCCFC711D7B87C607D57FA4BF3634AB08A89DD289B3662D2216509FB61

Function 00E842A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00E850AA,?,?,00000000,00000000), ref: 00E842B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00E850AA,?,?,00000000,00000000), ref: 00E842C9
LoadResource.KERNEL32(?,00000000,?,?,00E850AA,?,?,00000000,00000000,?,?,?,?,?,?,00E84F20), ref: 00EC35BE
SizeofResource.KERNEL32(?,00000000,?,?,00E850AA,?,?,00000000,00000000,?,?,?,?,?,?,00E84F20), ref: 00EC35D3
LockResource.KERNEL32(00E850AA,?,?,00E850AA,?,?,00000000,00000000,?,?,?,?,?,?,00E84F20,?), ref: 00EC35E6

Strings

SCRIPT, xrefs: 00E842BF

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: cb8fb15b5493bf404823137f1cdcdfa596574221ca499e106b8b5360be044b52
Instruction ID: a171543af4690ed93fd532478b1e9ef21c388951bd311694cd314efe69be315e
Opcode Fuzzy Hash: cb8fb15b5493bf404823137f1cdcdfa596574221ca499e106b8b5360be044b52
Instruction Fuzzy Hash: 5511ACB0240309BFD722AB65DC48FA77BB9EBC9B55F108169F40AE62A0DB71D8009660

Function 00EEDBBE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,"R), ref: 00EEDBCE
GetFileAttributesW.KERNELBASE(?), ref: 00EEDBDD
FindFirstFileW.KERNELBASE(?,?), ref: 00EEDBEE
FindClose.KERNEL32(00000000), ref: 00EEDBFA

Strings

"R, xrefs: 00EEDBCA

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID: "R
API String ID: 2695905019-1746183819
Opcode ID: 8f779e0729fe2b9794303380af241f38dce9ae2b41f63c614fe7941d7a3ace93
Instruction ID: b2f5408e92280e119150d6d7e8134a50412e47f41f34d281d4f70d6fbc6d5851
Opcode Fuzzy Hash: 8f779e0729fe2b9794303380af241f38dce9ae2b41f63c614fe7941d7a3ace93
Instruction Fuzzy Hash: 50F0E53085895C6782206B7CAC0D8EAB76C9E01378B219702F836D20F0EBB15D64D6D6

Function 00EC2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00E82B6B

Part of subcall function 00E83A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00F51418,?,00E82E7F,?,?,?,00000000), ref: 00E83A78

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00F42224), ref: 00EC2C10
ShellExecuteW.SHELL32(00000000,?,?,00F42224), ref: 00EC2C17

Strings

runas, xrefs: 00EC2C0B

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 40b36b71ae78d840f4d6a33fe3a5ab89635744c13e074bb5edaac9e286efa997
Instruction ID: 30f95a4977973a426db68fce03385f2efab597d50af28012a5ab1eec15631c3f
Opcode Fuzzy Hash: 40b36b71ae78d840f4d6a33fe3a5ab89635744c13e074bb5edaac9e286efa997
Instruction Fuzzy Hash: 1C11D6315083056AC704FF70D851EBEBBE4AB91745F44342DF64E720E3CF259A4AA752

Function 00E8D730 Relevance: 21.6, APIs: 14, Instructions: 623windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00E8D807
timeGetTime.WINMM ref: 00E8DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E8DB28
TranslateMessage.USER32(?), ref: 00E8DB7B
DispatchMessageW.USER32(?), ref: 00E8DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E8DB9F
Sleep.KERNEL32(0000000A), ref: 00E8DBB1

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 0f4ed526f085a6cea38b2319cb5aaaf59ea706f45e1d1c90ef7795177d5a4c4c
Instruction ID: f7aaba9fc0867f717b1e88739617615836d75578b5fc9d80864ad5931e0a2369
Opcode Fuzzy Hash: 0f4ed526f085a6cea38b2319cb5aaaf59ea706f45e1d1c90ef7795177d5a4c4c
Instruction Fuzzy Hash: F742FF30608341AFD728EB24CC44BAAB7E0FF85318F14A65EE55DA73D1D7B0A845DB82

Function 00E82CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E82D07
RegisterClassExW.USER32(00000030), ref: 00E82D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E82D42
InitCommonControlsEx.COMCTL32(?), ref: 00E82D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E82D6F
LoadIconW.USER32(000000A9), ref: 00E82D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E82D94

Strings

+, xrefs: 00E82CF0
TaskbarCreated, xrefs: 00E82D37
0, xrefs: 00E82CE9
AutoIt v3 GUI, xrefs: 00E82D23

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 5a41d85c0a20967af79f75443e99d32f32f061b51e85c65d631131acba0b7d4b
Instruction ID: dc9081884853eb00f15e9130fdce910869deb48f24791844c928cafbe381bc09
Opcode Fuzzy Hash: 5a41d85c0a20967af79f75443e99d32f32f061b51e85c65d631131acba0b7d4b
Instruction Fuzzy Hash: C821C0B594131CAFDB00DFA4E889BDDBBB4FB08701F01811AF611A62A0D7B55544EF91

Function 00EB8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

., xrefs: 00EB903A, 00EB8FD0, 00EB8FF2

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-3963672497
Opcode ID: c98949c2988f813fde068a35a0ff9857f8e1c697f2f671bac4f105ad659da3cc
Instruction ID: b20468182793d2102172766b4e9e337ac9a1dbf3537024f7e6a116adfc2efae3
Opcode Fuzzy Hash: c98949c2988f813fde068a35a0ff9857f8e1c697f2f671bac4f105ad659da3cc
Instruction Fuzzy Hash: 5CC1E474A04249AFDB11EFA8D841BEEBBF4AF49314F185159F614BB393CB309941CB61

Function 00EC065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00EC039A: CreateFileW.KERNELBASE(00000000,00000000,?,00EC0704,?,?,00000000,?,00EC0704,00000000,0000000C), ref: 00EC03B7

GetLastError.KERNEL32 ref: 00EC076F
__dosmaperr.LIBCMT ref: 00EC0776
GetFileType.KERNELBASE(00000000), ref: 00EC0782
GetLastError.KERNEL32 ref: 00EC078C
__dosmaperr.LIBCMT ref: 00EC0795
CloseHandle.KERNEL32(00000000), ref: 00EC07B5
CloseHandle.KERNEL32(?), ref: 00EC08FF
GetLastError.KERNEL32 ref: 00EC0931
__dosmaperr.LIBCMT ref: 00EC0938

Strings

H, xrefs: 00EC08BD

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 65bb2cda94358ff4ddfd7fbd69029cdbf7154b87b6bd089f78db07eef2fcbb9c
Instruction ID: df31f2a81efd6d46a08f57eeaa6d9763410f0ea1d985ca42b051cbb0d03fb23b
Opcode Fuzzy Hash: 65bb2cda94358ff4ddfd7fbd69029cdbf7154b87b6bd089f78db07eef2fcbb9c
Instruction Fuzzy Hash: A0A12532A002088FDF19AF68D951BAE7BE0EB46324F14515DF815AF2A1DB329913DB91

Function 00E8344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E83A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00F51418,?,00E82E7F,?,?,?,00000000), ref: 00E83A78

Part of subcall function 00E83357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00E83379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00E8356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00EC318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00EC31CE
RegCloseKey.ADVAPI32(?), ref: 00EC3210
_wcslen.LIBCMT ref: 00EC3277
_wcslen.LIBCMT ref: 00EC3286

Strings

\, xrefs: 00EC328C
\Include\, xrefs: 00E83527
Include, xrefs: 00EC3184, 00EC31C5
Software\AutoIt v3\AutoIt, xrefs: 00E83560

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 494bf31ed9e31790b11ee98d9f88a8434a0977405507fa9b277584168c47dd7f
Instruction ID: 35a6cce0efda4fea8ba6e446df9f846f9fffe8dd8ec704996049cd4e62540af1
Opcode Fuzzy Hash: 494bf31ed9e31790b11ee98d9f88a8434a0977405507fa9b277584168c47dd7f
Instruction Fuzzy Hash: 4F71C0714083059EC704EF65DC819ABBBE8FF8A740F40562EF649A71B1EB319A48DB52

Function 00E82B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E82B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00E82B9D
LoadIconW.USER32(00000063), ref: 00E82BB3
LoadIconW.USER32(000000A4), ref: 00E82BC5
LoadIconW.USER32(000000A2), ref: 00E82BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E82BEF
RegisterClassExW.USER32(?), ref: 00E82C40

Part of subcall function 00E82CD4: GetSysColorBrush.USER32(0000000F), ref: 00E82D07
Part of subcall function 00E82CD4: RegisterClassExW.USER32(00000030), ref: 00E82D31
Part of subcall function 00E82CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E82D42
Part of subcall function 00E82CD4: InitCommonControlsEx.COMCTL32(?), ref: 00E82D5F
Part of subcall function 00E82CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E82D6F
Part of subcall function 00E82CD4: LoadIconW.USER32(000000A9), ref: 00E82D85
Part of subcall function 00E82CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E82D94

Strings

AutoIt v3, xrefs: 00E82C2F
#, xrefs: 00E82C16
0, xrefs: 00E82C0F

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 47e938b6b2a22d40ef605803b839e663e27693cb22c2be5b25310deaaaa5f66d
Instruction ID: ca3e3018075aa390411999b7983d1dc80f74e5833b09e457fb344828cfb62086
Opcode Fuzzy Hash: 47e938b6b2a22d40ef605803b839e663e27693cb22c2be5b25310deaaaa5f66d
Instruction Fuzzy Hash: 41215E70E4031CAFDB109FA5EC65BAE7FB4FB48B51F01415AF604A66A0D3B12940EF90

Function 00E83170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00E8316A,?,?), ref: 00E831D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00E8316A,?,?), ref: 00E83204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E83227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00E8316A,?,?), ref: 00E83232
CreatePopupMenu.USER32 ref: 00E83246
PostQuitMessage.USER32(00000000), ref: 00E83267

Strings

TaskbarCreated, xrefs: 00E8322D

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 84aa61e52c52440e27c721453dc839d9948cd68b00c56ad3f279b026ce6df10c
Instruction ID: e1ea18cc51a4aeaa1f439c50b153dbaddb48b574a8801c999cfaf6372d89279e
Opcode Fuzzy Hash: 84aa61e52c52440e27c721453dc839d9948cd68b00c56ad3f279b026ce6df10c
Instruction Fuzzy Hash: 8D414B31240308ABDB153B789D1DBFD3A59F706F09F046119FB0EB51E2D7B1AA41A7A1

Function 0174F458 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 0174F529
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0174F74F

Memory Dump Source

Source File: 00000000.00000002.1727069683.000000000174C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0174C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_174c000_nnn.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction ID: d93589165188e97dc6094775575c2a24ea4f7e108728dd31b3dbe63f16d79e19
Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction Fuzzy Hash: 95A1F874E00209EBDB14CFA8C994BAEFBB5FF48304F208199E611BB291D7759A41CF95

Function 00E82C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E82C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E82CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00E81CAD,?), ref: 00E82CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00E81CAD,?), ref: 00E82CCF

Strings

AutoIt v3, xrefs: 00E82C89, 00E82C8E, 00E82C8F
edit, xrefs: 00E82CAC

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: a648c142c68f59e505f13e4ef55c705515facfd7b8e571af58c41d2bdf56f6c9
Instruction ID: 674c4e1776c30cc57da9db59ae40bfa08f8473b7a5152ccbc36402bf0da6746d
Opcode Fuzzy Hash: a648c142c68f59e505f13e4ef55c705515facfd7b8e571af58c41d2bdf56f6c9
Instruction Fuzzy Hash: CDF0B7755813987AEB211717AC18FB73EBDE7C6F61B02405EFA00A65A0C6626850EAB4

Function 0174F228 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 146
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0174F118: Sleep.KERNELBASE(000001F4), ref: 0174F129

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0174F34F

Strings

2RH74DREGKZJA9RKH4WRAI, xrefs: 0174F3B2, 0174F3B5

Memory Dump Source

Source File: 00000000.00000002.1727069683.000000000174C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0174C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_174c000_nnn.jbxd

Similarity

API ID: CreateFileSleep
String ID: 2RH74DREGKZJA9RKH4WRAI
API String ID: 2694422964-2648278133
Opcode ID: 1e22f49baacddfc2c86f71f393057abab0ca676b6ee03ac2d206785de90c66fd
Instruction ID: be47135d203a22be8b0a294da8a01f199b45571773d91c592ad8bfdeb78081df
Opcode Fuzzy Hash: 1e22f49baacddfc2c86f71f393057abab0ca676b6ee03ac2d206785de90c66fd
Instruction Fuzzy Hash: A651C370D04289DBEF11DBA8C859BEEFBB4AF19304F004199E2087B2C1D7B91B44CB66

Function 00EF2947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EF2C05
DeleteFileW.KERNEL32(?), ref: 00EF2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00EF2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EF2CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EF2CC0

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 746b7fd6dc06fbf850a33226e636ce6ba0364cf168a017f5499ff7be5e330cdb
Instruction ID: 9e193032a7f88af0b703ba1ff65a8e2b51d1338ec1d70f6879d44e5e29155316
Opcode Fuzzy Hash: 746b7fd6dc06fbf850a33226e636ce6ba0364cf168a017f5499ff7be5e330cdb
Instruction Fuzzy Hash: 3FB13D7290011DABDF11EBA4CC85EEEBBBDEF49350F1050AAF609F6151EB319A448B61

Function 00EB5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

JO, xrefs: 00EB5BA8, 00EB5C6C

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID:
String ID: JO
API String ID: 0-1663374661
Opcode ID: a511482d45667dd96f8b332f3eba26e2f2ee7bcbc8ae635dca77e4af467e065d
Instruction ID: 7ad9559d7db4585837eec8fa9204c3c6a3369178b62ba129d91d7dc4b937a653
Opcode Fuzzy Hash: a511482d45667dd96f8b332f3eba26e2f2ee7bcbc8ae635dca77e4af467e065d
Instruction Fuzzy Hash: 8A5191729006099BCB11AFA4C885FEFBFF9AF49314F14215AF405BB291D73199019BA1

Function 00E83B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00E83B0F,SwapMouseButtons,00000004,?), ref: 00E83B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00E83B0F,SwapMouseButtons,00000004,?), ref: 00E83B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00E83B0F,SwapMouseButtons,00000004,?), ref: 00E83B83

Strings

Control Panel\Mouse, xrefs: 00E83B3E

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 72ca1f873657b8b48de6267b7f6a90a6df0610b3aa15c46a00b60fda8cef1f9e
Instruction ID: 1b13d9f4718bbcfc3836fa7c41ca0a910c21bdab0fd455a23e3b0dab9d99d47c
Opcode Fuzzy Hash: 72ca1f873657b8b48de6267b7f6a90a6df0610b3aa15c46a00b60fda8cef1f9e
Instruction Fuzzy Hash: 67112AB5510208FFDB20DFA5DC44AEEBBB9EF04B84B109459A809E7110E2319F40A7A0

Function 0174E118 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0174E945
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0174E969
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0174E98B

Memory Dump Source

Source File: 00000000.00000002.1727069683.000000000174C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0174C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_174c000_nnn.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
Instruction ID: f6a867bba1f0c2b81a0962b99700d7548835fbe693c7f95eaffb83ad81719f76
Opcode Fuzzy Hash: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
Instruction Fuzzy Hash: FA62EC30A142589BEB24CFA4C854BDEB776FF58300F1091A9D10DEB394EB799E81CB59

Function 00E8DFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00ED32B7

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 473fc311d5e95ddf3bfba15efad96ed795f8628becd8c2277bad7a1ed3747342
Instruction ID: e3cac6b98da647a17a67c3b4d940f5d7c64b116869949703aed03598b885400c
Opcode Fuzzy Hash: 473fc311d5e95ddf3bfba15efad96ed795f8628becd8c2277bad7a1ed3747342
Instruction Fuzzy Hash: 98C26971A00215CFCB24EF68C881AADB7F1FB09314F24956AE919BB3A1D375ED41CB91

Function 00E83923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00EC33A2

Part of subcall function 00E86B57: _wcslen.LIBCMT ref: 00E86B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E83A04

Strings

Line: , xrefs: 00EC33EB

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 0de5e720906431fbf2133cd03ddf4239b302456ce7f376ac5c472d8ba4942ba7
Instruction ID: 46300efbda7ecdaca63c802952e0c29a8df2890dba7e9cd8ce41fd198ab4c09f
Opcode Fuzzy Hash: 0de5e720906431fbf2133cd03ddf4239b302456ce7f376ac5c472d8ba4942ba7
Instruction Fuzzy Hash: EF31C371508304AAD725FB20DC45BEBB7D8AB84B14F00692EF69DA2091EB74A649C7C2

Function 00E9FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00EA0668

Part of subcall function 00EA32A4: RaiseException.KERNEL32(?,?,?,00EA068A,?,00F51444,?,?,?,?,?,?,00EA068A,00E81129,00F48738,00E81129), ref: 00EA3304

__CxxThrowException@8.LIBVCRUNTIME ref: 00EA0685

Strings

Unknown exception, xrefs: 00EA0692

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 2b93c92e630efdb226c1f6836a7389f2ba39191ffce21abaf022da273f54005c
Instruction ID: 76a92a9bb0db1e7e346a004267e6f5a2173d4d5a283ddfb80464e4f7e9973dcb
Opcode Fuzzy Hash: 2b93c92e630efdb226c1f6836a7389f2ba39191ffce21abaf022da273f54005c
Instruction Fuzzy Hash: 1AF0C23490020D778F00B6B4D856DAE7BAC5E4A358B605131F814FE9E2EF71FA66C5D1

Function 00EF3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00EF302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00EF3044

Strings

aut, xrefs: 00EF3038

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 485be7ee63fc9e0d1f83b324680a85d4374bb6033cb724bf3775a043ea2fc2a1
Instruction ID: b1dae01cee86c5264dfcd6383f3634925e040678e4a6e32d9a6c4b7a5db013ce
Opcode Fuzzy Hash: 485be7ee63fc9e0d1f83b324680a85d4374bb6033cb724bf3775a043ea2fc2a1
Instruction Fuzzy Hash: 61D05EB254032867DA20A7A4AC0EFCB3A6CDB05750F0002A1BA55E2091DAF4D984CAD1

Function 00F07F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00F082F5
TerminateProcess.KERNEL32(00000000), ref: 00F082FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 00F084DD

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: f0a84502bc07d791de548810d3df824830b004db7c675684d2f847995c046937
Instruction ID: d91c0fce233ded46076ddb35746a47d44266acc6ff0974087c512cbdbbaf715c
Opcode Fuzzy Hash: f0a84502bc07d791de548810d3df824830b004db7c675684d2f847995c046937
Instruction Fuzzy Hash: 26128D71A083019FC714DF28C484B2ABBE1BF84364F14895DE8899B392CB31ED46DF92

Function 00E810F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E81BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E81BF4
Part of subcall function 00E81BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00E81BFC
Part of subcall function 00E81BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E81C07
Part of subcall function 00E81BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E81C12
Part of subcall function 00E81BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00E81C1A
Part of subcall function 00E81BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00E81C22

Part of subcall function 00E81B4A: RegisterWindowMessageW.USER32(00000004,?,00E812C4), ref: 00E81BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00E8136A
OleInitialize.OLE32 ref: 00E81388
CloseHandle.KERNEL32(00000000,00000000), ref: 00EC24AB

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 1077661e27d8df96c015ff05f6f81820fd39fc6403c80547cc1c5844c45aff60
Instruction ID: 86abb9199ff8b4ffa4178647cf9fc86db1778f7719c88ff6eb88c8a0a536ab38
Opcode Fuzzy Hash: 1077661e27d8df96c015ff05f6f81820fd39fc6403c80547cc1c5844c45aff60
Instruction Fuzzy Hash: 3471EDB49013088FC794EF79A9417953AE4BB89347B58962AD60ED7362FB306845EF40

Function 00EEC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E83923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E83A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00EEC259
KillTimer.USER32(?,00000001,?,?), ref: 00EEC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00EEC270

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 43afb788b6d237f5111a05f0fccf6614704838b9c97f8a42cbeb65e8fc6554fb
Instruction ID: 2571cf161b2af8446e86bb491b0fb8dcf4273164e591020ef786d138a0647d99
Opcode Fuzzy Hash: 43afb788b6d237f5111a05f0fccf6614704838b9c97f8a42cbeb65e8fc6554fb
Instruction Fuzzy Hash: 5631D470904788AFEB229B648855BE6BBECAB0A308F10109DD29EA7251C3745A85CB51

Function 00EB86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00EB85CC,?,00F48CC8,0000000C), ref: 00EB8704
GetLastError.KERNEL32(?,00EB85CC,?,00F48CC8,0000000C), ref: 00EB870E
__dosmaperr.LIBCMT ref: 00EB8739

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 3119f523233a74476db04b6e7b21110df89245cd764a72c5e53a8974aa89e1b6
Instruction ID: de3054e506043aa4cef2aa8fe58051476163af55b8f9ad8731568ce35111f0d7
Opcode Fuzzy Hash: 3119f523233a74476db04b6e7b21110df89245cd764a72c5e53a8974aa89e1b6
Instruction Fuzzy Hash: D901083360562026D6647234AA457EF67CD4B8277CF392129E814BB3D6DEA08C81D590

Function 00E8DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00E8DB7B
DispatchMessageW.USER32(?), ref: 00E8DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E8DB9F
Sleep.KERNEL32(0000000A), ref: 00E8DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00ED1CC9

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: ff59c5bfc061aa99ce71c01a70824f5a6bbdd6d39ed375c22904112d301e3143
Instruction ID: 250cdc0129f8819b17eefd01e131e93e7dd9d28f464b3283d12dd95ac4de981b
Opcode Fuzzy Hash: ff59c5bfc061aa99ce71c01a70824f5a6bbdd6d39ed375c22904112d301e3143
Instruction Fuzzy Hash: 79F082306483449BEB34DB70CC49FEA73ADEB44315F105919E60EE30C0DB70A488DB55

Function 00EF2FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00EF2CD4,?,?,?,00000004,00000001), ref: 00EF2FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00EF2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00EF3006
CloseHandle.KERNEL32(00000000,?,00EF2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00EF300D

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 1e9bf152af2a17ebd3087ab0c0e48c3adebe604eede22a58e82343c75988b168
Instruction ID: 7530d09d6eb2a15fb1f6cb651623b7c1c9bfc27e4cd52ce764b449df6df2e29f
Opcode Fuzzy Hash: 1e9bf152af2a17ebd3087ab0c0e48c3adebe604eede22a58e82343c75988b168
Instruction Fuzzy Hash: A9E086322C022877E2302765BC0DFDB3A1CD786B75F118210F769750D186A0160152E8

Function 00E91310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00E917F6

Strings

CALL, xrefs: 00E917C6

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 1a42ea8a29ad7d601eea231ee9e80e53f18e10602d41d1636254495ee1330564
Instruction ID: e997a6c3a35e9588c5e34038ce9ae514bbbd4522c9f23325f40217b875877d48
Opcode Fuzzy Hash: 1a42ea8a29ad7d601eea231ee9e80e53f18e10602d41d1636254495ee1330564
Instruction Fuzzy Hash: D3226C706083429FCB14DF14C480A6ABBF1FF89314F19999DF496AB3A2D771E845CB92

Function 00EF6EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EF6F6B

Part of subcall function 00E84ECB: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00F51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E84EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00EF6F5A, 00EF6F63

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 2d7c5a310ddcbc59c85f861aed8045cf042d37caf4f036693ba95bf8a4ad01ab
Instruction ID: 6571c5d8e0acb794d2569c55f638333cea83c1ea789710dd3899ff3c977a151a
Opcode Fuzzy Hash: 2d7c5a310ddcbc59c85f861aed8045cf042d37caf4f036693ba95bf8a4ad01ab
Instruction Fuzzy Hash: 42B170712082058FDB14FF20C49197EB7E5AF94304F14996DF59EA72A2EB30ED49CB92

Function 00E82DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00EC2C8C

Part of subcall function 00E83AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E83A97,?,?,00E82E7F,?,?,?,00000000), ref: 00E83AC2

Part of subcall function 00E82DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E82DC4

Strings

X, xrefs: 00EC2C5A

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: b993dd09a8cf8b36296bec006840525053d4052fe89f664e6c224af7c8c90df4
Instruction ID: efc2f9ab7c2c7f2fd95938c4fa48f595b35607ee43d1ef29573aeff78f889c09
Opcode Fuzzy Hash: b993dd09a8cf8b36296bec006840525053d4052fe89f664e6c224af7c8c90df4
Instruction Fuzzy Hash: F9219371A002589BDF01EF94C845BEE7BF8AF49715F00905DE50DFB241DBB45A498BA1

Function 00EF2557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00EF2587

Strings

EA06, xrefs: 00EF25B9

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 17935d170330e1f9ddf7caac1cd7ee639d883e145ae1fa02ad77fc23ecd8c179
Instruction ID: e209e487a4c4b156fe1bb6e4847bb70405b2f440b0e37d6d3e87292178ee09b9
Opcode Fuzzy Hash: 17935d170330e1f9ddf7caac1cd7ee639d883e145ae1fa02ad77fc23ecd8c179
Instruction Fuzzy Hash: F401B5729042587EDF18C7A8C856EFEBBF8DB06305F00459EE652E6181E5B8E7088B61

Function 00E83837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E83908

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: da28d94d12a4cf1a7099a79998155e9482be22dfc53343313ba0cdfee41f0894
Instruction ID: 30e32cd0f1cf04271226eb35720157eef61f8bc352b131d54f697ad7bf9fe6e0
Opcode Fuzzy Hash: da28d94d12a4cf1a7099a79998155e9482be22dfc53343313ba0cdfee41f0894
Instruction Fuzzy Hash: 6D31C3705047059FD720EF34D895797BBE4FB49709F00092EF69DA3290E771AA44CB52

Function 0174E115 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0174E945
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0174E969
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0174E98B

Memory Dump Source

Source File: 00000000.00000002.1727069683.000000000174C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0174C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_174c000_nnn.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction ID: 523ce152be0e611a9c6b58913641df07a9eda0702e94eb11cfcd7d62b0c41171
Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction Fuzzy Hash: 7F12CD24E24658C6EB24DF64D8507DEB232FF68300F1094E9910DEB7A5E77A4F81CB5A

Function 00E9FC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00E9FD1F

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: bc62e59d367e4ba869ffbfcbbe3d5e2c5441d3bb8617ea00b925c2b0208157b0
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 2431D275A00109DBCB18CF59D480AA9FBA6FF49304B24E6A5E809EB756D731EDC1CBC4

Function 00E84ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E84E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E84EDD,?,00F51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E84E9C
Part of subcall function 00E84E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E84EAE
Part of subcall function 00E84E90: FreeLibrary.KERNEL32(00000000,?,?,00E84EDD,?,00F51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E84EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00F51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E84EFD

Part of subcall function 00E84E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00EC3CDE,?,00F51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E84E62
Part of subcall function 00E84E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E84E74
Part of subcall function 00E84E59: FreeLibrary.KERNEL32(00000000,?,?,00EC3CDE,?,00F51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E84E87

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: b5883783b95909491c15fc08a091420bc7b26eebab158333dd90ff94ad83e156
Instruction ID: 73a944a5fb168e80df535322341807277b19bd43de0a1f24a12dcb35a44aa39d
Opcode Fuzzy Hash: b5883783b95909491c15fc08a091420bc7b26eebab158333dd90ff94ad83e156
Instruction Fuzzy Hash: 2E11C172700206AACB14BB60D902FAD77E5EF40714F10A42EF64EBA1D1EE719A459790

Function 00EB8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00EB8440

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 2c8aade0e153c04de5333c13dc1de2315d20e6ffcecd031c174ef03ec98bfe60
Instruction ID: 910ae7e2fef82e891e457a6dcc0bb69edd7d21b5ba129ee7067f7a80830554a1
Opcode Fuzzy Hash: 2c8aade0e153c04de5333c13dc1de2315d20e6ffcecd031c174ef03ec98bfe60
Instruction Fuzzy Hash: 3211067590420AAFCB05DF58EA41ADF7BF9EF48314F104059F818AB312DA31DA11CBA5

Function 00EB5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00EB4C7D: RtlAllocateHeap.NTDLL(00000008,00E81129,00000000,?,00EB2E29,00000001,00000364,?,?,?,00EAF2DE,00EB3863,00F51444,?,00E9FDF5,?), ref: 00EB4CBE

_free.LIBCMT ref: 00EB506C

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 70ee4adefee6eb26262b39f529bfb094e1f6354ac2554c6942b38d017f4a210d
Instruction ID: 0b8e7350566b953dd8bbfcbb1960e1904af0e9459bd2d9117d9b14d59f37ce5e
Opcode Fuzzy Hash: 70ee4adefee6eb26262b39f529bfb094e1f6354ac2554c6942b38d017f4a210d
Instruction Fuzzy Hash: C50126732047056BE3219E659881ADBFBE8FB89370F25091DE294A32C0EA30A905C6B4

Function 00EAE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
Instruction ID: c151f39cc51abbfaac46ae00f63411847774a7ee2b708e64beb2bd52431a7f62
Opcode Fuzzy Hash: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
Instruction Fuzzy Hash: D3F0F432510A14A6D6353A699C05B9B33DC9FD7334F102B59F525BA3D2DB70F80186A5

Function 00EB4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00E81129,00000000,?,00EB2E29,00000001,00000364,?,?,?,00EAF2DE,00EB3863,00F51444,?,00E9FDF5,?), ref: 00EB4CBE

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 36e75ac671b51678a7ae16d41bb3c4b9d369a486a3c185a00e88b2b96bee8f21
Instruction ID: 2d3864af718183b85ffde846d57e2cb58f3ac8139377542b6bd9bcb9618aeef1
Opcode Fuzzy Hash: 36e75ac671b51678a7ae16d41bb3c4b9d369a486a3c185a00e88b2b96bee8f21
Instruction Fuzzy Hash: AFF0BB7164222866FB215F629C05FD7BFC8BF41B65B196121F919BA1D3CA70EC0059E0

Function 00EB3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00F51444,?,00E9FDF5,?,?,00E8A976,00000010,00F51440,00E813FC,?,00E813C6,?,00E81129), ref: 00EB3852

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b125f32be4c55ec52c5bd31bb454ce63861f3df7f419743f4d7f06ba4702d955
Instruction ID: f288e896b89ef67e64d087ef2d489cb63d1bcefb2c071f84436bf3451518c7be
Opcode Fuzzy Hash: b125f32be4c55ec52c5bd31bb454ce63861f3df7f419743f4d7f06ba4702d955
Instruction Fuzzy Hash: 09E0E53114022466D72526BB9C02BDB36C8BF827B4F162230BC04BA4E1DB50ED0181E2

Function 00EB4D7A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00EB4D9C

Part of subcall function 00EB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000), ref: 00EB29DE
Part of subcall function 00EB29C8: GetLastError.KERNEL32(00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000,00000000), ref: 00EB29F0

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction ID: ad506300b8c279fa2e0f70a75b23349d858882bea1a9c5277d5964c48bb1298e
Opcode Fuzzy Hash: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction Fuzzy Hash: 95E092761003059F8720CF6CD400AC2B7F4EF843247208929E99DE3311D331E812CB80

Function 00E84F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00F51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E84F6D

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: ddd9430bf3f331ed71350a80f29c0016836b3c87050f5d8056a8a434fa99f166
Instruction ID: 2d0418afe28c06b49a146ad4f6a841081362e8c7508d324bc400e8aa9092f929
Opcode Fuzzy Hash: ddd9430bf3f331ed71350a80f29c0016836b3c87050f5d8056a8a434fa99f166
Instruction Fuzzy Hash: 0DF030B1205752CFDB34AF64D490852B7E4FF1431D315A97EE2DEA2651C7319844DF50

Function 00E82DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E82DC4

Part of subcall function 00E86B57: _wcslen.LIBCMT ref: 00E86B6A

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 0bfbff7e68eb68b6ea0bb00c12d0a2d92c9f2f13560251695c60ad2b32d3aec1
Instruction ID: 38e3dacaa5d581c33be39ccb732d8467556c649c8c1c9b4a26442451110918d5
Opcode Fuzzy Hash: 0bfbff7e68eb68b6ea0bb00c12d0a2d92c9f2f13560251695c60ad2b32d3aec1
Instruction Fuzzy Hash: 99E0CD726002245BC710A2989C05FDA77DDDFC8794F0540B5FD0DE7248D970ED808690

Function 00EF2693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00EF26B5

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: b583fe73eb9ba45501d93193ceb2f316804941ccc733c955bf6c1c82f7220284
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: D7E04FB0609B005FDF3D5A28A8517B677E89F4A304F04186EF79BD2352E67278458A4D

Function 00E82B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00E83837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E83908

Part of subcall function 00E8D730: GetInputState.USER32 ref: 00E8D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00E82B6B

Part of subcall function 00E830F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00E8314E

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 2d65a59419c3202283733df99bf1d9adaa1c762b8e13af598bc5709c184d38a7
Instruction ID: 156647871b1602c03f113fa5a85847309ebb3d8ffa66e9f2b7e2234ae0beaf16
Opcode Fuzzy Hash: 2d65a59419c3202283733df99bf1d9adaa1c762b8e13af598bc5709c184d38a7
Instruction Fuzzy Hash: 02E0862170424806CA08BB74A8525BDF7D99BD2756F40353EF64EB71E3CE2549494352

Function 00EC039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00EC0704,?,?,00000000,?,00EC0704,00000000,0000000C), ref: 00EC03B7

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a53b64cbcf100b8a5715fd72bf8ba6f5c62ff87e7c1a7b0047f73aebeb157a6a
Instruction ID: 3b91d21c470b8b76c699d12721301452dd52698c001a00d0b7d690470abde19f
Opcode Fuzzy Hash: a53b64cbcf100b8a5715fd72bf8ba6f5c62ff87e7c1a7b0047f73aebeb157a6a
Instruction Fuzzy Hash: 7BD06C3208010DBBDF028F84DD06EDA3BAAFB48714F018000BE1866020C732E821AB90

Function 00E81CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00E81CBC

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: df33790c980f8244a0b265299ee47125fb353cfc42b698fda71aa558929eda51
Instruction ID: a62342313c9bb40367302a4a05cdc849472804e2a971c86240189e5b38af912c
Opcode Fuzzy Hash: df33790c980f8244a0b265299ee47125fb353cfc42b698fda71aa558929eda51
Instruction Fuzzy Hash: D9C092362C030CAFF2198B80BC5AF507765B349B02F098401F709A95F3D7A22820FA90

Function 0174F118 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 0174F129

Memory Dump Source

Source File: 00000000.00000002.1727069683.000000000174C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0174C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_174c000_nnn.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 22d679e0bb8ec3984bbb2a73402fcc18e7fdc8ce4999f2cfa775cfdedae1e954
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 82E0E67498010DDFDB00EFB8D54969E7BB4EF04301F100161FD01D2281D7309D508A62

Non-executed Functions

Function 00F19576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00E99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E99BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00F1961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F1965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00F1969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F196C9
SendMessageW.USER32 ref: 00F196F2
GetKeyState.USER32(00000011), ref: 00F1978B
GetKeyState.USER32(00000009), ref: 00F19798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F197AE
GetKeyState.USER32(00000010), ref: 00F197B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F197E9
SendMessageW.USER32 ref: 00F19810
SendMessageW.USER32(?,00001030,?,00F17E95), ref: 00F19918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00F1992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00F19941
SetCapture.USER32(?), ref: 00F1994A
ClientToScreen.USER32(?,?), ref: 00F199AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00F199BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F199D6
ReleaseCapture.USER32 ref: 00F199E1
GetCursorPos.USER32(?), ref: 00F19A19
ScreenToClient.USER32(?,?), ref: 00F19A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00F19A80
SendMessageW.USER32 ref: 00F19AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00F19AEB
SendMessageW.USER32 ref: 00F19B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00F19B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00F19B4A
GetCursorPos.USER32(?), ref: 00F19B68
ScreenToClient.USER32(?,?), ref: 00F19B75
GetParent.USER32(?), ref: 00F19B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00F19BFA
SendMessageW.USER32 ref: 00F19C2B
ClientToScreen.USER32(?,?), ref: 00F19C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00F19CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00F19CDE
SendMessageW.USER32 ref: 00F19D01
ClientToScreen.USER32(?,?), ref: 00F19D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00F19D82

Part of subcall function 00E99944: GetWindowLongW.USER32(?,000000EB), ref: 00E99952

GetWindowLongW.USER32(?,000000F0), ref: 00F19E05

Strings

@GUI_DRAGID, xrefs: 00F1997D
F, xrefs: 00F19D07

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: c43365b659742c0f02762f67f2adc844d93e5c2b9f3f55c1665f5012b408a424
Instruction ID: 25c97b66cfd2952d78dbd0a7b59993272126776a0bf6b2867885fe1f2b65eb0b
Opcode Fuzzy Hash: c43365b659742c0f02762f67f2adc844d93e5c2b9f3f55c1665f5012b408a424
Instruction Fuzzy Hash: CE429031508205EFD724CF24CC64BEABBE5FF88320F154619F699972A1D7B1E890EB91

Function 00F14873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00F148F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00F14908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00F14927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00F1494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00F1495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00F1497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00F149AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00F149D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00F14A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00F14A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00F14A7E
IsMenu.USER32(?), ref: 00F14A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F14AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F14B20
GetWindowLongW.USER32(?,000000F0), ref: 00F14B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00F14BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00F14C82
wsprintfW.USER32 ref: 00F14CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F14CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00F14CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00F14D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F14D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00F14D5A

Strings

%d/%02d/%02d, xrefs: 00F14CA8

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: a4cb6bd72034592f3ce7c566b9cca21659b0e5d630febb6ea1576135f52b1977
Instruction ID: 02a5ba752a97b4efba23af09c0814e00eca1ff28326c09b38898c9b770b49a62
Opcode Fuzzy Hash: a4cb6bd72034592f3ce7c566b9cca21659b0e5d630febb6ea1576135f52b1977
Instruction Fuzzy Hash: 2012E271A40218ABEB248F24CC49FEE7BF8EF85720F144119F519EB2E1D774A981EB50

Function 00E9F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00E9F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00EDF474
IsIconic.USER32(00000000), ref: 00EDF47D
ShowWindow.USER32(00000000,00000009), ref: 00EDF48A
SetForegroundWindow.USER32(00000000), ref: 00EDF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00EDF4AA
GetCurrentThreadId.KERNEL32 ref: 00EDF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00EDF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00EDF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00EDF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00EDF4DE
SetForegroundWindow.USER32(00000000), ref: 00EDF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00EDF4F6
keybd_event.USER32(00000012,00000000), ref: 00EDF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00EDF50B
keybd_event.USER32(00000012,00000000), ref: 00EDF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00EDF519
keybd_event.USER32(00000012,00000000), ref: 00EDF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00EDF528
keybd_event.USER32(00000012,00000000), ref: 00EDF52D
SetForegroundWindow.USER32(00000000), ref: 00EDF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00EDF557

Strings

Shell_TrayWnd, xrefs: 00EDF46F

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 17cbd8ff0e50409cdf148b13b148ccb5969c1374de52032fe300b27f4ec511b3
Instruction ID: fd81f19cd94dd1dda75e16e525114354601f3d41c8e45d13657a1498ba837f94
Opcode Fuzzy Hash: 17cbd8ff0e50409cdf148b13b148ccb5969c1374de52032fe300b27f4ec511b3
Instruction Fuzzy Hash: 56315D71A8021CBEEB216BB55C4AFFF7E6DEB44B50F154026FA05F61D1C6B09D01BAA0

Function 00EE1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00EE16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EE170D
Part of subcall function 00EE16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EE173A
Part of subcall function 00EE16C3: GetLastError.KERNEL32 ref: 00EE174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00EE1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00EE12A8
CloseHandle.KERNEL32(?), ref: 00EE12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00EE12D1
GetProcessWindowStation.USER32 ref: 00EE12EA
SetProcessWindowStation.USER32(00000000), ref: 00EE12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00EE1310

Part of subcall function 00EE10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00EE11FC), ref: 00EE10D4
Part of subcall function 00EE10BF: CloseHandle.KERNEL32(?,?,00EE11FC), ref: 00EE10E9

Strings

default, xrefs: 00EE130B
, xrefs: 00EE125A
winsta0, xrefs: 00EE12CC

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 856fc6050188c437fd0009e081919bbd04981192018428333c6ceefd45c2282e
Instruction ID: ae03c043973e2d6c4db039a10cde9aa4eaf90974f333e2c3619a81056cef361a
Opcode Fuzzy Hash: 856fc6050188c437fd0009e081919bbd04981192018428333c6ceefd45c2282e
Instruction Fuzzy Hash: 03819D7190028DAFDF219FA5DC49FEE7BB9EF08704F149169F920B62A0D7708984DB61

Function 00EE0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EE1114
Part of subcall function 00EE10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00EE0B9B,?,?,?), ref: 00EE1120
Part of subcall function 00EE10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00EE0B9B,?,?,?), ref: 00EE112F
Part of subcall function 00EE10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00EE0B9B,?,?,?), ref: 00EE1136
Part of subcall function 00EE10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EE114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00EE0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00EE0C00
GetLengthSid.ADVAPI32(?), ref: 00EE0C17
GetAce.ADVAPI32(?,00000000,?), ref: 00EE0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00EE0C6D
GetLengthSid.ADVAPI32(?), ref: 00EE0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00EE0C8C
HeapAlloc.KERNEL32(00000000), ref: 00EE0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00EE0CB4
CopySid.ADVAPI32(00000000), ref: 00EE0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00EE0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00EE0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00EE0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EE0D45
HeapFree.KERNEL32(00000000), ref: 00EE0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EE0D55
HeapFree.KERNEL32(00000000), ref: 00EE0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EE0D65
HeapFree.KERNEL32(00000000), ref: 00EE0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00EE0D78
HeapFree.KERNEL32(00000000), ref: 00EE0D7F

Part of subcall function 00EE1193: GetProcessHeap.KERNEL32(00000008,00EE0BB1,?,00000000,?,00EE0BB1,?), ref: 00EE11A1
Part of subcall function 00EE1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00EE0BB1,?), ref: 00EE11A8
Part of subcall function 00EE1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00EE0BB1,?), ref: 00EE11B7

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 1995b1140a89b59f5463be17c4eb62022f4c5b16b8462a2c371522e2b4760e8b
Instruction ID: be2ab79495d98e2c47f607b48b80bbf737f1498d4f6c8f8caf6d51ed91956c4b
Opcode Fuzzy Hash: 1995b1140a89b59f5463be17c4eb62022f4c5b16b8462a2c371522e2b4760e8b
Instruction Fuzzy Hash: C871777294024EAFDF10DFA6DC44BEEBBB8AF08304F158115E914F6291D7B5AA45CBA0

Function 00EFEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00F1CC08), ref: 00EFEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00EFEB37
GetClipboardData.USER32(0000000D), ref: 00EFEB43
CloseClipboard.USER32 ref: 00EFEB4F
GlobalLock.KERNEL32(00000000), ref: 00EFEB87
CloseClipboard.USER32 ref: 00EFEB91
GlobalUnlock.KERNEL32(00000000), ref: 00EFEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00EFEBC9
GetClipboardData.USER32(00000001), ref: 00EFEBD1
GlobalLock.KERNEL32(00000000), ref: 00EFEBE2
GlobalUnlock.KERNEL32(00000000), ref: 00EFEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00EFEC38
GetClipboardData.USER32(0000000F), ref: 00EFEC44
GlobalLock.KERNEL32(00000000), ref: 00EFEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00EFEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00EFEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00EFECD2
GlobalUnlock.KERNEL32(00000000), ref: 00EFECF3
CountClipboardFormats.USER32 ref: 00EFED14
CloseClipboard.USER32 ref: 00EFED59

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 121ee79edffe0212cded4040c945465c16eb7bcebf66d2de754f714565960703
Instruction ID: 9e1b3448ef11e20916e188f0aee668f65578004a5644456f536a0f3e09277a1f
Opcode Fuzzy Hash: 121ee79edffe0212cded4040c945465c16eb7bcebf66d2de754f714565960703
Instruction Fuzzy Hash: 0161D1342043099FD310EF24C884FBA77E4AF84708F15951DF55AA72A2DB31E905DBA2

Function 00EF698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00EF69BE
FindClose.KERNEL32(00000000), ref: 00EF6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EF6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EF6A75

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00EF6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00EF6ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00EF6B6A
%03d, xrefs: 00EF6DA2
%4d, xrefs: 00EF6BB1
%02d, xrefs: 00EF6C00, 00EF6C0A, 00EF6C5A, 00EF6CAA, 00EF6CFA, 00EF6D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00EF6B32

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 31150759839fe6d9335886d39a930826ece12d32eb5e98a173f9512d5c25a11a
Instruction ID: 7e3559e19b7767146a3885c46c01ae423b673c606282ae9e3ae8f76b0c1ae974
Opcode Fuzzy Hash: 31150759839fe6d9335886d39a930826ece12d32eb5e98a173f9512d5c25a11a
Instruction Fuzzy Hash: 07D15E72908304AFC714EBA0C891EBBB7ECAF98704F04591DF589E6191EB74DA44CB62

Function 00EF9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00EF9663
GetFileAttributesW.KERNEL32(?), ref: 00EF96A1
SetFileAttributesW.KERNEL32(?,?), ref: 00EF96BB
FindNextFileW.KERNEL32(00000000,?), ref: 00EF96D3
FindClose.KERNEL32(00000000), ref: 00EF96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00EF96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00EF974A
SetCurrentDirectoryW.KERNEL32(00F46B7C), ref: 00EF9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EF9772
FindClose.KERNEL32(00000000), ref: 00EF977F
FindClose.KERNEL32(00000000), ref: 00EF978F

Strings

*.*, xrefs: 00EF96F5

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: dc8b01e93705825d6520f4764b707fd5755359b043b55c2af7d2e44bd8d9b95f
Instruction ID: f07da18c1e3b13b682ad32f4d48238657ead9f0fbcc53e663bc42654d8a00457
Opcode Fuzzy Hash: dc8b01e93705825d6520f4764b707fd5755359b043b55c2af7d2e44bd8d9b95f
Instruction Fuzzy Hash: 8931F13258021D6BCB14AFB4DC08BEE37ACAF49325F118056FA54F20E1EB35DE409AA1

Function 00EF979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00EF97BE
FindNextFileW.KERNEL32(00000000,?), ref: 00EF9819
FindClose.KERNEL32(00000000), ref: 00EF9824
FindFirstFileW.KERNEL32(*.*,?), ref: 00EF9840
SetCurrentDirectoryW.KERNEL32(?), ref: 00EF9890
SetCurrentDirectoryW.KERNEL32(00F46B7C), ref: 00EF98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EF98B8
FindClose.KERNEL32(00000000), ref: 00EF98C5
FindClose.KERNEL32(00000000), ref: 00EF98D5

Part of subcall function 00EEDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00EEDB00

Strings

*.*, xrefs: 00EF983B

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 4833a210d43e8a5f0b3879539da3b380d5489029eeb4e03388d5646a6ab2bf4a
Instruction ID: b6d4cf9a320d0dd5594b0363b239bc004218f415f89594922c56aa97fa5b7f6c
Opcode Fuzzy Hash: 4833a210d43e8a5f0b3879539da3b380d5489029eeb4e03388d5646a6ab2bf4a
Instruction Fuzzy Hash: 5731033254029D6ADB18AFB4DC48BEE37AC9F4A364F108056F990F20A1DB31DE849B60

Function 00EF8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00EF8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00EF8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00EF8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EF8310
SetCurrentDirectoryW.KERNEL32(?), ref: 00EF8324
SetCurrentDirectoryW.KERNEL32(?), ref: 00EF8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00EF838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00EF8395

Strings

*.*, xrefs: 00EF839B

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: da7a21c86fd7d352316a034b1ff2c0ea71ef54170fdf9f320ffb0a8a97d8b26d
Instruction ID: e0435a21387a94a44464f2b5e164976c9bc7f8ff5d818a1d35c4d6672ae9930b
Opcode Fuzzy Hash: da7a21c86fd7d352316a034b1ff2c0ea71ef54170fdf9f320ffb0a8a97d8b26d
Instruction Fuzzy Hash: 1B616E725043499FD710EF60C8409AFB3E9FF89314F04991EFA99A7261DB31E945CB92

Function 00EED076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E83AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E83A97,?,?,00E82E7F,?,?,?,00000000), ref: 00E83AC2

Part of subcall function 00EEE199: GetFileAttributesW.KERNEL32(?,00EECF95), ref: 00EEE19A

FindFirstFileW.KERNEL32(?,?), ref: 00EED122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00EED1DD
MoveFileW.KERNEL32(?,?), ref: 00EED1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00EED20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EED237

Part of subcall function 00EED29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00EED21C,?,?), ref: 00EED2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00EED253
FindClose.KERNEL32(00000000), ref: 00EED264

Strings

\*.*, xrefs: 00EED0CD, 00EED0D6, 00EED0EB

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: d594b0e0fbfa88780329cc24b311433cbca0759574df421abefd613c8444a8dd
Instruction ID: 5f41002ea4d4dd1509c4d6c219ab7c6805489e6c73ced5c36a37658a91f0ab52
Opcode Fuzzy Hash: d594b0e0fbfa88780329cc24b311433cbca0759574df421abefd613c8444a8dd
Instruction Fuzzy Hash: 3661793180918D9BCF05EBE1DE829FDB7B5AF54304F249065E40A731A2EB316F09DB60

Function 00EFED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00EFED91
EmptyClipboard.USER32 ref: 00EFED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00EFEDAC
CloseClipboard.USER32 ref: 00EFEEA3

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: abef708485b1f9b8a420f0add5eeb85b271ee8165cad3db0b89e2cb543dbcb35
Instruction ID: 20cf7a5cfbbf7d0d70f2c5756d9e69e0442e8a6da95cbf3d2b58afeee70f21bb
Opcode Fuzzy Hash: abef708485b1f9b8a420f0add5eeb85b271ee8165cad3db0b89e2cb543dbcb35
Instruction Fuzzy Hash: CA41AB31204215AFE320DF25E888B69BBE1AF44318F15D099E559ABB72C736FC41DBD0

Function 00EEE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EE170D
Part of subcall function 00EE16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EE173A
Part of subcall function 00EE16C3: GetLastError.KERNEL32 ref: 00EE174A

ExitWindowsEx.USER32(?,00000000), ref: 00EEE932

Strings

SeShutdownPrivilege, xrefs: 00EEE902
@, xrefs: 00EEE925
, xrefs: 00EEE920
, xrefs: 00EEE95C

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 1730d38af81eeb2e2bd948742d5261513c54c1c67c1519f34ef6e4a7b84ec414
Instruction ID: c017533923f6ab3562377ae55df284e377a3055e16a9096791ddd8691d0b103e
Opcode Fuzzy Hash: 1730d38af81eeb2e2bd948742d5261513c54c1c67c1519f34ef6e4a7b84ec414
Instruction Fuzzy Hash: 9401267261025DABEB1462B6AC86FFB72DC9B44744F155461FC02F32D3E6A29C4491A0

Function 00F01204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00F01276
WSAGetLastError.WSOCK32 ref: 00F01283
bind.WSOCK32(00000000,?,00000010), ref: 00F012BA
WSAGetLastError.WSOCK32 ref: 00F012C5
closesocket.WSOCK32(00000000), ref: 00F012F4
listen.WSOCK32(00000000,00000005), ref: 00F01303
WSAGetLastError.WSOCK32 ref: 00F0130D
closesocket.WSOCK32(00000000), ref: 00F0133C

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 3f9d4ea21b84a1b7f467d127aefa06456ba8b2251d670db5f139d52194d641c2
Instruction ID: 6abee52d0251eb45ae38b02c1e7c170a83a879d5f788f781c2c28ca8dbf8e906
Opcode Fuzzy Hash: 3f9d4ea21b84a1b7f467d127aefa06456ba8b2251d670db5f139d52194d641c2
Instruction Fuzzy Hash: 01417271A001049FD710DF68C484B69BBE6BF46328F19819CE85A9F2D2C771ED81EBE1

Function 00EED3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E83AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E83A97,?,?,00E82E7F,?,?,?,00000000), ref: 00E83AC2

Part of subcall function 00EEE199: GetFileAttributesW.KERNEL32(?,00EECF95), ref: 00EEE19A

FindFirstFileW.KERNEL32(?,?), ref: 00EED420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00EED470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EED481
FindClose.KERNEL32(00000000), ref: 00EED498
FindClose.KERNEL32(00000000), ref: 00EED4A1

Strings

\*.*, xrefs: 00EED3F2

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 42e16697ae19414089b986e7123380a6e692db30e36ee8ef1c1c9d905789463e
Instruction ID: 51d283b23fc7306229d80379b280cd94e4ab2578799922a7e59c0b0242d0b751
Opcode Fuzzy Hash: 42e16697ae19414089b986e7123380a6e692db30e36ee8ef1c1c9d905789463e
Instruction Fuzzy Hash: 9F31703100C3899BC305FF64D8518EF77E8AEA1314F446A2DF4E9A3191EB30AA09D763

Function 00EBE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00EBE645

Strings

1#INF, xrefs: 00EBF852
1#QNAN, xrefs: 00EBF84B
1#IND, xrefs: 00EBF83D
1#SNAN, xrefs: 00EBF844

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: c2ee4bc664117fbbe9b732e329b8dcd05c20c79d0df2af2ed591a7258ac65abe
Instruction ID: 3785b77bba91a86b9d9bf3489ff9052c890031790b1f45412a9e32ad43939319
Opcode Fuzzy Hash: c2ee4bc664117fbbe9b732e329b8dcd05c20c79d0df2af2ed591a7258ac65abe
Instruction Fuzzy Hash: 6EC23972E086298FDB29CE28DD407EAB7B5EB49305F1451EAD84DF7241E774AE818F40

Function 00EF648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EF64DC
CoInitialize.OLE32(00000000), ref: 00EF6639
CoCreateInstance.OLE32(00F1FCF8,00000000,00000001,00F1FB68,?), ref: 00EF6650
CoUninitialize.OLE32 ref: 00EF68D4

Strings

.lnk, xrefs: 00EF64BA, 00EF6524, 00EF65E0

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 9566d42eecdafc81248f6bef985b47590c9151239b79a5d950c0b4c1d83d72ad
Instruction ID: a9ec2e64228b0a15f1cadd2d502bda30e02961624994ab82e8f664c27693be8b
Opcode Fuzzy Hash: 9566d42eecdafc81248f6bef985b47590c9151239b79a5d950c0b4c1d83d72ad
Instruction Fuzzy Hash: 18D16B71608305AFC304EF24C88196BB7E8FF95308F14596DF599AB292DB71ED05CB92

Function 00F022DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00F022E8

Part of subcall function 00EFE4EC: GetWindowRect.USER32(?,?), ref: 00EFE504

GetDesktopWindow.USER32 ref: 00F02312
GetWindowRect.USER32(00000000), ref: 00F02319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00F02355
GetCursorPos.USER32(?), ref: 00F02381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00F023DF

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 10fdd29d134368f3a1e0faf9c83b118d9b983eb30af3f8a755254409aca918f8
Instruction ID: e121a8c984f9ff1d007d5d804bfc35441f6b44c74e7b4e98e2e0315a046f0bc1
Opcode Fuzzy Hash: 10fdd29d134368f3a1e0faf9c83b118d9b983eb30af3f8a755254409aca918f8
Instruction Fuzzy Hash: 1D31C272504319AFD720DF55C849B9BBBEAFF84314F004919F985A7191DB34E908DBE2

Function 00EF9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00EF9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00EF9C8B

Part of subcall function 00EF3874: GetInputState.USER32 ref: 00EF38CB
Part of subcall function 00EF3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EF3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00EF9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00EF9C75

Strings

*.*, xrefs: 00EF9B5D

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 425f6430b880de2b839f95f4328b958d74dc8db519e797ca32b4d4418ceeeec3
Instruction ID: c221c77514fef94ffbf6b174d4cb5d265e9a709a6d1b89c36fa54d0562ae5a10
Opcode Fuzzy Hash: 425f6430b880de2b839f95f4328b958d74dc8db519e797ca32b4d4418ceeeec3
Instruction Fuzzy Hash: 04415E7194420E9BCF14EF64C845BEEBBF4EF05314F245055E959B2192EB319E84CFA1

Function 00E88060 Relevance: 8.7, Strings: 6, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00EC5DF0
ixcftuixc8tuixcftuixcftuixc7tuixc5tuixc0tuixc7tuixc3tuixc3tuixcctuixc0tuixcetuixc9tuixcbtuixc8tuixc0tuixc0tuixc0tuixc0tuixc0tuixc0, xrefs: 00E8839B, 00E883A6
VUUU, xrefs: 00E883E8
ERCP, xrefs: 00E8813C
VUUU, xrefs: 00E8843C
VUUU, xrefs: 00E883FA

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU$ixcftuixc8tuixcftuixcftuixc7tuixc5tuixc0tuixc7tuixc3tuixc3tuixcctuixc0tuixcetuixc9tuixcbtuixc8tuixc0tuixc0tuixc0tuixc0tuixc0tuixc0
API String ID: 0-2588434273
Opcode ID: 2d200e978b8de8b86d04c711091cc8074e930fd5491bdd7173f224d8d409e899
Instruction ID: c883a702ff3b46e730e0fd21acf26b3f7e1771f5ed32f6530f399d6801b94165
Opcode Fuzzy Hash: 2d200e978b8de8b86d04c711091cc8074e930fd5491bdd7173f224d8d409e899
Instruction Fuzzy Hash: FFA27E71A0061ACBDF24DF58CA40BEEB7B1BF54314F6491AADC19B7281EB319D82DB50

Function 00E9997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00E99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E99BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00E99A4E
GetSysColor.USER32(0000000F), ref: 00E99B23
SetBkColor.GDI32(?,00000000), ref: 00E99B36

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 525d5c49e10aa83a35507fd483f89490ae7f3ce5b48f1a6fea706e6961582acb
Instruction ID: 9316d78f3b546d21bb0b11813cfbb126ec829c74b8773d4da863e88bfce48416
Opcode Fuzzy Hash: 525d5c49e10aa83a35507fd483f89490ae7f3ce5b48f1a6fea706e6961582acb
Instruction Fuzzy Hash: 1CA12870108504BFEB289B2C8C58EFF369DEB42349B15210EF552F6793EA65DD42E272

Function 00F01806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F0304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00F0307A
Part of subcall function 00F0304E: _wcslen.LIBCMT ref: 00F0309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00F0185D
WSAGetLastError.WSOCK32 ref: 00F01884
bind.WSOCK32(00000000,?,00000010), ref: 00F018DB
WSAGetLastError.WSOCK32 ref: 00F018E6
closesocket.WSOCK32(00000000), ref: 00F01915

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 6f433edd84c2398d12ac1ce3d6a1b043fb0009abb500760e302bde49a32ce262
Instruction ID: b9cd8a232a19bb27a4843591ea0f5d07d953aab902752881edb4f6cf561ee0b6
Opcode Fuzzy Hash: 6f433edd84c2398d12ac1ce3d6a1b043fb0009abb500760e302bde49a32ce262
Instruction Fuzzy Hash: 75519171A40200AFEB10AF24C886F6A77E5AB45718F58C098FA596F2D3C771AD41DBA1

Function 00F11C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00F11CC0
IsWindowEnabled.USER32 ref: 00F11CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00F11CDB
IsIconic.USER32 ref: 00F11CE9
IsZoomed.USER32 ref: 00F11CF7

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 2f2fb696af3dbad703979c483d9af521bfbe175201e8c2bfcfcee40ef5b3cf2a
Instruction ID: 9541e190c4101ef1c9d533c8c2ff777879624f81539783d1fe679040370e3e45
Opcode Fuzzy Hash: 2f2fb696af3dbad703979c483d9af521bfbe175201e8c2bfcfcee40ef5b3cf2a
Instruction Fuzzy Hash: 0D21D631B802155FD7208F1AD844BDA7BE5FF85324B198058E9498B351CB71DC82EBD0

Function 00EA4CE8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00EB28E9,(,00EA4CBE,00000000,00F488B8,0000000C,00EA4E15,(,00000002,00000000,?,00EB28E9,00000003,00EB2DF7,?,?), ref: 00EA4D09
TerminateProcess.KERNEL32(00000000,?,00EB28E9,00000003,00EB2DF7,?,?,?,00EAE6D1,?,00F48A48,00000010,00E84F4A,?,?,00000000), ref: 00EA4D10
ExitProcess.KERNEL32 ref: 00EA4D22

Strings

(, xrefs: 00EA4CEA

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID: (
API String ID: 1703294689-2063206799
Opcode ID: 3d90856dc74c9d00fc399c1c3b7ed73c98fa235cba5bccbc1a8235030783c6fa
Instruction ID: c5a47610bc3bf693330f48a32b753aabe93f6e6693a0f044598becc8ce804ec7
Opcode Fuzzy Hash: 3d90856dc74c9d00fc399c1c3b7ed73c98fa235cba5bccbc1a8235030783c6fa
Instruction Fuzzy Hash: 34E046B1040108ABCF11AF24DD0AA883B69EB86785F018014FD14AA162CB75EE42EA80

Function 00F0A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00F0A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00F0A6BA

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

Process32NextW.KERNEL32(00000000,?), ref: 00F0A79C
CloseHandle.KERNEL32(00000000), ref: 00F0A7AB

Part of subcall function 00E9CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00EC3303,?), ref: 00E9CE8A

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: a47a78850c98d3057d12a211fd1612edb9b7954af9ae05155dfa58edd2d30055
Instruction ID: 7b146743f9bc791d617b12bde52b0f05e6d6f1af55e94e201a197a80dd9765ce
Opcode Fuzzy Hash: a47a78850c98d3057d12a211fd1612edb9b7954af9ae05155dfa58edd2d30055
Instruction Fuzzy Hash: 08518F71508300AFD714EF24C885E6BBBE8FF89754F04991DF589A7292EB30D904DB92

Function 00EEAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00EEAAAC
SetKeyboardState.USER32(00000080), ref: 00EEAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00EEAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00EEAB88

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 44455814dce26ff860e2c7d37a639c5197d7e6159d53009e9c9d090811ee20de
Instruction ID: c9723d0041a603ed385dd9f980320331274cc82ffbc0ce0a229642d320e528e6
Opcode Fuzzy Hash: 44455814dce26ff860e2c7d37a639c5197d7e6159d53009e9c9d090811ee20de
Instruction Fuzzy Hash: 98312A30A4028CAEFB348A66CC05BFA77E6AB54314F0C522EF185B61D1D375A985D7A2

Function 00EBBB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00EBBB7F

Part of subcall function 00EB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000), ref: 00EB29DE
Part of subcall function 00EB29C8: GetLastError.KERNEL32(00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000,00000000), ref: 00EB29F0

GetTimeZoneInformation.KERNEL32 ref: 00EBBB91
WideCharToMultiByte.KERNEL32(00000000,?,00F5121C,000000FF,?,0000003F,?,?), ref: 00EBBC09
WideCharToMultiByte.KERNEL32(00000000,?,00F51270,000000FF,?,0000003F,?,?,?,00F5121C,000000FF,?,0000003F,?,?), ref: 00EBBC36

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 56015b7c28deb701a20f3bcc0200420c0910740f90f7fc837f30c617ea965fb4
Instruction ID: eccb6559cb813640ce1923227aaec2aed45235af348abdbf997b40df93c43611
Opcode Fuzzy Hash: 56015b7c28deb701a20f3bcc0200420c0910740f90f7fc837f30c617ea965fb4
Instruction Fuzzy Hash: AC31C070944209EFCB10DF68DC809AEBBB8BF45310B14566AE150EB2A1D7B0AE41EB50

Function 00EFCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00EFCE89
GetLastError.KERNEL32(?,00000000), ref: 00EFCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00EFCEFE

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 763a683aae17e16754289925b9c9393efc21a869975b02376d398fd98b77ef5a
Instruction ID: 6d14b896b8c0dc6924b0392ef32e3b63cc536cba2f229f9a08d2a08b3eb77b00
Opcode Fuzzy Hash: 763a683aae17e16754289925b9c9393efc21a869975b02376d398fd98b77ef5a
Instruction Fuzzy Hash: CE21BD7164030D9BDB20CF65CA48BB6B7F8EF40318F30941EE646E2151E770EE049BA0

Function 00EE8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00EE82AA

Strings

|, xrefs: 00EE82DA
(, xrefs: 00EE82F0

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 1a2bd3279d770a7d999b6a1dc77e3ff75d1f7865c53d37a88112d4fab060d4fd
Instruction ID: cbe9c6409d12d672991cd77f7df0203cc33ec8a9eefd5259ab6d82fcae699fe2
Opcode Fuzzy Hash: 1a2bd3279d770a7d999b6a1dc77e3ff75d1f7865c53d37a88112d4fab060d4fd
Instruction Fuzzy Hash: 63324774A007459FCB28CF19C580AAAB7F0FF48714B15D56EE49AEB3A1EB70E941CB40

Function 00EF5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00EF5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00EF5D17
FindClose.KERNEL32(?), ref: 00EF5D5F

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: f4828c7b541407e2bb82b6eb01835744f9ab7afb1b0b424da6b0a9924b24ce96
Instruction ID: 98f5071b9f616d207d3fc691bbb1d8578282508f3d92f788d7a06e28fbf282d3
Opcode Fuzzy Hash: f4828c7b541407e2bb82b6eb01835744f9ab7afb1b0b424da6b0a9924b24ce96
Instruction Fuzzy Hash: C151BA35604A059FC704DF28C484AA6B7E4FF4A318F14955EEA5A9B3A1CB31ED00CBA1

Function 00EB2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00EB271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00EB2724
UnhandledExceptionFilter.KERNEL32(?), ref: 00EB2731

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: f918bafef36be527b0f005c0a452ef1acad2de2fc0cedefc074dd9dbeaeaef69
Instruction ID: 1c39e16b3e98c97b084ddc2f181aadb02aa3963e686fa382f22ec344eb06033c
Opcode Fuzzy Hash: f918bafef36be527b0f005c0a452ef1acad2de2fc0cedefc074dd9dbeaeaef69
Instruction Fuzzy Hash: 0631C47494122C9BCB21DF68DC887D9B7B8AF08310F5051EAE91CA6260EB309F858F44

Function 00EF51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EF51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00EF5238
SetErrorMode.KERNEL32(00000000), ref: 00EF52A1

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: de88d1498a6733c9b63c5ed1a9c045e26595c2e69966c9a844e332bd22dfe425
Instruction ID: 0dd49143572d1a0b9a4747a5135035c238f2eb0bac13de2618b8244564a28a58
Opcode Fuzzy Hash: de88d1498a6733c9b63c5ed1a9c045e26595c2e69966c9a844e332bd22dfe425
Instruction Fuzzy Hash: D3313E75A00518DFDB00DF54D884EADBBF5FF49318F198099E909AB362DB31E856CBA0

Function 00EE16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00E9FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00EA0668
Part of subcall function 00E9FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00EA0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EE170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EE173A
GetLastError.KERNEL32 ref: 00EE174A

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 1935d9b251b5871bacc6c056651a770d1255e0db6137dff1ea50044d929fe9c1
Instruction ID: 82051b837072e179718a16ba927e14fc19607ac1fc4ab202bc40ad9850895467
Opcode Fuzzy Hash: 1935d9b251b5871bacc6c056651a770d1255e0db6137dff1ea50044d929fe9c1
Instruction Fuzzy Hash: 1911C1B2410308AFD7189F54DC86EAAB7F9EB04714B20956EE056A7241EB70BC81CA60

Function 00EED5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00EED608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00EED645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00EED650

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 9485b91224298285cb38b90cc6a85e0d3ee7ae5d373eb91b52bac40fd75cb5dc
Instruction ID: 35c86952bf9042dcda955f22a179845d755c6252a7f5b1f624118eb2650fea03
Opcode Fuzzy Hash: 9485b91224298285cb38b90cc6a85e0d3ee7ae5d373eb91b52bac40fd75cb5dc
Instruction Fuzzy Hash: 54117CB1E45228BBDB108F95AC44FEFBBBCEB45B50F108111F914F7290C2704A018BE1

Function 00EE1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00EE168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00EE16A1
FreeSid.ADVAPI32(?), ref: 00EE16B1

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: d33b5b275e1a4f9072fbf452dac10a75df4a7ed521c720415280385d4e679849
Instruction ID: 14d552d19965e33dae89ec394d0e3eb4ab442e653d2ce850637209af871a3f6a
Opcode Fuzzy Hash: d33b5b275e1a4f9072fbf452dac10a75df4a7ed521c720415280385d4e679849
Instruction Fuzzy Hash: 0AF0F47199030DFBDB00DFE49C89EAEBBBCEB08604F5085A5E501E2181E774AA449A90

Function 00EDD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00EDD28C

Strings

X64, xrefs: 00EDD2A8

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: a0f853ff5b96f3478080f650d3bb88214ccc620ad334b0380b4bdaaf3b94a7ca
Instruction ID: 7b22138190abef8c32ea2f605a068f7d0993faed6343b88b38196f68f376a1b4
Opcode Fuzzy Hash: a0f853ff5b96f3478080f650d3bb88214ccc620ad334b0380b4bdaaf3b94a7ca
Instruction Fuzzy Hash: 38D0CAB480922DEACF94CBA0EC88DDAB3BCFB08345F105292F546F2100DB3096499F20

Function 00EACAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 1e71b40a1cfbb33dc88290d822204e8fc1b06e524a6539c2b7e37303f0407acc
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 47020A71E002199FDF14CFA9C9806ADFBF1EF49324F25916AD819FB280D731AA41CB94

Function 00EF68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00EF6918
FindClose.KERNEL32(00000000), ref: 00EF6961

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 089cd1df342759593fb9f1b9e588712875b8421327454854aabb51a6ce5cecfd
Instruction ID: 06ff71a191ac7afeeef5ce922fb1e2681fa90089c83643d492ecd9e289ec559e
Opcode Fuzzy Hash: 089cd1df342759593fb9f1b9e588712875b8421327454854aabb51a6ce5cecfd
Instruction Fuzzy Hash: DC11D0316042049FD710DF29D484A26BBE1FF85328F15C699E5699F2A2C770EC05CB90

Function 00EF37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00F04891,?,?,00000035,?), ref: 00EF37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00F04891,?,?,00000035,?), ref: 00EF37F4

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: cdafbc39ae490badc5cdcda63ab18d20084593eaa4d28738aba46dccbdc5819e
Instruction ID: 3e95d6a9a992053f6d6b30381b1808349b4dd7df1b5f1ed911586915181e3fd5
Opcode Fuzzy Hash: cdafbc39ae490badc5cdcda63ab18d20084593eaa4d28738aba46dccbdc5819e
Instruction Fuzzy Hash: 7FF0E5B070422C2AE72027769C4DFEB7AAEEFC5761F0001A6F609E22C1D9A09944C7F0

Function 00EEB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00EEB25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00EEB270

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 0d56755e0f50b2917cab9b5587f6b92d2ec1d005da504b4e4913aaeb5513e680
Instruction ID: 9d318b921a1419f40347280234ca1d3011c2524f6f0954bfc7ffd36fe0588e3d
Opcode Fuzzy Hash: 0d56755e0f50b2917cab9b5587f6b92d2ec1d005da504b4e4913aaeb5513e680
Instruction Fuzzy Hash: 94F01D7184428DABDB059FA1C805BEE7BB4FF08309F049009F955A51A1C77986119F94

Function 00EE10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00EE11FC), ref: 00EE10D4
CloseHandle.KERNEL32(?,?,00EE11FC), ref: 00EE10E9

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 5e755c1c002cacd39e10c4a9cf1ef79be204d74117102f4260016079a6c40cec
Instruction ID: cc54777f5b15d65292a4e57716aed9b3b1a865baff452651615c18f4a8f90c86
Opcode Fuzzy Hash: 5e755c1c002cacd39e10c4a9cf1ef79be204d74117102f4260016079a6c40cec
Instruction Fuzzy Hash: 3FE0BF72058614AFFB252B51FC05EB777E9EB04320F25D82DF5A5D04B1DB626C90EB50

Function 00E8CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00ED0C40

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 870c291054c2520f3d0f85bd4c8915bd20c7d13e78be74df7cbca26c61b60a92
Instruction ID: 50be15c066e839033dd1234602775ec8625569b1ad2a1fc7bcde6b634c900b88
Opcode Fuzzy Hash: 870c291054c2520f3d0f85bd4c8915bd20c7d13e78be74df7cbca26c61b60a92
Instruction Fuzzy Hash: B2326E709002189BDF14EF90D981BEDB7B5FF06308F28605AE90EBB291D775AD46CB61

Function 00EB676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00EB6766,?,?,00000008,?,?,00EBFEFE,00000000), ref: 00EB6998

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: bb9be40ae88e2e5908989610216440ab03b2d7afe8eb1cb01c883d573b16d636
Instruction ID: 356af82c5a5cc5dd723fe91474da706cce09f9e8fc79d7f940638158b911c00d
Opcode Fuzzy Hash: bb9be40ae88e2e5908989610216440ab03b2d7afe8eb1cb01c883d573b16d636
Instruction Fuzzy Hash: 2FB16E31510609DFDB19CF28C486BA67BE0FF45368F259658E899DF2A1C739D981CB40

Function 00E9B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00ED851F

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: f2567e3282913a43dc99c6325c6a67254825a5bfb2fba13839b088178a4dd2e8
Instruction ID: 461fc6031b69b7d6359308a73d0042447152a2710dc6f946b54e46fa53260d96
Opcode Fuzzy Hash: f2567e3282913a43dc99c6325c6a67254825a5bfb2fba13839b088178a4dd2e8
Instruction Fuzzy Hash: 81125C719002299BCF24CF58D9816EEB7F5FF48710F1491AAE849FB251EB309E81DB90

Function 00EFEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00EFEABD

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: f505187f4da11b7f395f0096eb797c8e349f9698e4ae1b0d2857c4266fd3d40f
Instruction ID: c66d2cf3b7a901e7e4c1a54ce98d7e4882b09cf31d3df63c818ac3fef088bdea
Opcode Fuzzy Hash: f505187f4da11b7f395f0096eb797c8e349f9698e4ae1b0d2857c4266fd3d40f
Instruction Fuzzy Hash: B5E01A312002089FD710EF59D804E9ABBE9AF997A4F009416FD4DE7361DA70A8408BA0

Function 00EA09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00EA03EE), ref: 00EA09DA

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4eab8b112c6a99fa05bc2ce36af79dd347f6b3e981549fcefe0c299c25921a4a
Instruction ID: ac866a93df09ee54d1d6616d06794de1e56d0242e63ae79d0facbfe78babb7a6
Opcode Fuzzy Hash: 4eab8b112c6a99fa05bc2ce36af79dd347f6b3e981549fcefe0c299c25921a4a
Instruction Fuzzy Hash:

Function 00EA781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00EA798B

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 96a4f67583ffa95e072c4ba21c3d865360fb2e5336c26c0cc0839c3537e35ae3
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: A051436260C6156ADB3CC5288D5A7BF67D99B8F308F18350AD8C2FF282C619FE45D352

Function 00EB6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f8b8f68ef44b8ffb5b897009495af20389a7ee8a3193c81c5c23216c696753e
Instruction ID: b2657488f37fc72974b64d1171bd9d6b8e3407b15ae251721ac4443f0a76bcba
Opcode Fuzzy Hash: 2f8b8f68ef44b8ffb5b897009495af20389a7ee8a3193c81c5c23216c696753e
Instruction Fuzzy Hash: 3B322222D29F014DD7739634CC22376A289AFB73C5F15E737E86AB5DA9EB28C4835100

Function 00E9CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb9bd739e36719f30ad77f53a632cd879de1a4e9d4f84d55df17b407266d3be2
Instruction ID: e563c62d3b35f5ac498ccafd9e4f4152f9168647154e5e7799246f89172f9f27
Opcode Fuzzy Hash: bb9bd739e36719f30ad77f53a632cd879de1a4e9d4f84d55df17b407266d3be2
Instruction Fuzzy Hash: E4320831A401078BCF24DA68C4906BDBBA1EB45388F38A967D95AFB391D230DD83DB41

Function 00E87920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 977964617864b263a55e65a5d13b8341fa2c89beaeb32e62eca5fbd8c68cce42
Instruction ID: 3769f9ca82d9bd39b7f6c1011459592abc1cb6bb4b817830e87be9c8e855a544
Opcode Fuzzy Hash: 977964617864b263a55e65a5d13b8341fa2c89beaeb32e62eca5fbd8c68cce42
Instruction Fuzzy Hash: 4222BE71A046099FDF14DF64C941AAEB3F2FF48304F246129E85AB7291EB36E951CB50

Function 00E891C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20400b1ebc79c5a2d7603b4d40308f1967bc0f56abf48a8093918fc070e5c0aa
Instruction ID: 758dc4e25ad4ef77c7a8b25ee8fae9e64468c43aa98ac37e0dce859e3b23b58b
Opcode Fuzzy Hash: 20400b1ebc79c5a2d7603b4d40308f1967bc0f56abf48a8093918fc070e5c0aa
Instruction Fuzzy Hash: 900282B0E00209EBDF14DF64D981BADB7F1FF54304F159169E81AAB391EB31AA11CB91

Function 00EB9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bd868e8557ec1ad01e8de25fb289feeafeba3b405a55bc679bb3a83aa03c912
Instruction ID: 2e0fd37f3c6e1cb234e9bf986eb39e293c6c3e16346c165de47c7cce0f86ba9c
Opcode Fuzzy Hash: 8bd868e8557ec1ad01e8de25fb289feeafeba3b405a55bc679bb3a83aa03c912
Instruction Fuzzy Hash: 20B12460D2AF444DC72396398831336B74CAFBB2C5F91D71BFC2674D22EB268A835140

Function 00EA1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 7af11f8247339c38701cee4ab28ad94b688b4f0bd6b4191e93dae62808d30367
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 209167722080E34ADB2D4639857407EFFE15A973B6B1A17DDD4F2EE1C1FE20A954D620

Function 00EA19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 9dd0e684476f1395a0f2d2ef844faf5ed375e3da0affb8a4aabbac401e676237
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 0891B4322090A34EDB2D427A857407EFFE14A973A6B1A17DDD4F2EE1C1FD24E554D620

Function 00EA7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c8f924fa14035ea9dc808f6acb6e84f64abafb6ee69225ae822a2ca312a4300
Instruction ID: 7aa9786640288d54b2e974fa75089aa5a464e4273d946f0ef71fccda3dc462de
Opcode Fuzzy Hash: 9c8f924fa14035ea9dc808f6acb6e84f64abafb6ee69225ae822a2ca312a4300
Instruction Fuzzy Hash: C26158B120870966DA34DA288D95BFF63D6DF8F708F143919E8C2FF281D611BE428365

Function 00EA7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f187afd4c7d570bfd0dc3580005d0877652f89a424ed931f68b4a47ebf2f1ed7
Instruction ID: d983c8e516a79ea74182eb3834417905e93937d0d34eb50336eaf2e2ab2a8403
Opcode Fuzzy Hash: f187afd4c7d570bfd0dc3580005d0877652f89a424ed931f68b4a47ebf2f1ed7
Instruction Fuzzy Hash: 2261577160870956DE38CA284DA5BBF23D4AF4F708F14795DE9C3FF281EA12BD428255

Function 00EA1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: e83a88d21180a7683f52268cc95f84444d19215dcd46a8c6faef8d4fdc4d84f9
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: FC8185326080A30DDB6D423A853407EFFE15A973A5B1A27DEE4F2DF1C1EE24E554E620

Function 01750478 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727069683.000000000174C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0174C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_174c000_nnn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 08f788a89c043e841a67db8c7d2839992e85bdc4e847fb314291b59decc0b049
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 1B41C471D1051CDBDF48CFADC991AAEFBF2AF88201F548299D516AB345D730AB41DB80

Function 00EF2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7bf723f9a3c92f3d16638302ff49e0a26796a1d8b33d6b3a1350720856ae0fa
Instruction ID: 8564b1720c0d8ef5fa79e731ae127ecdc18c36da3dff850a87b9d6aeee54dceb
Opcode Fuzzy Hash: f7bf723f9a3c92f3d16638302ff49e0a26796a1d8b33d6b3a1350720856ae0fa
Instruction Fuzzy Hash: 6A21E7323206158BDB28CF79C82367E73E5A764310F14862EE5A7D73D0DE39A904DB80

Function 00E9D063 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2279f33e6fc92b13980bfeb94ac58b6175621d3adc6e95f2a867b317778a5135
Instruction ID: c45181b31fd6ad21836f885c3b6c83bd4b38d521cb84f01a31c8deb5347d3d8c
Opcode Fuzzy Hash: 2279f33e6fc92b13980bfeb94ac58b6175621d3adc6e95f2a867b317778a5135
Instruction Fuzzy Hash: 2A11835208DFEBABDB4292B90CBE588BF70881602079847EFC5C446EC7EB8C405BD756

Function 01750368 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727069683.000000000174C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0174C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_174c000_nnn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 0a7976559691b72424d29560802fba7154afbc20398247121ffd7d7370da01fc
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 4A019278A11109EFCB84DF98C5909AEF7B5FF48310F208599EC19A7306D730AE51DB80

Function 01750308 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727069683.000000000174C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0174C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_174c000_nnn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 5527038ad8de5753a783f2c98c56f686d3116f5d8b95978b72810742df02c708
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: CF014278A01109EFCB84DF98C5909AEF7F5FB48310F208599ED19A7746D770AE41DB90

Function 0174ECE8 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727069683.000000000174C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0174C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_174c000_nnn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00F02ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00F02B30
DeleteObject.GDI32(00000000), ref: 00F02B43
DestroyWindow.USER32 ref: 00F02B52
GetDesktopWindow.USER32 ref: 00F02B6D
GetWindowRect.USER32(00000000), ref: 00F02B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00F02CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00F02CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F02CF8
GetClientRect.USER32(00000000,?), ref: 00F02D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00F02D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F02D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F02D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F02D80
GlobalLock.KERNEL32(00000000), ref: 00F02D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F02D98
GlobalUnlock.KERNEL32(00000000), ref: 00F02DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F02DA8
GlobalFree.KERNEL32(00000000), ref: 00F02DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F02DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00F1FC38,00000000), ref: 00F02DDB
GlobalFree.KERNEL32(00000000), ref: 00F02DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00F02E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00F02E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F02E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F0303F

Strings

AutoIt v3, xrefs: 00F02CF2
, xrefs: 00F02FC5
static, xrefs: 00F02D3A, 00F02E91
DISPLAY, xrefs: 00F02EA2

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: a36f4c915e468581435d8fefa2e60cb687bbfb3eb346ae3f51a2adeae56e084b
Instruction ID: a250e71c8861fde0a47e05e8562e92984947b408f334881c5c918d6e3217d701
Opcode Fuzzy Hash: a36f4c915e468581435d8fefa2e60cb687bbfb3eb346ae3f51a2adeae56e084b
Instruction Fuzzy Hash: 9A027F71940209AFDB14DF64CC89EAE7BB9FF49711F118158F919AB2A1C770ED01EBA0

Function 00F170D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00F1712F
GetSysColorBrush.USER32(0000000F), ref: 00F17160
GetSysColor.USER32(0000000F), ref: 00F1716C
SetBkColor.GDI32(?,000000FF), ref: 00F17186
SelectObject.GDI32(?,?), ref: 00F17195
InflateRect.USER32(?,000000FF,000000FF), ref: 00F171C0
GetSysColor.USER32(00000010), ref: 00F171C8
CreateSolidBrush.GDI32(00000000), ref: 00F171CF
FrameRect.USER32(?,?,00000000), ref: 00F171DE
DeleteObject.GDI32(00000000), ref: 00F171E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00F17230
FillRect.USER32(?,?,?), ref: 00F17262
GetWindowLongW.USER32(?,000000F0), ref: 00F17284

Part of subcall function 00F173E8: GetSysColor.USER32(00000012), ref: 00F17421
Part of subcall function 00F173E8: SetTextColor.GDI32(?,?), ref: 00F17425
Part of subcall function 00F173E8: GetSysColorBrush.USER32(0000000F), ref: 00F1743B
Part of subcall function 00F173E8: GetSysColor.USER32(0000000F), ref: 00F17446
Part of subcall function 00F173E8: GetSysColor.USER32(00000011), ref: 00F17463
Part of subcall function 00F173E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F17471
Part of subcall function 00F173E8: SelectObject.GDI32(?,00000000), ref: 00F17482
Part of subcall function 00F173E8: SetBkColor.GDI32(?,00000000), ref: 00F1748B
Part of subcall function 00F173E8: SelectObject.GDI32(?,?), ref: 00F17498
Part of subcall function 00F173E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00F174B7
Part of subcall function 00F173E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F174CE
Part of subcall function 00F173E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00F174DB

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: d19b9298f7c9dd9b9df66f2819596236b5d30f07210a4564e9e81fe1f50a9aad
Instruction ID: 1c635f4732394e9cf36632859ff69f17ddaedd6bce1edf8dff4818a195d6a58a
Opcode Fuzzy Hash: d19b9298f7c9dd9b9df66f2819596236b5d30f07210a4564e9e81fe1f50a9aad
Instruction Fuzzy Hash: 91A1BF72448305BFDB00AF60DC48A9B7BB9FB49320F144A19F966A61E0D730E940EF91

Function 00E98D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00E98E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00ED6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00ED6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00ED6F43

Part of subcall function 00E98F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E98BE8,?,00000000,?,?,?,?,00E98BBA,00000000,?), ref: 00E98FC5

SendMessageW.USER32(?,00001053), ref: 00ED6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00ED6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00ED6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00ED6FB7

Strings

0, xrefs: 00ED6DCF

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 0c0778d27c4d3ade43b56b73cccc335d7416e5d32d8429c26cf1f04b850cf22d
Instruction ID: ef9d22b2d2ec2fb79674b5a39713de829583835e297e91c10fef68dc207c7cff
Opcode Fuzzy Hash: 0c0778d27c4d3ade43b56b73cccc335d7416e5d32d8429c26cf1f04b850cf22d
Instruction Fuzzy Hash: C112CC30200205DFDB25CF24C954BAAB7F1FB49308F14A46AF599EB261CB31EC52EB91

Function 00F02711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00F0273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00F0286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00F028A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00F028B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00F02900
GetClientRect.USER32(00000000,?), ref: 00F0290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00F02955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00F02964
GetStockObject.GDI32(00000011), ref: 00F02974
SelectObject.GDI32(00000000,00000000), ref: 00F02978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00F02988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F02991
DeleteDC.GDI32(00000000), ref: 00F0299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00F029C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00F029DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00F02A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00F02A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00F02A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00F02A77
GetStockObject.GDI32(00000011), ref: 00F02A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00F02A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00F02A97

Strings

AutoIt v3, xrefs: 00F028F8
static, xrefs: 00F0294F, 00F02A71
DISPLAY, xrefs: 00F0295A
msctls_progress32, xrefs: 00F02A13

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 710e730317a7a86c3f7f4bda50593d30741d41f08bafe56d8b3ab89f73636b60
Instruction ID: eeacaa49f431ac5e5f6a97abb1aa40c1d309d62ee126e2c8ff683bc29d0066f1
Opcode Fuzzy Hash: 710e730317a7a86c3f7f4bda50593d30741d41f08bafe56d8b3ab89f73636b60
Instruction Fuzzy Hash: 50B14971A40219AFEB14DFA8CC49FAA7BA9FB48711F108115FA18E72D0D770ED40DBA0

Function 00EF4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EF4AED
GetDriveTypeW.KERNEL32(?,00F1CB68,?,\\.\,00F1CC08), ref: 00EF4BCA
SetErrorMode.KERNEL32(00000000,00F1CB68,?,\\.\,00F1CC08), ref: 00EF4D36

Strings

1394, xrefs: 00EF4C9F
Fixed, xrefs: 00EF4C09
Removable, xrefs: 00EF4C10, 00EF4C15
Virtual, xrefs: 00EF4CE5
iSCSI, xrefs: 00EF4CC2
Network, xrefs: 00EF4C02
\\.\, xrefs: 00EF4B3F
USB, xrefs: 00EF4CB4
SCSI, xrefs: 00EF4C8A
SSD, xrefs: 00EF4C4A
Unknown, xrefs: 00EF4BED, 00EF4C83
SATA, xrefs: 00EF4CD0
SAS, xrefs: 00EF4CC9
CDROM, xrefs: 00EF4BFB
RAID, xrefs: 00EF4CBB
SSA, xrefs: 00EF4CA6
PhysicalDrive, xrefs: 00EF4B76
MMC, xrefs: 00EF4CDE
RAMDisk, xrefs: 00EF4BF4
ATAPI, xrefs: 00EF4C91
ATA, xrefs: 00EF4C98
FileBackedVirtual, xrefs: 00EF4CEC
Fibre, xrefs: 00EF4CAD

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 77d61d0204948aedf09393397abd55602f46f34f152844d8f79e9c164c7695de
Instruction ID: a06b5a3b4c400a46b71bddafab982a0d7d8c78dde5699adfa1b86ea3e34ec21d
Opcode Fuzzy Hash: 77d61d0204948aedf09393397abd55602f46f34f152844d8f79e9c164c7695de
Instruction Fuzzy Hash: 7161E6B1A0520D9BDB04DF14C981ABABBB0AB45714B247015FE0AFB2D2DB36DD41EB53

Function 00F173E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00F17421
SetTextColor.GDI32(?,?), ref: 00F17425
GetSysColorBrush.USER32(0000000F), ref: 00F1743B
GetSysColor.USER32(0000000F), ref: 00F17446
CreateSolidBrush.GDI32(?), ref: 00F1744B
GetSysColor.USER32(00000011), ref: 00F17463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F17471
SelectObject.GDI32(?,00000000), ref: 00F17482
SetBkColor.GDI32(?,00000000), ref: 00F1748B
SelectObject.GDI32(?,?), ref: 00F17498
InflateRect.USER32(?,000000FF,000000FF), ref: 00F174B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F174CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00F174DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F1752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00F17554
InflateRect.USER32(?,000000FD,000000FD), ref: 00F17572
DrawFocusRect.USER32(?,?), ref: 00F1757D
GetSysColor.USER32(00000011), ref: 00F1758E
SetTextColor.GDI32(?,00000000), ref: 00F17596
DrawTextW.USER32(?,00F170F5,000000FF,?,00000000), ref: 00F175A8
SelectObject.GDI32(?,?), ref: 00F175BF
DeleteObject.GDI32(?), ref: 00F175CA
SelectObject.GDI32(?,?), ref: 00F175D0
DeleteObject.GDI32(?), ref: 00F175D5
SetTextColor.GDI32(?,?), ref: 00F175DB
SetBkColor.GDI32(?,?), ref: 00F175E5

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 4bc031b7976a0be69ec902bd96d35843a9319b8469c50caeae6aec92aafe2525
Instruction ID: cdbf0abcdbc58a3db01a3c73cd6e580fd89d9c71554e5a0c8d9377eaa3bf9345
Opcode Fuzzy Hash: 4bc031b7976a0be69ec902bd96d35843a9319b8469c50caeae6aec92aafe2525
Instruction Fuzzy Hash: F7615C72D44218BFDF019FA4DC49AEEBFB9EB08320F158115F915BB2A1D7719940EB90

Function 00F10FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00F11128
GetDesktopWindow.USER32 ref: 00F1113D
GetWindowRect.USER32(00000000), ref: 00F11144
GetWindowLongW.USER32(?,000000F0), ref: 00F11199
DestroyWindow.USER32(?), ref: 00F111B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00F111ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F1120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00F1121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00F11232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00F11245
IsWindowVisible.USER32(00000000), ref: 00F112A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00F112BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00F112D0
GetWindowRect.USER32(00000000,?), ref: 00F112E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00F1130E
GetMonitorInfoW.USER32(00000000,?), ref: 00F11328
CopyRect.USER32(?,?), ref: 00F1133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00F113AA

Strings

0, xrefs: 00F110D3
(, xrefs: 00F1131B
tooltips_class32, xrefs: 00F111E6

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 136dc6032fd23a209604891834b65777ad066a0e7a914529b770687c0e64b18f
Instruction ID: bf683c02e1915530f34a85d730cefe7ece555aa4914eada41d3c6e1539989696
Opcode Fuzzy Hash: 136dc6032fd23a209604891834b65777ad066a0e7a914529b770687c0e64b18f
Instruction Fuzzy Hash: 42B16F71A04341AFD714DF64C885BAABBE5FF88750F00891CFA9DAB2A1C771D844DB91

Function 00E98891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E98968
GetSystemMetrics.USER32(00000007), ref: 00E98970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E9899B
GetSystemMetrics.USER32(00000008), ref: 00E989A3
GetSystemMetrics.USER32(00000004), ref: 00E989C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00E989E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00E989F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00E98A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00E98A3C
GetClientRect.USER32(00000000,000000FF), ref: 00E98A5A
GetStockObject.GDI32(00000011), ref: 00E98A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00E98A81

Part of subcall function 00E9912D: GetCursorPos.USER32(?), ref: 00E99141
Part of subcall function 00E9912D: ScreenToClient.USER32(00000000,?), ref: 00E9915E
Part of subcall function 00E9912D: GetAsyncKeyState.USER32(00000001), ref: 00E99183
Part of subcall function 00E9912D: GetAsyncKeyState.USER32(00000002), ref: 00E9919D

SetTimer.USER32(00000000,00000000,00000028,00E990FC), ref: 00E98AA8

Strings

AutoIt v3 GUI, xrefs: 00E98A20

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 0f1df2212a7e09c2741a809d5b451cbd2be7c35e283e28c83050ada94472dfba
Instruction ID: 0f850a8c1a684748289678ea149977c8dfeb178d167652a6f66328da7dac70a2
Opcode Fuzzy Hash: 0f1df2212a7e09c2741a809d5b451cbd2be7c35e283e28c83050ada94472dfba
Instruction Fuzzy Hash: 73B18C31A402099FDF14DFA8CD45BEE3BB5FB48315F11522AFA15AB2A0DB74E841DB90

Function 00EE0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EE1114
Part of subcall function 00EE10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00EE0B9B,?,?,?), ref: 00EE1120
Part of subcall function 00EE10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00EE0B9B,?,?,?), ref: 00EE112F
Part of subcall function 00EE10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00EE0B9B,?,?,?), ref: 00EE1136
Part of subcall function 00EE10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EE114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00EE0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00EE0E29
GetLengthSid.ADVAPI32(?), ref: 00EE0E40
GetAce.ADVAPI32(?,00000000,?), ref: 00EE0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00EE0E96
GetLengthSid.ADVAPI32(?), ref: 00EE0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00EE0EB5
HeapAlloc.KERNEL32(00000000), ref: 00EE0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00EE0EDD
CopySid.ADVAPI32(00000000), ref: 00EE0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00EE0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00EE0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00EE0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EE0F6E
HeapFree.KERNEL32(00000000), ref: 00EE0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EE0F7E
HeapFree.KERNEL32(00000000), ref: 00EE0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EE0F8E
HeapFree.KERNEL32(00000000), ref: 00EE0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00EE0FA1
HeapFree.KERNEL32(00000000), ref: 00EE0FA8

Part of subcall function 00EE1193: GetProcessHeap.KERNEL32(00000008,00EE0BB1,?,00000000,?,00EE0BB1,?), ref: 00EE11A1
Part of subcall function 00EE1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00EE0BB1,?), ref: 00EE11A8
Part of subcall function 00EE1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00EE0BB1,?), ref: 00EE11B7

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 7fb8805db076c21629c5762cd0369cf183a2b548b8768f4bef1b22015ced24de
Instruction ID: aac8de64b3d74f253462dd9912c77dccc816422c4701a4393be23e2c033fa14e
Opcode Fuzzy Hash: 7fb8805db076c21629c5762cd0369cf183a2b548b8768f4bef1b22015ced24de
Instruction Fuzzy Hash: 72717B72A4024EABDF209FA6DC44BEEBBB8BF08304F058115F959F6191D7709E55CBA0

Function 00F0C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F0C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00F1CC08,00000000,?,00000000,?,?), ref: 00F0C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00F0C5A4
_wcslen.LIBCMT ref: 00F0C5F4
_wcslen.LIBCMT ref: 00F0C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00F0C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00F0C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00F0C84D
RegCloseKey.ADVAPI32(?), ref: 00F0C881
RegCloseKey.ADVAPI32(00000000), ref: 00F0C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00F0C960

Strings

REG_BINARY, xrefs: 00F0C913
REG_MULTI_SZ, xrefs: 00F0C6F5
REG_QWORD, xrefs: 00F0C8C3
REG_SZ, xrefs: 00F0C644
REG_EXPAND_SZ, xrefs: 00F0C5CD
REG_DWORD, xrefs: 00F0C804

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 4fafcc7824d02ea443e5377d352a558e35e44ffd85e2e44d4706fe1df4efbb7c
Instruction ID: 4576173ac8d5c82f432a0fc919ac9d5ecbe0f51ed466067f0081f925557769e4
Opcode Fuzzy Hash: 4fafcc7824d02ea443e5377d352a558e35e44ffd85e2e44d4706fe1df4efbb7c
Instruction Fuzzy Hash: 48126A356042019FD714EF14C881A2AB7E5FF88724F19895CF89EAB3A2DB31ED41DB91

Function 00F1091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00F109C6
_wcslen.LIBCMT ref: 00F10A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F10A54
_wcslen.LIBCMT ref: 00F10A8A
_wcslen.LIBCMT ref: 00F10B06
_wcslen.LIBCMT ref: 00F10B81

Part of subcall function 00E9F9F2: _wcslen.LIBCMT ref: 00E9F9FD

Part of subcall function 00EE2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00EE2BFA

Strings

GETSELECTED, xrefs: 00F10C4E
GETTEXT, xrefs: 00F10C97
COLLAPSE, xrefs: 00F10B01, 00F10B1C
SELECT, xrefs: 00F10D11
UNCHECK, xrefs: 00F10D3E
GETTOTALCOUNT, xrefs: 00F109F2, 00F10A17
CHECK, xrefs: 00F10A85, 00F10AA0
ISCHECKED, xrefs: 00F10CE1
EXISTS, xrefs: 00F10B7C, 00F10B97
GETITEMCOUNT, xrefs: 00F10C1E
EXPAND, xrefs: 00F10BF8

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 1814247841c76698b6ec4e36fe5b5bdcead8600fa57426e5eb5f8e825a94da50
Instruction ID: 56a5e9542fae7b6f196ab5b8e0680aed2d98f47f95d21df4f185352ba2d4894e
Opcode Fuzzy Hash: 1814247841c76698b6ec4e36fe5b5bdcead8600fa57426e5eb5f8e825a94da50
Instruction Fuzzy Hash: E7E1AD326083419FC714EF24C45096AB7E2BFD8314B14895CF89AAB3A2DB71EDC5DB91

Function 00F0C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F0B6AE,?,?), ref: 00F0C9B5
_wcslen.LIBCMT ref: 00F0C9F1
_wcslen.LIBCMT ref: 00F0CA68
_wcslen.LIBCMT ref: 00F0CA9E
_wcslen.LIBCMT ref: 00F0CAF9
_wcslen.LIBCMT ref: 00F0CB2F
_wcslen.LIBCMT ref: 00F0CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 00F0CA62, 00F0CA67
HKLM, xrefs: 00F0CA98, 00F0CA9D
HKU, xrefs: 00F0CBF0
HKCU, xrefs: 00F0CBCE
HKCC, xrefs: 00F0CBAC
HKCR, xrefs: 00F0CB29, 00F0CB2E
HKEY_CLASSES_ROOT, xrefs: 00F0CAF3, 00F0CAF8
HKEY_CURRENT_USER, xrefs: 00F0CBBD
HKEY_USERS, xrefs: 00F0CBDF
HKEY_CURRENT_CONFIG, xrefs: 00F0CB79, 00F0CB7E

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: a6bfcf23fa3613b266022ace5067df7b650e789528ea652c131c2f048a91137a
Instruction ID: c9f651fdb2e4794d7d0f69c3b3ba2478a3a07fa7546187f49953fba17498f485
Opcode Fuzzy Hash: a6bfcf23fa3613b266022ace5067df7b650e789528ea652c131c2f048a91137a
Instruction Fuzzy Hash: D5710473A0016A8BCB20EF6CCC516BB3791ABA1760B654724FC56AB2C5E734DD44B3E0

Function 00F1833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F1835A
_wcslen.LIBCMT ref: 00F1836E
_wcslen.LIBCMT ref: 00F18391
_wcslen.LIBCMT ref: 00F183B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00F183F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00F1361A,?), ref: 00F1844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F18487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00F184CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F18501
FreeLibrary.KERNEL32(?), ref: 00F1850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F1851D
DestroyIcon.USER32(?), ref: 00F1852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00F18549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00F18555

Strings

.exe, xrefs: 00F18388
.dll, xrefs: 00F183AB
.icl, xrefs: 00F18368

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: b6eb51a06825f529ea9bfdca1013c5e2a4963368870fd17ec9971c04d9588583
Instruction ID: 832693c603a1e862b37c3ff45812b26cb7c56d2d79c5642f6ce0c477bc356519
Opcode Fuzzy Hash: b6eb51a06825f529ea9bfdca1013c5e2a4963368870fd17ec9971c04d9588583
Instruction Fuzzy Hash: 1A61D171940209BAEB14DF64CD41BFE77A8FF48761F108609F815EA0D1DFB4A991E7A0

Function 00E87778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

', xrefs: 00EC5169
#notrayicon, xrefs: 00E877E7
#OnAutoItStartRegister, xrefs: 00E87817
Cannot parse #include, xrefs: 00EC5279
Bad directive syntax error, xrefs: 00EC519A
#pragma compile, xrefs: 00E877D3
#cs, xrefs: 00E87873, 00E878C5
#requireadmin, xrefs: 00E877FF
#comments-start, xrefs: 00E8785F, 00E878B1
#comments-end, xrefs: 00E878D9
Unterminated group of comments, xrefs: 00EC528C
#include, xrefs: 00E87847
", xrefs: 00EC5153
#include-once, xrefs: 00E8782F
#ce, xrefs: 00E878ED

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 331647051a6af73314e381cce07a79c2dd9e7e596863c61a80fb885bc48a124d
Instruction ID: 0dd8919f1db7979dcd660e1e2706312f124f963039a23bf3363d85203c6849c2
Opcode Fuzzy Hash: 331647051a6af73314e381cce07a79c2dd9e7e596863c61a80fb885bc48a124d
Instruction Fuzzy Hash: 9281F271A44605ABDB20BF60CD42FEE77F8AF15300F146029F84CBA196EB72E951D7A1

Function 00EF3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00EF3EF8
_wcslen.LIBCMT ref: 00EF3F03
_wcslen.LIBCMT ref: 00EF3F5A
_wcslen.LIBCMT ref: 00EF3F98
GetDriveTypeW.KERNEL32(?), ref: 00EF3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EF401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EF4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EF4087

Strings

set cd door , xrefs: 00EF4028
type cdaudio alias cd wait, xrefs: 00EF4001
wait, xrefs: 00EF4044
close cd wait, xrefs: 00EF4072
closed, xrefs: 00EF3F08, 00EF3F2D, 00EF3F46, 00EF3F7E, 00EF3F97
close, xrefs: 00EF3EFE, 00EF3F18
open , xrefs: 00EF3FE5
open, xrefs: 00EF3F54, 00EF3F59

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: fbdb9541488c651befb48f0851d2588aa0c7c29833694a235fe16a501b134b48
Instruction ID: 607196999970730444681aecae85de1b6d958f4d4471371eef7ab22bb52980d7
Opcode Fuzzy Hash: fbdb9541488c651befb48f0851d2588aa0c7c29833694a235fe16a501b134b48
Instruction Fuzzy Hash: F37190726042069FC310EF34C8818BBB7E4EF95758F10592DFA99A7291EB31DE45CB52

Function 00EE5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00EE5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00EE5A40
SetWindowTextW.USER32(?,?), ref: 00EE5A57
GetDlgItem.USER32(?,000003EA), ref: 00EE5A6C
SetWindowTextW.USER32(00000000,?), ref: 00EE5A72
GetDlgItem.USER32(?,000003E9), ref: 00EE5A82
SetWindowTextW.USER32(00000000,?), ref: 00EE5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00EE5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00EE5AC3
GetWindowRect.USER32(?,?), ref: 00EE5ACC
_wcslen.LIBCMT ref: 00EE5B33
SetWindowTextW.USER32(?,?), ref: 00EE5B6F
GetDesktopWindow.USER32 ref: 00EE5B75
GetWindowRect.USER32(00000000), ref: 00EE5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00EE5BD3
GetClientRect.USER32(?,?), ref: 00EE5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00EE5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00EE5C2F

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: b14a00c3c9758462aae766fcb85f2f76efd90b0da5ceba728699d9041f52c647
Instruction ID: 4dd6764e77ca8b2561ac5130962f2b1dcfeaa62bcfa0f5c5fa60e6fc6a59e4aa
Opcode Fuzzy Hash: b14a00c3c9758462aae766fcb85f2f76efd90b0da5ceba728699d9041f52c647
Instruction Fuzzy Hash: 37717C32900B49AFDB20DFA9CE85AAEBBF5FF48708F105518E146B35A0D775E940DB50

Function 00EA00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00EA00C6

Part of subcall function 00EA00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00F5070C,00000FA0,5ECDC24C,?,?,?,?,00EC23B3,000000FF), ref: 00EA011C
Part of subcall function 00EA00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00EC23B3,000000FF), ref: 00EA0127
Part of subcall function 00EA00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00EC23B3,000000FF), ref: 00EA0138
Part of subcall function 00EA00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00EA014E
Part of subcall function 00EA00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00EA015C
Part of subcall function 00EA00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00EA016A
Part of subcall function 00EA00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00EA0195
Part of subcall function 00EA00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00EA01A0

___scrt_fastfail.LIBCMT ref: 00EA00E7

Part of subcall function 00EA00A3: __onexit.LIBCMT ref: 00EA00A9

Strings

kernel32.dll, xrefs: 00EA0133
WakeAllConditionVariable, xrefs: 00EA0162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00EA0122
SleepConditionVariableCS, xrefs: 00EA0154
InitializeConditionVariable, xrefs: 00EA0148

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 53ace4fe6217860530e074f69ac18997f2d12ae959375877db81533d1fde4654
Instruction ID: edc2012803edf273d4f751db3280fdd1f84e65f8e0e1db0d74293c126e911e57
Opcode Fuzzy Hash: 53ace4fe6217860530e074f69ac18997f2d12ae959375877db81533d1fde4654
Instruction Fuzzy Hash: 7B212632A857156BE7105B64BC46BEA37E4EB0EB61F01512AFD01FB291DF60E800AA91

Function 00EE30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EE318D
_wcslen.LIBCMT ref: 00EE31F8

Strings

TEXT, xrefs: 00EE347C
CLASSNN, xrefs: 00EE31F3, 00EE3204
CLASS, xrefs: 00EE3188, 00EE31A5
REGEXPCLASS, xrefs: 00EE3255, 00EE3266
NAME, xrefs: 00EE3335, 00EE3346
INSTANCE, xrefs: 00EE3453

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 72a0dad7c4805bf0e857dcb67ea7c69a7e5fb29656d218b1d8740e377e35dcff
Instruction ID: 0666854599ba77fa66e6620aa9160e5e1763e9284115f90b109af9fe1e1d8280
Opcode Fuzzy Hash: 72a0dad7c4805bf0e857dcb67ea7c69a7e5fb29656d218b1d8740e377e35dcff
Instruction Fuzzy Hash: 5EE13A31A0055AABCB18DFB5C449BEEFBB0FF44714F54A129E466F7281DB30AE858790

Function 00EF44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00F1CC08), ref: 00EF4527
_wcslen.LIBCMT ref: 00EF453B
_wcslen.LIBCMT ref: 00EF4599
_wcslen.LIBCMT ref: 00EF45F4
_wcslen.LIBCMT ref: 00EF463F
_wcslen.LIBCMT ref: 00EF46A7

Part of subcall function 00E9F9F2: _wcslen.LIBCMT ref: 00E9F9FD

GetDriveTypeW.KERNEL32(?,00F46BF0,00000061), ref: 00EF4743

Strings

unknown, xrefs: 00EF4708
fixed, xrefs: 00EF4635, 00EF463A
all, xrefs: 00EF4531, 00EF4536
network, xrefs: 00EF469D, 00EF46A2
removable, xrefs: 00EF45EA, 00EF45EF
ramdisk, xrefs: 00EF46F1
cdrom, xrefs: 00EF458F, 00EF4594

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: ffc1eaa3d1c701c7f5832859676886974c0218f7e27ba343bb395188a74b2ce7
Instruction ID: 0796e59135ab7fbe18b9f646085574d58d1b7f7dd6aac9c0063d99ada643b2af
Opcode Fuzzy Hash: ffc1eaa3d1c701c7f5832859676886974c0218f7e27ba343bb395188a74b2ce7
Instruction Fuzzy Hash: 04B123B16083069BC710EF28C89097BB7E4AFD6724F50691DF69AE72D1D730D944CB52

Function 00F0AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F0B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F0B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F0B1D4
_wcslen.LIBCMT ref: 00F0B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F0B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F0B236
_wcslen.LIBCMT ref: 00F0B332

Part of subcall function 00EF05A7: GetStdHandle.KERNEL32(000000F6), ref: 00EF05C6

_wcslen.LIBCMT ref: 00F0B34B
_wcslen.LIBCMT ref: 00F0B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F0B3B6
GetLastError.KERNEL32(00000000), ref: 00F0B407
CloseHandle.KERNEL32(?), ref: 00F0B439
CloseHandle.KERNEL32(00000000), ref: 00F0B44A
CloseHandle.KERNEL32(00000000), ref: 00F0B45C
CloseHandle.KERNEL32(00000000), ref: 00F0B46E
CloseHandle.KERNEL32(?), ref: 00F0B4E3

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 3e5996d8bb41d1d7d8866402ba710a0e092427d68364b738e6a6cded769546ec
Instruction ID: f97f58c3ad29e7062be0653d74edceb421c98e1de1c5ee726c0ea5451b242c5f
Opcode Fuzzy Hash: 3e5996d8bb41d1d7d8866402ba710a0e092427d68364b738e6a6cded769546ec
Instruction Fuzzy Hash: 92F1A071A043409FC715EF24C881B6EBBE5AF85724F14855DF8999B2E2DB31EC40EB52

Function 00E8326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00F51990), ref: 00EC2F8D
GetMenuItemCount.USER32(00F51990), ref: 00EC303D
GetCursorPos.USER32(?), ref: 00EC3081
SetForegroundWindow.USER32(00000000), ref: 00EC308A
TrackPopupMenuEx.USER32(00F51990,00000000,?,00000000,00000000,00000000), ref: 00EC309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00EC30A9

Strings

0, xrefs: 00E8327D

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: cf9ef4a5ddaeedd4d5bc60e354806213126cdaab65a4391fb1eb1e1b806d455b
Instruction ID: 7361cdbfdab9a4f5a182631032c92c89dd92f5b655ad84c545f429f38a346883
Opcode Fuzzy Hash: cf9ef4a5ddaeedd4d5bc60e354806213126cdaab65a4391fb1eb1e1b806d455b
Instruction Fuzzy Hash: CC711A71644249BEEB219F28CD49FDABF69FF05724F20421EF618761E0C7B2A911D790

Function 00F16CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00F16DEB

Part of subcall function 00E86B57: _wcslen.LIBCMT ref: 00E86B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00F16E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00F16E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F16E94
DestroyWindow.USER32(?), ref: 00F16EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00E80000,00000000), ref: 00F16EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F16EFD
GetDesktopWindow.USER32 ref: 00F16F16
GetWindowRect.USER32(00000000), ref: 00F16F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00F16F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00F16F4D

Part of subcall function 00E99944: GetWindowLongW.USER32(?,000000EB), ref: 00E99952

Strings

tooltips_class32, xrefs: 00F16E58, 00F16EDD
0, xrefs: 00F16D98

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: f5f8fff5b03ec2770cf1c28c205b3ee45d89be793f0a941a65f42691b08f61d3
Instruction ID: 409871da581dc3a9bfe09e268741608a3a00f4c48861acb16e96ef4318a9ed97
Opcode Fuzzy Hash: f5f8fff5b03ec2770cf1c28c205b3ee45d89be793f0a941a65f42691b08f61d3
Instruction Fuzzy Hash: 3D718670644348AFEB21CF18D848BAABBE9FB88314F04451DF999C7260D770E946EF52

Function 00F1911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E99BB2

DragQueryPoint.SHELL32(?,?), ref: 00F19147

Part of subcall function 00F17674: ClientToScreen.USER32(?,?), ref: 00F1769A
Part of subcall function 00F17674: GetWindowRect.USER32(?,?), ref: 00F17710
Part of subcall function 00F17674: PtInRect.USER32(?,?,00F18B89), ref: 00F17720

SendMessageW.USER32(?,000000B0,?,?), ref: 00F191B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00F191BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00F191DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00F19225
SendMessageW.USER32(?,000000B0,?,?), ref: 00F1923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00F19255
SendMessageW.USER32(?,000000B1,?,?), ref: 00F19277
DragFinish.SHELL32(?), ref: 00F1927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00F19371

Strings

@GUI_DRAGFILE, xrefs: 00F19320
@GUI_DRAGID, xrefs: 00F192E9
@GUI_DROPID, xrefs: 00F1929E

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 86a8d7225b311414213eb48c5a241c135d50049f7ffe9eb78d430a8fc035c675
Instruction ID: ccf13c29ba4d2d31158e7f46158bbc40577a65b1722473807741359a2a2d89ce
Opcode Fuzzy Hash: 86a8d7225b311414213eb48c5a241c135d50049f7ffe9eb78d430a8fc035c675
Instruction Fuzzy Hash: 8861AC71108305AFD701EF60DC95DAFBBE8EF89350F04092EF599A31A1DB709A48DB92

Function 00EFC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EFC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00EFC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00EFC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00EFC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00EFC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00EFC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EFC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00EFC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00EFC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00EFC5F0
InternetCloseHandle.WININET(00000000), ref: 00EFC5FB

Strings

, xrefs: 00EFC575

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 3701b00c0b4566cf30dc16632df2c6fd8cb2dd9e3d0b8dfde94c6e200c534439
Instruction ID: 554f4cdda617792b0b815191ee9674bf7b7be9d0792175788398363035f4bb04
Opcode Fuzzy Hash: 3701b00c0b4566cf30dc16632df2c6fd8cb2dd9e3d0b8dfde94c6e200c534439
Instruction Fuzzy Hash: 84514EB154020DBFDB218F60CA48ABB7BFCFF08758F209419FA45A6150DB74E944EBA0

Function 00F1856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00F18592
GetFileSize.KERNEL32(00000000,00000000), ref: 00F185A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00F185AD
CloseHandle.KERNEL32(00000000), ref: 00F185BA
GlobalLock.KERNEL32(00000000), ref: 00F185C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00F185D7
GlobalUnlock.KERNEL32(00000000), ref: 00F185E0
CloseHandle.KERNEL32(00000000), ref: 00F185E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00F185F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,00F1FC38,?), ref: 00F18611
GlobalFree.KERNEL32(00000000), ref: 00F18621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00F18641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00F18671
DeleteObject.GDI32(00000000), ref: 00F18699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00F186AF

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: fe4dde5608e8a9a3b1793f742cd0d14f0c14d659eb5abf9ad098fb9ddef6a7e5
Instruction ID: df1dde1c9ccefc2827b136aaf460e4c568556cf94e43706bdea0295a116ba91a
Opcode Fuzzy Hash: fe4dde5608e8a9a3b1793f742cd0d14f0c14d659eb5abf9ad098fb9ddef6a7e5
Instruction Fuzzy Hash: 42413971640208AFDB118FA5CD48EEA7BB9EF89761F158058F909E7260DB309D41EB60

Function 00EF14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00EF1502
VariantCopy.OLEAUT32(?,?), ref: 00EF150B
VariantClear.OLEAUT32(?), ref: 00EF1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00EF15FB
VarR8FromDec.OLEAUT32(?,?), ref: 00EF1657
VariantInit.OLEAUT32(?), ref: 00EF1708
SysFreeString.OLEAUT32(?), ref: 00EF178C
VariantClear.OLEAUT32(?), ref: 00EF17D8
VariantClear.OLEAUT32(?), ref: 00EF17E7
VariantInit.OLEAUT32(00000000), ref: 00EF1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00EF1625
Default, xrefs: 00EF16AF

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 4882c0b1afecb6c3c48fc43c7c8d8aa1eb5e1512401030b22fe64ade6a788dac
Instruction ID: aa88a01a2d0c7a1d62eaedd215342d4a3250c2a361726398768639696b2c0b8b
Opcode Fuzzy Hash: 4882c0b1afecb6c3c48fc43c7c8d8aa1eb5e1512401030b22fe64ade6a788dac
Instruction Fuzzy Hash: 30D1D031A0421DDBDF04AF65D885BB9B7F6BF45700F14909AEA4ABB181DB30DC41DBA2

Function 00F0B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

Part of subcall function 00F0C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F0B6AE,?,?), ref: 00F0C9B5
Part of subcall function 00F0C998: _wcslen.LIBCMT ref: 00F0C9F1
Part of subcall function 00F0C998: _wcslen.LIBCMT ref: 00F0CA68
Part of subcall function 00F0C998: _wcslen.LIBCMT ref: 00F0CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F0B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F0B772
RegDeleteValueW.ADVAPI32(?,?), ref: 00F0B80A
RegCloseKey.ADVAPI32(?), ref: 00F0B87E
RegCloseKey.ADVAPI32(?), ref: 00F0B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00F0B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F0B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00F0B922
FreeLibrary.KERNEL32(00000000), ref: 00F0B983
RegCloseKey.ADVAPI32(00000000), ref: 00F0B994

Strings

RegDeleteKeyExW, xrefs: 00F0B8FE
advapi32.dll, xrefs: 00F0B8ED

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 380dfeb00884f15c0eefd92785894764198e03b47ab7a9698f0a8b3bc5a02651
Instruction ID: bf7c59b1931484d0ce6533eef08b60179bda2e1d0d3beb64579ce846fd28b8a1
Opcode Fuzzy Hash: 380dfeb00884f15c0eefd92785894764198e03b47ab7a9698f0a8b3bc5a02651
Instruction Fuzzy Hash: 41C1AD31608201AFD714DF14C494F2ABBE5FF84318F18859CF59A9B2A2CB75EC46EB91

Function 00F0255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00F025D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00F025E8
CreateCompatibleDC.GDI32(?), ref: 00F025F4
SelectObject.GDI32(00000000,?), ref: 00F02601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00F0266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00F026AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00F026D0
SelectObject.GDI32(?,?), ref: 00F026D8
DeleteObject.GDI32(?), ref: 00F026E1
DeleteDC.GDI32(?), ref: 00F026E8
ReleaseDC.USER32(00000000,?), ref: 00F026F3

Strings

(, xrefs: 00F0268D

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 3381684c9bde3116be3e2d6f1f3b1c02b252aa043f674ebf946f874dee52e33c
Instruction ID: e75d547ca76ecbb5ab1cc844e2a3ef0161dcc3ea0be15a3cceb5056602503c70
Opcode Fuzzy Hash: 3381684c9bde3116be3e2d6f1f3b1c02b252aa043f674ebf946f874dee52e33c
Instruction Fuzzy Hash: FE61D275D00219EFCF04CFA4DC84AAEBBB5FF48310F248529E959A7250D775A941EFA0

Function 00EBDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00EBDAA1

Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD659
Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD66B
Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD67D
Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD68F
Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD6A1
Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD6B3
Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD6C5
Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD6D7
Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD6E9
Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD6FB
Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD70D
Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD71F
Part of subcall function 00EBD63C: _free.LIBCMT ref: 00EBD731

_free.LIBCMT ref: 00EBDA96

Part of subcall function 00EB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000), ref: 00EB29DE
Part of subcall function 00EB29C8: GetLastError.KERNEL32(00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000,00000000), ref: 00EB29F0

_free.LIBCMT ref: 00EBDAB8
_free.LIBCMT ref: 00EBDACD
_free.LIBCMT ref: 00EBDAD8
_free.LIBCMT ref: 00EBDAFA
_free.LIBCMT ref: 00EBDB0D
_free.LIBCMT ref: 00EBDB1B
_free.LIBCMT ref: 00EBDB26
_free.LIBCMT ref: 00EBDB5E
_free.LIBCMT ref: 00EBDB65
_free.LIBCMT ref: 00EBDB82
_free.LIBCMT ref: 00EBDB9A

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: a1ae2dd21dbbea5f58c9de608ef49d8bbfd0451138eb8444615682589a741f73
Instruction ID: cb69b2dff3487c4c8bb0b8f9fdab21ffc1bf143fee6eb52e029d5616423c5323
Opcode Fuzzy Hash: a1ae2dd21dbbea5f58c9de608ef49d8bbfd0451138eb8444615682589a741f73
Instruction Fuzzy Hash: A3316D31608704AFEB22AA38EC85BD7B7E8FF40314F156819E548F7191EF31AC408720

Function 00EE365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00EE369C
_wcslen.LIBCMT ref: 00EE36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00EE3797
GetClassNameW.USER32(?,?,00000400), ref: 00EE380C
GetDlgCtrlID.USER32(?), ref: 00EE385D
GetWindowRect.USER32(?,?), ref: 00EE3882
GetParent.USER32(?), ref: 00EE38A0
ScreenToClient.USER32(00000000), ref: 00EE38A7
GetClassNameW.USER32(?,?,00000100), ref: 00EE3921
GetWindowTextW.USER32(?,?,00000400), ref: 00EE395D

Strings

%s%u, xrefs: 00EE3734

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 1124c6e0e070bf42526acf04fbb3c01b12fd157a582279497c29bb0474498b81
Instruction ID: 589c05424b8c5bddd15046319e1e904b205b1b2150225e07af058e09cc2a6f54
Opcode Fuzzy Hash: 1124c6e0e070bf42526acf04fbb3c01b12fd157a582279497c29bb0474498b81
Instruction Fuzzy Hash: 9B91D27120064AAFD708DF36C889BEAB7E8FF84314F009519F999E3191DB31EA45CB91

Function 00EE4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00EE4994
GetWindowTextW.USER32(?,?,00000400), ref: 00EE49DA
_wcslen.LIBCMT ref: 00EE49EB
CharUpperBuffW.USER32(?,00000000), ref: 00EE49F7
_wcsstr.LIBVCRUNTIME ref: 00EE4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00EE4A64
GetWindowTextW.USER32(?,?,00000400), ref: 00EE4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00EE4AE6
GetClassNameW.USER32(?,?,00000400), ref: 00EE4B20
GetWindowRect.USER32(?,?), ref: 00EE4B8B

Strings

ThumbnailClass, xrefs: 00EE4A6F, 00EE4AF1

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: ad005fb8d370309149c6a39ff88c2d2da16a06dbc29b37a5abda447dd0229bfd
Instruction ID: 3dade7433127bb047e73be435848defe56e682f6496fb588042019fc0048216d
Opcode Fuzzy Hash: ad005fb8d370309149c6a39ff88c2d2da16a06dbc29b37a5abda447dd0229bfd
Instruction Fuzzy Hash: 6391A4B10042499FDB04DF16C985BAA77E8FF84318F049469FD89AA0D6EB34ED45CBA1

Function 00F0CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00F0CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00F0CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00F0CD48

Part of subcall function 00F0CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00F0CCAA
Part of subcall function 00F0CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00F0CCBD
Part of subcall function 00F0CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F0CCCF
Part of subcall function 00F0CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00F0CD05
Part of subcall function 00F0CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00F0CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00F0CCF3

Strings

RegDeleteKeyExW, xrefs: 00F0CCC9
advapi32.dll, xrefs: 00F0CCB8

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 43de736e869db5f6004937be9ec32e5b52aaee046e60cf14eb08faef8a683a21
Instruction ID: 06d76154d3b4cf39562af43eff1b00df2cef3b748ba71819da497c0b52b6aa18
Opcode Fuzzy Hash: 43de736e869db5f6004937be9ec32e5b52aaee046e60cf14eb08faef8a683a21
Instruction Fuzzy Hash: 92317C71E4212CBBDB209B50DC88EFFBB7CEF05750F014265E915E2280DB349A45BAE0

Function 00EF3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00EF3D40
_wcslen.LIBCMT ref: 00EF3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00EF3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00EF3DBE
RemoveDirectoryW.KERNEL32(?), ref: 00EF3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00EF3E55
CloseHandle.KERNEL32(00000000), ref: 00EF3E60
CloseHandle.KERNEL32(00000000), ref: 00EF3E6B

Strings

\, xrefs: 00EF3D77
\??\%s, xrefs: 00EF3D5B
:, xrefs: 00EF3D82

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 75db0b16a6cea772dea37b4bc03cd5edf2ba2f97f155800f4fc858dfd55a4357
Instruction ID: 7e780797bfc33b306351743cee9a7bb5ca6b4ada26d129f1b7f755bc89be4867
Opcode Fuzzy Hash: 75db0b16a6cea772dea37b4bc03cd5edf2ba2f97f155800f4fc858dfd55a4357
Instruction Fuzzy Hash: 6F31A17194025DABDB209FA0DC49FEF37BDEF89744F1050A9F605E6060EB7097448B64

Function 00EEE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00EEE6B4

Part of subcall function 00E9E551: timeGetTime.WINMM(?,?,00EEE6D4), ref: 00E9E555

Sleep.KERNEL32(0000000A), ref: 00EEE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00EEE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00EEE727
SetActiveWindow.USER32 ref: 00EEE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00EEE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00EEE773
Sleep.KERNEL32(000000FA), ref: 00EEE77E
IsWindow.USER32 ref: 00EEE78A
EndDialog.USER32(00000000), ref: 00EEE79B

Strings

BUTTON, xrefs: 00EEE719

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 966e3491e531ae3e60ff1fd084b7a58fa1e92402d537a0adc1942ea40e120e04
Instruction ID: d34c1bc952492fd4ee07f9740ff74e540eecb4ffada131b67abff97863c017ea
Opcode Fuzzy Hash: 966e3491e531ae3e60ff1fd084b7a58fa1e92402d537a0adc1942ea40e120e04
Instruction Fuzzy Hash: E521A87024038DAFEB005F32EC89B653B69F75674EF116425F609A22B1DB71AC01BB55

Function 00EEE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00EEEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00EEEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EEEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00EEEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00EEEAA7

Strings

play PlayMe wait, xrefs: 00EEEA91
close PlayMe, xrefs: 00EEEA6E, 00EEEA9B
play PlayMe, xrefs: 00EEEAA2
alias PlayMe, xrefs: 00EEEA36
open , xrefs: 00EEEA0C
status PlayMe mode, xrefs: 00EEEA58

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: c895cd1aa00567edda7358cc1e81a92c625fd4f61a9f8d20bb8b02e1a9df3186
Instruction ID: 92c6a11c2e2bfcdb92517d1da7b31e42bea7feffc1f8561e2759f5342b1921c1
Opcode Fuzzy Hash: c895cd1aa00567edda7358cc1e81a92c625fd4f61a9f8d20bb8b02e1a9df3186
Instruction Fuzzy Hash: 41114271A5025979D720B762DC4ADFB7ABCEBD2B04F001429B819F21D1EAB04945C6B2

Function 00EE5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00EE5CE2
GetWindowRect.USER32(00000000,?), ref: 00EE5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00EE5D59
GetDlgItem.USER32(?,00000002), ref: 00EE5D69
GetWindowRect.USER32(00000000,?), ref: 00EE5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00EE5DCF
GetDlgItem.USER32(?,000003E9), ref: 00EE5DDD
GetWindowRect.USER32(00000000,?), ref: 00EE5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00EE5E31
GetDlgItem.USER32(?,000003EA), ref: 00EE5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00EE5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00EE5E67

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 7eecec60a8ec50532260493010543a69d6440be9e8f8669e51890c06ed56355c
Instruction ID: 9c4fca5011ebf02ebf04154111ad8ed9525578d1d76685b4adaba6186c5d0c1e
Opcode Fuzzy Hash: 7eecec60a8ec50532260493010543a69d6440be9e8f8669e51890c06ed56355c
Instruction Fuzzy Hash: 37512F71B40609AFDF18CF69DD89AAEBBB5FB48314F158129F519E7290D7709E00CB90

Function 00E98BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00E98F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E98BE8,?,00000000,?,?,?,?,00E98BBA,00000000,?), ref: 00E98FC5

DestroyWindow.USER32(?), ref: 00E98C81
KillTimer.USER32(00000000,?,?,?,?,00E98BBA,00000000,?), ref: 00E98D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00ED6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00E98BBA,00000000,?), ref: 00ED69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00E98BBA,00000000,?), ref: 00ED69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00E98BBA,00000000), ref: 00ED69D4
DeleteObject.GDI32(00000000), ref: 00ED69E6

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 232ab1cf66081559ce5e938f9a32d43651ee7c92b58770aaf0fa43301e253b18
Instruction ID: 5409aa8d43f43e10cab98db0a91874c280b7eac288908625c354fbd53927932a
Opcode Fuzzy Hash: 232ab1cf66081559ce5e938f9a32d43651ee7c92b58770aaf0fa43301e253b18
Instruction Fuzzy Hash: 7C619C30502708DFDF259F14CA58B69B7F1FB4131AF14A51AE182AB6B0CB71BD81EB91

Function 00E99838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00E99944: GetWindowLongW.USER32(?,000000EB), ref: 00E99952

GetSysColor.USER32(0000000F), ref: 00E99862

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: a84659da984bf2fbdbb0ae607840d1af85f9a0b2a289bac8c537803fe85d8f61
Instruction ID: dd223bab938b471153a013caa64386ebd4f2f369545820670178058f462b9a7b
Opcode Fuzzy Hash: a84659da984bf2fbdbb0ae607840d1af85f9a0b2a289bac8c537803fe85d8f61
Instruction Fuzzy Hash: EE41BF31140604AFDF345B3C9C84BB93BA5EB06324F15560EE9A2A72E2E7319C42EB51

Function 00EE96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00ECF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00EE9717
LoadStringW.USER32(00000000,?,00ECF7F8,00000001), ref: 00EE9720

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00ECF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00EE9742
LoadStringW.USER32(00000000,?,00ECF7F8,00000001), ref: 00EE9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00EE9866

Strings

^ ERROR, xrefs: 00EE97FB
Line %d:, xrefs: 00EE97A0
Error: , xrefs: 00EE981D
%s (%d) : ==> %s: %s %s, xrefs: 00EE984A
Line %d (File "%s"):, xrefs: 00EE978F

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: db13ad3fe9c083fc3e38e665c6ed990037969d4dfbd4decc362293df9b440157
Instruction ID: 7b1c9a7588c3f81e56ee3cd16a294936fddc735fa90882f37f72ae0d21be44d9
Opcode Fuzzy Hash: db13ad3fe9c083fc3e38e665c6ed990037969d4dfbd4decc362293df9b440157
Instruction Fuzzy Hash: 57414D7290024DAACF04FBE0DD46DEEB7B8AF55740F141065F609B2092EB356F49DBA1

Function 00EE06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00E86B57: _wcslen.LIBCMT ref: 00E86B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00EE07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00EE07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00EE07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00EE0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00EE082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00EE0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00EE083C

Strings

\IPC$, xrefs: 00EE0784
SOFTWARE\Classes\, xrefs: 00EE070E
\CLSID, xrefs: 00EE0724

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 4b7e810881e57e67eb948dff8834a401999626fc00fa4c4d070ce9cd0f52e4e6
Instruction ID: c3007cd0acde4d131b158d4b13c581614fe5022d8c8fdb4401f8fe3fe51bd3fa
Opcode Fuzzy Hash: 4b7e810881e57e67eb948dff8834a401999626fc00fa4c4d070ce9cd0f52e4e6
Instruction Fuzzy Hash: C3412672C1022DABDF15FBA4DC858EDB7B8BF04754B05512AE909B3161EB749E44CBA0

Function 00F03C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F03C5C
CoInitialize.OLE32(00000000), ref: 00F03C8A
CoUninitialize.OLE32 ref: 00F03C94
_wcslen.LIBCMT ref: 00F03D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00F03DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00F03ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00F03F0E
CoGetObject.OLE32(?,00000000,00F1FB98,?), ref: 00F03F2D
SetErrorMode.KERNEL32(00000000), ref: 00F03F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00F03FC4
VariantClear.OLEAUT32(?), ref: 00F03FD8

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 4ab59db31495bf070a6ea579ad0b260fa84a7f1770794d042a1bfcaa66ac53ad
Instruction ID: 7eae4e635aceccf00a35f5ca5c495e2c11253a823f972fac83540498a9b84f30
Opcode Fuzzy Hash: 4ab59db31495bf070a6ea579ad0b260fa84a7f1770794d042a1bfcaa66ac53ad
Instruction Fuzzy Hash: 17C15671A083059FD700DF68C88492BBBE9FF89754F00491DF98A9B291D731EE05EB92

Function 00EF7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00EF7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00EF7B8F
SHGetDesktopFolder.SHELL32(?), ref: 00EF7BA3
CoCreateInstance.OLE32(00F1FD08,00000000,00000001,00F46E6C,?), ref: 00EF7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00EF7C74
CoTaskMemFree.OLE32(?,?), ref: 00EF7CCC
SHBrowseForFolderW.SHELL32(?), ref: 00EF7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00EF7D7A
CoTaskMemFree.OLE32(00000000), ref: 00EF7D81
CoTaskMemFree.OLE32(00000000), ref: 00EF7DD6
CoUninitialize.OLE32 ref: 00EF7DDC

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 2e056e842ef689003a8a65fd2fe502da44009ec1f4eb011533a9f6017f9b603f
Instruction ID: cf53b48ae2c8a952e13f1d3a9d6b50f3f61a20b34fc156f1d284b09cc1474ca8
Opcode Fuzzy Hash: 2e056e842ef689003a8a65fd2fe502da44009ec1f4eb011533a9f6017f9b603f
Instruction Fuzzy Hash: BFC14B75A04109AFCB14DFA4C884DAEBBF9FF49304B149498E95AEB361D731EE41CB90

Function 00F1541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00F15504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F15515
CharNextW.USER32(00000158), ref: 00F15544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00F15585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00F1559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F155AC

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: c5909dc50ebe54e16d5e7a9561d03b5fcf3f124aa54dc7cdf95cbe2c6e76b940
Instruction ID: e2fac1761c1310ecb3c5ae657368f4abe8844929ff0da7e27fa133d0a1f73c87
Opcode Fuzzy Hash: c5909dc50ebe54e16d5e7a9561d03b5fcf3f124aa54dc7cdf95cbe2c6e76b940
Instruction Fuzzy Hash: 7461B031900608EFDF10DF50CC94AFE3BB9EB89B35F108145F925AA290D7748AC0EBA1

Function 00EDFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00EDFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00EDFB08
VariantInit.OLEAUT32(?), ref: 00EDFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00EDFB3A
VariantCopy.OLEAUT32(?,?), ref: 00EDFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00EDFBA1
VariantClear.OLEAUT32(?), ref: 00EDFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00EDFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00EDFBCC
VariantClear.OLEAUT32(?), ref: 00EDFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00EDFBE9

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 12cde59f1beb919855eab79c7148980a700b2c9c06b5fbbb3fb117ce3d13f423
Instruction ID: 3e00e63a7b968abbd52a3baef460e10655d0e59689d94bd7afd87a38396396e3
Opcode Fuzzy Hash: 12cde59f1beb919855eab79c7148980a700b2c9c06b5fbbb3fb117ce3d13f423
Instruction Fuzzy Hash: 05416235A04219DFDF04DFA4D8549EDBBB9FF08344F01906AE946A7361C730A946CFA0

Function 00EE9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00EE9CA1
GetAsyncKeyState.USER32(000000A0), ref: 00EE9D22
GetKeyState.USER32(000000A0), ref: 00EE9D3D
GetAsyncKeyState.USER32(000000A1), ref: 00EE9D57
GetKeyState.USER32(000000A1), ref: 00EE9D6C
GetAsyncKeyState.USER32(00000011), ref: 00EE9D84
GetKeyState.USER32(00000011), ref: 00EE9D96
GetAsyncKeyState.USER32(00000012), ref: 00EE9DAE
GetKeyState.USER32(00000012), ref: 00EE9DC0
GetAsyncKeyState.USER32(0000005B), ref: 00EE9DD8
GetKeyState.USER32(0000005B), ref: 00EE9DEA

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 0e35682423230cde1dcdc0ecb7a016b045888ad6c2fc641ed00efe196ee492f1
Instruction ID: 9fd22c762e4ac96c35ad72fda0a98476f9f0793b0f9c97de6bd2eebe9baf0785
Opcode Fuzzy Hash: 0e35682423230cde1dcdc0ecb7a016b045888ad6c2fc641ed00efe196ee492f1
Instruction Fuzzy Hash: 8441D5345047DD69FF34966288043F5FEE16B1134CF08A05ADAC66A5C3DBA599C8C7A2

Function 00F0055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00F005BC
inet_addr.WSOCK32(?), ref: 00F0061C
gethostbyname.WSOCK32(?), ref: 00F00628
IcmpCreateFile.IPHLPAPI ref: 00F00636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00F006C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00F006E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00F007B9
WSACleanup.WSOCK32 ref: 00F007BF

Strings

Ping, xrefs: 00F00676

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 6d38c72487f4d86de96c4e332ee4f66d177f5247708cbe317f477fe98928431a
Instruction ID: 2573323ff0aea23ea7dda9fd25c8bd0c778506c45438566d58eadee70c64d0fb
Opcode Fuzzy Hash: 6d38c72487f4d86de96c4e332ee4f66d177f5247708cbe317f477fe98928431a
Instruction Fuzzy Hash: 2591C235A042019FD720DF15C888F1ABBE1AF45328F1885A9F4699B7A2CB34FD41EF91

Function 00F08CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00F08CF3

Part of subcall function 00EE8E54: _wcslen.LIBCMT ref: 00EE8E77

_wcslen.LIBCMT ref: 00F08D4E
_wcslen.LIBCMT ref: 00F08D9C
_wcslen.LIBCMT ref: 00F08DDC
_wcslen.LIBCMT ref: 00F08E6E

Strings

stdcall, xrefs: 00F08DD6, 00F08DDB
cdecl, xrefs: 00F08D48, 00F08D4D
winapi, xrefs: 00F08D96, 00F08D9B
none, xrefs: 00F08E65, 00F08E6A

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 7ceeb6d2af318a14dec9455a686e84b389924a8e69cef1bfc08faeeaa2942ecd
Instruction ID: 107aae7f8fa5fbd68ae5101ea62fa8837304074c3bd088f94ea78775c836321a
Opcode Fuzzy Hash: 7ceeb6d2af318a14dec9455a686e84b389924a8e69cef1bfc08faeeaa2942ecd
Instruction Fuzzy Hash: 7E51B431E005169BCF14DFA8C9405BEB7E5BF65360B254229E89AE72C5DB30DD41F790

Function 00F0372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00F03774
CoUninitialize.OLE32 ref: 00F0377F
CoCreateInstance.OLE32(?,00000000,00000017,00F1FB78,?), ref: 00F037D9
IIDFromString.OLE32(?,?), ref: 00F0384C
VariantInit.OLEAUT32(?), ref: 00F038E4
VariantClear.OLEAUT32(?), ref: 00F03936

Strings

Failed to create object, xrefs: 00F037E4, 00F0389A
Invalid parameter, xrefs: 00F03865
NULL Pointer assignment, xrefs: 00F0381E

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 5bb5b9053332fca6105eb1e7f1d8f30a79252e9fa771cdb6ef1f0a628d46e491
Instruction ID: 7d203c5de864816c6e44be6af9aa5942b03d0c82120d932edf3a24c5682d5ca7
Opcode Fuzzy Hash: 5bb5b9053332fca6105eb1e7f1d8f30a79252e9fa771cdb6ef1f0a628d46e491
Instruction Fuzzy Hash: 2961B072608301AFD310DF54C888F6ABBE8EF49710F104949F985AB2D1D770EE48EB92

Function 00EF3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00EF33CF

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00EF33F0

Strings

^ ERROR , xrefs: 00EF349E
Error: , xrefs: 00EF34D1
Incorrect parameters to object property !, xrefs: 00EF34AB
"%s" (%d) : ==> %s:, xrefs: 00EF3522
"%s" (%d) : ==> %s:%s%s, xrefs: 00EF3504
Line %d (File "%s"):, xrefs: 00EF3443, 00EF345C

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: f13fd167f2100125de1002dd983a38ae05e724a98013563e918a13f8a132981b
Instruction ID: 63b0b3272715781a9ce94cb76562ec3b760c3a0a8cbb3b06da11ca9889dd3198
Opcode Fuzzy Hash: f13fd167f2100125de1002dd983a38ae05e724a98013563e918a13f8a132981b
Instruction Fuzzy Hash: 94518B71D0020AAADF15FBE0CD46EFEB7B9AF04740F245065F509B20A2EB256F58DB61

Function 00EEB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00EEB5FC
_wcslen.LIBCMT ref: 00EEB608
_wcslen.LIBCMT ref: 00EEB64D
_wcslen.LIBCMT ref: 00EEB68C
_wcslen.LIBCMT ref: 00EEB6C7

Strings

KEYS, xrefs: 00EEB647, 00EEB64C
APPEND, xrefs: 00EEB6C1, 00EEB6C6
REMOVE, xrefs: 00EEB602, 00EEB607
EXISTS, xrefs: 00EEB686, 00EEB68B

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 8573a5a7784b8ce8623229028a058be500775f7dc501e6f8977bad311435f5a1
Instruction ID: 99345bd97da0aefa4990c35bf4debc256be792597ec25f336d78acae5aacfce7
Opcode Fuzzy Hash: 8573a5a7784b8ce8623229028a058be500775f7dc501e6f8977bad311435f5a1
Instruction Fuzzy Hash: A541DD72A0016B9BCB105F7EC8905BF77A5AFA1758B245129E465FB284F731CD81C790

Function 00EF5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EF53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00EF5416
GetLastError.KERNEL32 ref: 00EF5420
SetErrorMode.KERNEL32(00000000,READY), ref: 00EF54A7

Strings

NOTREADY, xrefs: 00EF544B
READY, xrefs: 00EF5460, 00EF5468
UNKNOWN, xrefs: 00EF5444
READONLY, xrefs: 00EF5452
INVALID, xrefs: 00EF5459

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 1a1cd8e8cc5153ae0771db3c435a1343d970b37a15562b05cc9bc269487b4667
Instruction ID: 528f3120e2bc03c9d63fd1032e6618f4845f537237692c0319628406aff92c51
Opcode Fuzzy Hash: 1a1cd8e8cc5153ae0771db3c435a1343d970b37a15562b05cc9bc269487b4667
Instruction Fuzzy Hash: 7A31B536A005099FD710DF68C484AF9BBF4EF15309F149056EA16EB292D731DD82CBA1

Function 00F13C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00F13C79
SetMenu.USER32(?,00000000), ref: 00F13C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F13D10
IsMenu.USER32(?), ref: 00F13D24
CreatePopupMenu.USER32 ref: 00F13D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F13D5B
DrawMenuBar.USER32 ref: 00F13D63

Strings

F, xrefs: 00F13D4E
0, xrefs: 00F13C54

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: b4e59989165d235e7924d278d92ce76895049f1d274e4d9c57a1cb6dc43f2ebf
Instruction ID: fece29bd83db75fd547cd6937fe988f18ec02388940fff7a455bd2af40c69e42
Opcode Fuzzy Hash: b4e59989165d235e7924d278d92ce76895049f1d274e4d9c57a1cb6dc43f2ebf
Instruction Fuzzy Hash: 4E416879A01209AFDB14CF64E844BEA7BB6FF49354F144029EA46A7360D770AA10EB94

Function 00EE1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

Part of subcall function 00EE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EE3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00EE1F64
GetDlgCtrlID.USER32 ref: 00EE1F6F
GetParent.USER32 ref: 00EE1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00EE1F8E
GetDlgCtrlID.USER32(?), ref: 00EE1F97
GetParent.USER32(?), ref: 00EE1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00EE1FAE

Strings

ComboBox, xrefs: 00EE1EEC
ListBox, xrefs: 00EE1F21

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 259dcf9061880ba999de24ddf98f93a03d49a309e5ddc12a5f035925436cc2f5
Instruction ID: cab6c30531c2c06c10f34076bce74ed099ff7b39cd04ec5895ac90557026f544
Opcode Fuzzy Hash: 259dcf9061880ba999de24ddf98f93a03d49a309e5ddc12a5f035925436cc2f5
Instruction Fuzzy Hash: F421B070E40218BFCF04AFA1CC95DFEBBB8EF05310B105155B96977292DB399948DBA0

Function 00F13A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00F13A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00F13AA0
GetWindowLongW.USER32(?,000000F0), ref: 00F13AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F13AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00F13B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00F13BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00F13BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00F13BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00F13BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00F13C13

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: baa22df319c1f90c4990387de54f48da4bf38a5d78aaa5aca51ec9b3a1142ef2
Instruction ID: e3cb1e1e3af52112ce7ba6faf92b7b3517e977a45dc8edfe505301ae04393729
Opcode Fuzzy Hash: baa22df319c1f90c4990387de54f48da4bf38a5d78aaa5aca51ec9b3a1142ef2
Instruction Fuzzy Hash: DD618A75A00248AFDB10DFA8CC81FEE77F8EB49710F104099FA15A72A1D774AE85EB50

Function 00EEB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00EEB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00EEA1E1,?,00000001), ref: 00EEB165
GetWindowThreadProcessId.USER32(00000000), ref: 00EEB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00EEA1E1,?,00000001), ref: 00EEB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00EEB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00EEA1E1,?,00000001), ref: 00EEB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00EEA1E1,?,00000001), ref: 00EEB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00EEA1E1,?,00000001), ref: 00EEB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00EEA1E1,?,00000001), ref: 00EEB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00EEA1E1,?,00000001), ref: 00EEB21D

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: b59627b86fbeb130438dc50cdcc036069ecd9455dd12103c3384e4e8d55ed61a
Instruction ID: 035401eb02a3f13a2a866d634ae53d1dffa574d72c4bb934fd25e062a4c4cef0
Opcode Fuzzy Hash: b59627b86fbeb130438dc50cdcc036069ecd9455dd12103c3384e4e8d55ed61a
Instruction Fuzzy Hash: 8B31CE7554034CBFDB109F2ADC48BAF7BA9BF5435AF119004FB04E61A0D7B49A009FA4

Function 00EB2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00EB2C94

Part of subcall function 00EB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000), ref: 00EB29DE
Part of subcall function 00EB29C8: GetLastError.KERNEL32(00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000,00000000), ref: 00EB29F0

_free.LIBCMT ref: 00EB2CA0
_free.LIBCMT ref: 00EB2CAB
_free.LIBCMT ref: 00EB2CB6
_free.LIBCMT ref: 00EB2CC1
_free.LIBCMT ref: 00EB2CCC
_free.LIBCMT ref: 00EB2CD7
_free.LIBCMT ref: 00EB2CE2
_free.LIBCMT ref: 00EB2CED
_free.LIBCMT ref: 00EB2CFB

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4c54fc4edcba8cb4772cf4d1b30d7c1597c016e17b6a5fd96ffe82b33365f5c1
Instruction ID: 7b743ac391e0ff3df73cc629b8362886047f8e18ffe957e77af4b7d337f37b29
Opcode Fuzzy Hash: 4c54fc4edcba8cb4772cf4d1b30d7c1597c016e17b6a5fd96ffe82b33365f5c1
Instruction Fuzzy Hash: DF117476500108BFCB02EF54D982CDE3BA5FF49350F5159A9FA48AF222DA31EE509B90

Function 00E81410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00E81459
OleUninitialize.OLE32(?,00000000), ref: 00E814F8
UnregisterHotKey.USER32(?), ref: 00E816DD
DestroyWindow.USER32(?), ref: 00EC24B9
FreeLibrary.KERNEL32(?), ref: 00EC251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00EC254B

Strings

close all, xrefs: 00E81454

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: fad322aaa70f357a37d908fe7a6e0d884fe4f26fe4d0ac6b3d60ab2135e61a11
Instruction ID: c6ea14f8e73b686974b7ba6c90739461d3f0119a873c9ac717e76ded717f6c79
Opcode Fuzzy Hash: fad322aaa70f357a37d908fe7a6e0d884fe4f26fe4d0ac6b3d60ab2135e61a11
Instruction Fuzzy Hash: 1ED145316012128FCB19EF14C995B69F7A4BF05714F2462ADE54EBB262DB32AC13CF91

Function 00EF7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EF7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00EF7FC1
GetFileAttributesW.KERNEL32(?), ref: 00EF7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00EF8005
SetCurrentDirectoryW.KERNEL32(?), ref: 00EF8017
SetCurrentDirectoryW.KERNEL32(?), ref: 00EF8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00EF80B0

Strings

*.*, xrefs: 00EF8066

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: c0c79db50b4e7df3d9fce1e830d132909dab58e323782650491e805d5dac14ae
Instruction ID: 6e3f59ee597647687d66d5263f1fb61c20985313a578e2557dbafffbe00e9783
Opcode Fuzzy Hash: c0c79db50b4e7df3d9fce1e830d132909dab58e323782650491e805d5dac14ae
Instruction Fuzzy Hash: 1881D1725082099BDB20EF14C8449BEB3E8BF89318F54685EFAC9E7250EB34DD45CB52

Function 00E85BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00E85C7A

Part of subcall function 00E85D0A: GetClientRect.USER32(?,?), ref: 00E85D30
Part of subcall function 00E85D0A: GetWindowRect.USER32(?,?), ref: 00E85D71
Part of subcall function 00E85D0A: ScreenToClient.USER32(?,?), ref: 00E85D99

GetDC.USER32 ref: 00EC46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00EC4708
SelectObject.GDI32(00000000,00000000), ref: 00EC4716
SelectObject.GDI32(00000000,00000000), ref: 00EC472B
ReleaseDC.USER32(?,00000000), ref: 00EC4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00EC47C4

Strings

U, xrefs: 00EC4693

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: d372e91147aa827a3d26ff736b77624caf52f6b56ea4de42427d313b42ca6519
Instruction ID: 6323038511778019afdc18bc709b034b2193a13e8a777e0f821854a8d3adc6b8
Opcode Fuzzy Hash: d372e91147aa827a3d26ff736b77624caf52f6b56ea4de42427d313b42ca6519
Instruction Fuzzy Hash: 8571D171400209DFCF219F64CA94FEA7BB1FF46318F14626AED596A1A6C7329842DF50

Function 00EF359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00EF35E4

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

LoadStringW.USER32(00F52390,?,00000FFF,?), ref: 00EF360A

Strings

^ ERROR, xrefs: 00EF36C9
Error: , xrefs: 00EF36EF
"%s" (%d) : ==> %s:, xrefs: 00EF3742
"%s" (%d) : ==> %s:%s%s, xrefs: 00EF3724
Line %d (File "%s"):, xrefs: 00EF366B

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: f03f6e1e2f9fe88d97ac8c4dab56fbc084bf814bff7eda87e68b55977f305537
Instruction ID: 8778be548c4df85369126ad3a3507e2d691e1ba7599fc7bc9916ab5859d58c7b
Opcode Fuzzy Hash: f03f6e1e2f9fe88d97ac8c4dab56fbc084bf814bff7eda87e68b55977f305537
Instruction Fuzzy Hash: 29513E71D00209AADF15FBA0DC42EFEBBB4AF04704F146125F609721A2EB356B95DBA1

Function 00EFC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EFC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EFC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00EFC2CA
GetLastError.KERNEL32 ref: 00EFC322
SetEvent.KERNEL32(?), ref: 00EFC336
InternetCloseHandle.WININET(00000000), ref: 00EFC341

Strings

, xrefs: 00EFC2BB

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 1720e8646db7cec01d57e3026813fe9de653f7e47d3d5782273ae1463c5adb97
Instruction ID: ffab49baf1452239b0a7e997a4b815bad17bccc6f7734371200d19dadcc61cb4
Opcode Fuzzy Hash: 1720e8646db7cec01d57e3026813fe9de653f7e47d3d5782273ae1463c5adb97
Instruction Fuzzy Hash: F731BFB160160CAFD7219F648E88ABB7BFCEB49784F34951EF546A2200DB30DD059BA0

Function 00EE989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00EC3AAF,?,?,Bad directive syntax error,00F1CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00EE98BC
LoadStringW.USER32(00000000,?,00EC3AAF,?), ref: 00EE98C3

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00EE9987

Strings

Line %d:, xrefs: 00EE9912
., xrefs: 00EE996D
%s (%d) : ==> %s.: %s %s, xrefs: 00EE98F1
Error: , xrefs: 00EE9955
Line %d (File "%s"):, xrefs: 00EE992D

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 7cc2414a4eb9c6a1c90ee23febdd53b243fa8699e28c0cdec3819029d49a8c89
Instruction ID: 41fe636feabd483e7bafa58975cd4318019ef0a83132b60222db573fa76f8129
Opcode Fuzzy Hash: 7cc2414a4eb9c6a1c90ee23febdd53b243fa8699e28c0cdec3819029d49a8c89
Instruction Fuzzy Hash: F7218D31D4025EABCF15AF90CC06EEE77B5BF18700F045429F519720A2EB369618DB51

Function 00EE209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00EE20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00EE20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00EE214D

Strings

largeicons, xrefs: 00EE20E1
smallicons, xrefs: 00EE2115
list, xrefs: 00EE212F
details, xrefs: 00EE20FB
SHELLDLL_DefView, xrefs: 00EE20CC

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 7d41eb4e0951cf257257ea408ae03ae699dc3997d9c86b99f0b083518da8fd56
Instruction ID: f02af724245bcec6b153a52a70656a350479fc706a0b2e4aafdbfe27a5631f79
Opcode Fuzzy Hash: 7d41eb4e0951cf257257ea408ae03ae699dc3997d9c86b99f0b083518da8fd56
Instruction Fuzzy Hash: 07112C766C470EBAF6013A21DC07DE637DCCB49728B20201AFB04B90E2FEB1A9016555

Function 00EBCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00EBCEB7
_free.LIBCMT ref: 00EBCF22
_free.LIBCMT ref: 00EBCF48
_free.LIBCMT ref: 00EBCF71
_free.LIBCMT ref: 00EBCFA9
_free.LIBCMT ref: 00EBCFDA
_free.LIBCMT ref: 00EBD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00EBD09C
_free.LIBCMT ref: 00EBD0B5

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 2799a6caf621f487253fa6f534aeb2c3d6e77523f68a6867a48672334d73d09e
Instruction ID: b8cf40785291db921f68d670909bfa01431b08195e19451824f014210d9c9d8e
Opcode Fuzzy Hash: 2799a6caf621f487253fa6f534aeb2c3d6e77523f68a6867a48672334d73d09e
Instruction Fuzzy Hash: 32616A71A08304AFDF21AFB49C81AFB7BE6EF05324F2451ADFA44B7281EA319D019750

Function 00F150D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00F15186
ShowWindow.USER32(?,00000000), ref: 00F151C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00F151CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00F151D1

Part of subcall function 00F16FBA: DeleteObject.GDI32(00000000), ref: 00F16FE6

GetWindowLongW.USER32(?,000000F0), ref: 00F1520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F1521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00F1524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00F15287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00F15296

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: f4a772f61799041f3c32e32db4943f22a4b6e15961aa1ed64dfbbbe9050e6a59
Instruction ID: adf3a7565b2fc687ef2ec97972573e9fcb459b1cc04b82a1d3f704f20fba006c
Opcode Fuzzy Hash: f4a772f61799041f3c32e32db4943f22a4b6e15961aa1ed64dfbbbe9050e6a59
Instruction Fuzzy Hash: F651B432A50A08FEEF219F64CC45BD83B65FB85B21F148115F615A62E1C7B5A9C0FF40

Function 00E98B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00ED6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00ED68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00ED68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00ED68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00ED68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00E98874,00000000,00000000,00000000,000000FF,00000000), ref: 00ED6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00ED691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00E98874,00000000,00000000,00000000,000000FF,00000000), ref: 00ED692D

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 576073ead9d9e0077996a81a38ba2d5f8adc90f6bdfa192c5843974a5a461b60
Instruction ID: 8ef36cdf8359450b57c0b1035ae01c8c4c72220a47012f24130e8068a5178c40
Opcode Fuzzy Hash: 576073ead9d9e0077996a81a38ba2d5f8adc90f6bdfa192c5843974a5a461b60
Instruction Fuzzy Hash: 6B518874600209EFDF24CF24CC55FAA7BB6FB48354F145519FA46A72A0EB70E991EB80

Function 00EFC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EFC182
GetLastError.KERNEL32 ref: 00EFC195
SetEvent.KERNEL32(?), ref: 00EFC1A9

Part of subcall function 00EFC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EFC272
Part of subcall function 00EFC253: GetLastError.KERNEL32 ref: 00EFC322
Part of subcall function 00EFC253: SetEvent.KERNEL32(?), ref: 00EFC336
Part of subcall function 00EFC253: InternetCloseHandle.WININET(00000000), ref: 00EFC341

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 6ed11a7df4445dc17aba44ed788a9bc6e0bd7df1bd9259e573df270c404825f8
Instruction ID: 346529988c9bb43d1bab77124032545192a4308bb8e6284b77fc916638b0ea88
Opcode Fuzzy Hash: 6ed11a7df4445dc17aba44ed788a9bc6e0bd7df1bd9259e573df270c404825f8
Instruction Fuzzy Hash: EC31A471240A0DAFEB219FA5DE44AB67BF8FF14300B30941DF65692620D730D814EBA0

Function 00EE25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EE3A57
Part of subcall function 00EE3A3D: GetCurrentThreadId.KERNEL32 ref: 00EE3A5E
Part of subcall function 00EE3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00EE25B3), ref: 00EE3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00EE25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00EE25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00EE25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00EE25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00EE2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00EE2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00EE260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00EE2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00EE2627

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 1df4b23449a5435b97cd77bbc3926fbba47c668d66327ca46d9bd9da383662c9
Instruction ID: 8f7823f2cb78a7ccd05330ed627fd1bead2726a88ffc0b2cba4abbc62f87fb7f
Opcode Fuzzy Hash: 1df4b23449a5435b97cd77bbc3926fbba47c668d66327ca46d9bd9da383662c9
Instruction Fuzzy Hash: 3101D8303D0358BBFB10676A9C8EF997F99DB4EB11F115015F318BF0D1C9E114449AA9

Function 00EE1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00EE1449,?,?,00000000), ref: 00EE180C
HeapAlloc.KERNEL32(00000000,?,00EE1449,?,?,00000000), ref: 00EE1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00EE1449,?,?,00000000), ref: 00EE1828
GetCurrentProcess.KERNEL32(?,00000000,?,00EE1449,?,?,00000000), ref: 00EE1830
DuplicateHandle.KERNEL32(00000000,?,00EE1449,?,?,00000000), ref: 00EE1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00EE1449,?,?,00000000), ref: 00EE1843
GetCurrentProcess.KERNEL32(00EE1449,00000000,?,00EE1449,?,?,00000000), ref: 00EE184B
DuplicateHandle.KERNEL32(00000000,?,00EE1449,?,?,00000000), ref: 00EE184E
CreateThread.KERNEL32(00000000,00000000,00EE1874,00000000,00000000,00000000), ref: 00EE1868

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: a441594fb693bb1822fa0304a2b71de4230bbb48a430473fd77dad3f14720ab3
Instruction ID: 61f99da41efbe8c21e0c269615f441bc6ec60d61e58860279ddad4d27a494938
Opcode Fuzzy Hash: a441594fb693bb1822fa0304a2b71de4230bbb48a430473fd77dad3f14720ab3
Instruction Fuzzy Hash: 2701BFB52C0348BFE710AB65DC4DF977B6CEB89B11F018411FA05DB192C6709800DB60

Function 00EB3E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00EB3F0B
__alldvrm.LIBCMT ref: 00EB410C
__alldvrm.LIBCMT ref: 00EB412E

Strings

}}, xrefs: 00EB3E96, 00EB3EF1, 00EB3F0A, 00EB4090
}}, xrefs: 00EB40CD
}}, xrefs: 00EB3E8A

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}$}}$}}
API String ID: 1036877536-1495402609
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 1987bea809140b77a8af8bba7ad2daeddb054942d9ecac8270a97aaaa4422c74
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 9CA178B1E013869FDB22DF28C8927FFBBE5EF62354F1451ADE585AB282C2348941C751

Function 00F0A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00EED4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00EED501
Part of subcall function 00EED4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00EED50F
Part of subcall function 00EED4DC: CloseHandle.KERNEL32(00000000), ref: 00EED5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F0A16D
GetLastError.KERNEL32 ref: 00F0A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F0A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00F0A268
GetLastError.KERNEL32(00000000), ref: 00F0A273
CloseHandle.KERNEL32(00000000), ref: 00F0A2C4

Strings

SeDebugPrivilege, xrefs: 00F0A18F

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: c6e20db09ffdac2a94744d26cb778040c1b11cf8d408734e3e111a716d8dee3e
Instruction ID: f0a2c34a8358fc09725b7cd38226c0a57e5be0109c5e32a1c150a79f3f6e4a21
Opcode Fuzzy Hash: c6e20db09ffdac2a94744d26cb778040c1b11cf8d408734e3e111a716d8dee3e
Instruction Fuzzy Hash: BF618C31604342AFD710DF14C494F16BBE1AF44318F19849CE46A9B7A3C772EC45EB92

Function 00F13886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00F13925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00F1393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00F13954
_wcslen.LIBCMT ref: 00F13999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00F139C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00F139F4

Strings

SysListView32, xrefs: 00F138F7

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 85cd1904b9d670f816cbecb280cbe4e9d01904c08cb7a363204c1e74594280c8
Instruction ID: 4b750d961e90a8a32da2e6e602b9a850fc338d3c2f86f1ae8496a64c68f14694
Opcode Fuzzy Hash: 85cd1904b9d670f816cbecb280cbe4e9d01904c08cb7a363204c1e74594280c8
Instruction Fuzzy Hash: 1F41A171A00319ABEF219F64CC45BEA7BA9EF08360F100526F958E7281D775DE84EB90

Function 00EEBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EEBCFD
IsMenu.USER32(00000000), ref: 00EEBD1D
CreatePopupMenu.USER32 ref: 00EEBD53
GetMenuItemCount.USER32(017254B8), ref: 00EEBDA4
InsertMenuItemW.USER32(017254B8,?,00000001,00000030), ref: 00EEBDCC

Strings

2, xrefs: 00EEBD37
0, xrefs: 00EEBCA8

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: f0940446be7a274e5f20087e148cded6f7a2a5937a59b0162de212df089fe4bd
Instruction ID: 61099c117b045e326acf1ef04ac4f5793992d95323df9b801a4679b99b9dfc65
Opcode Fuzzy Hash: f0940446be7a274e5f20087e148cded6f7a2a5937a59b0162de212df089fe4bd
Instruction Fuzzy Hash: F7519C70A0028D9BDB20CFAADC84BEFBBF9AF45318F249219E411F7290D7709945CB61

Function 00EA2D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00EA2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00EA2D53
_ValidateLocalCookies.LIBCMT ref: 00EA2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00EA2E0C
_ValidateLocalCookies.LIBCMT ref: 00EA2E61

Strings

csm, xrefs: 00EA2DF6
&H, xrefs: 00EA2DFE, 00EA2E07, 00EA2E18

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H$csm
API String ID: 1170836740-1242228090
Opcode ID: 4e92426f9133dd98c3c172d7416cf734bd2633f0c28e1b8c2b399365acd54df3
Instruction ID: 3783d7bbf119b33640efb5c2dc6a0c57d5f91f150a6928422b00798670d85234
Opcode Fuzzy Hash: 4e92426f9133dd98c3c172d7416cf734bd2633f0c28e1b8c2b399365acd54df3
Instruction Fuzzy Hash: 4A41A334A00209ABCF14DF6CC845A9EBBE5BF4A328F149159E914BF292D735FA01CBD0

Function 00EEC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00EEC913

Strings

warning, xrefs: 00EEC8FC
blank, xrefs: 00EEC895
stop, xrefs: 00EEC8E4
info, xrefs: 00EEC8B4
question, xrefs: 00EEC8CC

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 2971896de50016e6bb3096d4f1a5685042c11d22538e43e657ccd5aa3549d6c1
Instruction ID: aa5c5e350c13978f140406cd5f96f9ce8fa6c4d6f79b2252cfc90c890b30a01d
Opcode Fuzzy Hash: 2971896de50016e6bb3096d4f1a5685042c11d22538e43e657ccd5aa3549d6c1
Instruction Fuzzy Hash: 38112E3168934EBAA70457559C82CDE77DCDF56318B30202AF904F61C3E7B5AD026269

Function 00EEED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00EEED2A
_wcslen.LIBCMT ref: 00EEED3B
_wcslen.LIBCMT ref: 00EEED79
_wcslen.LIBCMT ref: 00EEEDAF
_wcslen.LIBCMT ref: 00EEEDDF
_wcslen.LIBCMT ref: 00EEEDEF
_wcslen.LIBCMT ref: 00EEEE2B
_wcslen.LIBCMT ref: 00EEEE5A

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 787a468aa48f926ba3dbd7d5ba9a28be8fd5504726ebaea23747ab3a57836550
Instruction ID: 192ba5e825bf757571434ecb7d559cfac7de911135092bee22a5e332b1cee4bd
Opcode Fuzzy Hash: 787a468aa48f926ba3dbd7d5ba9a28be8fd5504726ebaea23747ab3a57836550
Instruction Fuzzy Hash: 18419065C10258A5CB11EBF48C8AACFB7ECAF4A310F50A462E514F7271EB34E255C3A5

Function 00E9F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00ED682C,00000004,00000000,00000000), ref: 00E9F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00ED682C,00000004,00000000,00000000), ref: 00EDF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00ED682C,00000004,00000000,00000000), ref: 00EDF454

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: b88c97ed442b00cc77192788af5725e1712c36711f4117e576a1c03321fdaf7a
Instruction ID: f6255a1416fcff949fb158ac90b87d4c1bd8ab50f507c560afa32623499a5712
Opcode Fuzzy Hash: b88c97ed442b00cc77192788af5725e1712c36711f4117e576a1c03321fdaf7a
Instruction Fuzzy Hash: F2413F31604640BECF38CB68C8887AA7BD2ABD6318F15B43DE047F6661C671E481D750

Function 00F12D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00F12D1B
GetDC.USER32(00000000), ref: 00F12D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F12D2E
ReleaseDC.USER32(00000000,00000000), ref: 00F12D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00F12D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00F12D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00F15A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00F12DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00F12DE1

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 57764abb55cf117d0ec52411e8eb304d0eaf6cfd9096bf5988b703d9cf2a2312
Instruction ID: e955908cbc2b11ed6b785e04a20754c98ecd721c84f014b285c8d152ecf152f9
Opcode Fuzzy Hash: 57764abb55cf117d0ec52411e8eb304d0eaf6cfd9096bf5988b703d9cf2a2312
Instruction Fuzzy Hash: D5319C72241214BFEB118F50DC8AFEB3BA9EF09721F058055FE08DA291C6759C50DBA4

Function 00EE5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00EE5637
_memcmp.LIBVCRUNTIME ref: 00EE5659
_memcmp.LIBVCRUNTIME ref: 00EE5671
_memcmp.LIBVCRUNTIME ref: 00EE5684
_memcmp.LIBVCRUNTIME ref: 00EE569E
_memcmp.LIBVCRUNTIME ref: 00EE56B1
_memcmp.LIBVCRUNTIME ref: 00EE56C9
_memcmp.LIBVCRUNTIME ref: 00EE56E4

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e96fa9b9c19d650e6b5a842cb56a57463cc433dbcc98d6c7105a719b0084802a
Instruction ID: 078a83958ea5301dc4536aa2a731fbca18a96bbe54a3bdd576b13613f5b51460
Opcode Fuzzy Hash: e96fa9b9c19d650e6b5a842cb56a57463cc433dbcc98d6c7105a719b0084802a
Instruction Fuzzy Hash: 9721AA73640A4E77D6149A125D92FFB339CAF1538CF441021FD057E581F760EE1895E6

Function 00F04FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00F05007
NULL Pointer assignment, xrefs: 00F0502E, 00F05383

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: acac294f492d5ca31d954cad15ba8a469156b2b64d70aa0ed17c51c00f97b36e
Instruction ID: 1a80b7d4adc93c944f8230fde1182b917f3fe5b1ced1ebffab3fe5a350706f2b
Opcode Fuzzy Hash: acac294f492d5ca31d954cad15ba8a469156b2b64d70aa0ed17c51c00f97b36e
Instruction Fuzzy Hash: 93D1B175E0060A9FDF10CFA8C881BAEB7B5BF48754F148069E915AB281E7B0DD45EF90

Function 00EC1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00EC15CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00EC1651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00EC16E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00EC16FB

Part of subcall function 00EB3820: RtlAllocateHeap.NTDLL(00000000,?,00F51444,?,00E9FDF5,?,?,00E8A976,00000010,00F51440,00E813FC,?,00E813C6,?,00E81129), ref: 00EB3852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00EC1777
__freea.LIBCMT ref: 00EC17A2
__freea.LIBCMT ref: 00EC17AE

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 52f680e5bc6655d95d1319c0a22895dbca54f85efa429b8e5822541ab32415cd
Instruction ID: f33a92574accaf7bd319a735197e6642d8a7e903bd258da3e9e9f2840f60b5b3
Opcode Fuzzy Hash: 52f680e5bc6655d95d1319c0a22895dbca54f85efa429b8e5822541ab32415cd
Instruction Fuzzy Hash: A7919371E002169ADB208E64CA51FEE7BF5AF4B714F18659EE801F7182D736DC4287A0

Function 00F04523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F04648
VariantInit.OLEAUT32(?), ref: 00F04749
VariantClear.OLEAUT32(?), ref: 00F04753
VariantClear.OLEAUT32(?), ref: 00F047B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00F045D8, 00F04706, 00F047BE
Incorrect Object type in FOR..IN loop, xrefs: 00F0472C

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 2aca79dd6f11aa5b522836c8fc0b9e2e7dcae68ca0ba9be6f6b49121eef4cfba
Instruction ID: 81ef30a1325581e1ed3d18fce45788d66a363b48b6bf7982ffba2814e564fb6c
Opcode Fuzzy Hash: 2aca79dd6f11aa5b522836c8fc0b9e2e7dcae68ca0ba9be6f6b49121eef4cfba
Instruction Fuzzy Hash: E29174B1E00215ABDF20CF95CC44FAEBBB8EF45714F108559F605AB281D770A945EFA0

Function 00EF1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00EF125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00EF1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00EF12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00EF12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00EF135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00EF13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00EF1430

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 191e65ee9519cd9f5da0b2ed439019436b588a2fc0b81eacdfee9c2bb691be0a
Instruction ID: 3d964d8fd176ce35efbc991c48e50dd2da6cd175567daaed1c71b6ed5a7983f2
Opcode Fuzzy Hash: 191e65ee9519cd9f5da0b2ed439019436b588a2fc0b81eacdfee9c2bb691be0a
Instruction Fuzzy Hash: 68919A71A0020DDFEB009F94C884BBEB7B5EF45324F11A0A9EA50FB2A1D774A941DB90

Function 00E9948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 6436f9be736c21388792100a1dfe505a875ff9c1585e6ef7b1f238f46a781187
Instruction ID: 700f85501ed2a2394ceffa8591d6220cfa401da33f6307a84fe7f1f869de7404
Opcode Fuzzy Hash: 6436f9be736c21388792100a1dfe505a875ff9c1585e6ef7b1f238f46a781187
Instruction Fuzzy Hash: 54913671D40219EFCF10CFA9C884AEEBBB8FF49320F159059E515B7252D374A942DBA0

Function 00F03947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F0396B
CharUpperBuffW.USER32(?,?), ref: 00F03A7A
_wcslen.LIBCMT ref: 00F03A8A
VariantClear.OLEAUT32(?), ref: 00F03C1F

Part of subcall function 00EF0CDF: VariantInit.OLEAUT32(00000000), ref: 00EF0D1F
Part of subcall function 00EF0CDF: VariantCopy.OLEAUT32(?,?), ref: 00EF0D28
Part of subcall function 00EF0CDF: VariantClear.OLEAUT32(?), ref: 00EF0D34

Strings

AUTOIT.ERROR, xrefs: 00F03A80, 00F03A85
Incorrect Parameter format, xrefs: 00F039A6, 00F03BA1

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 762b7942461c60177a60a594dce86270f969ec8c8e977fb880a87fca70b66bc1
Instruction ID: 64e71a677c5c30e15c9fdf363c1c9686ae4c6e61a765e708da0b3ab2a879c700
Opcode Fuzzy Hash: 762b7942461c60177a60a594dce86270f969ec8c8e977fb880a87fca70b66bc1
Instruction Fuzzy Hash: B7917F75A083059FC704EF24C48096AB7E9FF89314F14892DF889A7391DB31EE45EB92

Function 00F04BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00EE000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EDFF41,80070057,?,?,?,00EE035E), ref: 00EE002B
Part of subcall function 00EE000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EDFF41,80070057,?,?), ref: 00EE0046
Part of subcall function 00EE000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EDFF41,80070057,?,?), ref: 00EE0054
Part of subcall function 00EE000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EDFF41,80070057,?), ref: 00EE0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00F04C51
_wcslen.LIBCMT ref: 00F04D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00F04DCF
CoTaskMemFree.OLE32(?), ref: 00F04DDA

Strings

NULL Pointer assignment, xrefs: 00F04E23, 00F04E52

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 77bf604014a67e132c0e98aee73afd4bde33bbe4b29361d294f1badd8566245d
Instruction ID: d1931ef86ff89a9605e22bc825066027405fa28806bdf90282cd3c9fe420bd13
Opcode Fuzzy Hash: 77bf604014a67e132c0e98aee73afd4bde33bbe4b29361d294f1badd8566245d
Instruction Fuzzy Hash: 23912BB1D0021D9FDF14EFA4D891AEDB7B8BF48310F108169E919B7291DB74AA44DF60

Function 00F120FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00F12183
GetMenuItemCount.USER32(00000000), ref: 00F121B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00F121DD
_wcslen.LIBCMT ref: 00F12213
GetMenuItemID.USER32(?,?), ref: 00F1224D
GetSubMenu.USER32(?,?), ref: 00F1225B

Part of subcall function 00EE3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EE3A57
Part of subcall function 00EE3A3D: GetCurrentThreadId.KERNEL32 ref: 00EE3A5E
Part of subcall function 00EE3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00EE25B3), ref: 00EE3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00F122E3

Part of subcall function 00EEE97B: Sleep.KERNEL32 ref: 00EEE9F3

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 5bde41090217093a794f398ddf372f5c39058b79685e212cb5aa16cff85f1304
Instruction ID: 66368d474d5a0fc2b0d514c6178db050842f6b9e3d793fe36e8b62d8af76632c
Opcode Fuzzy Hash: 5bde41090217093a794f398ddf372f5c39058b79685e212cb5aa16cff85f1304
Instruction Fuzzy Hash: DD717D75E00205AFDB54EFA8C845AEEB7F1EF88320F148459E91AFB341D734A9919B90

Function 00F17E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01725490), ref: 00F17F37
IsWindowEnabled.USER32(01725490), ref: 00F17F43
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00F1801E
SendMessageW.USER32(01725490,000000B0,?,?), ref: 00F18051
IsDlgButtonChecked.USER32(?,?), ref: 00F18089
GetWindowLongW.USER32(01725490,000000EC), ref: 00F180AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00F180C3

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 00eef524c8e3e5b40ef6998f3489d9cb09c40825af6b774308009b2e869be96e
Instruction ID: 3750300b6fc0288724d12cbba3b4a7c7bace5deff971ea824ae887dcb2ed3783
Opcode Fuzzy Hash: 00eef524c8e3e5b40ef6998f3489d9cb09c40825af6b774308009b2e869be96e
Instruction Fuzzy Hash: 1071A035A08348AFEB25AF64CC84FEB7BB5FF09350F144059E95957261CB31A886FB90

Function 00EEAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00EEAEF9
GetKeyboardState.USER32(?), ref: 00EEAF0E
SetKeyboardState.USER32(?), ref: 00EEAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00EEAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00EEAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00EEAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00EEB020

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 0bdef07d84e9d22c653bb737e0705d6f150079665b47acb01574384d3019fc1b
Instruction ID: 3e567c1bc97cc8439e0c2fade17d9b3d288509d22aac00e86bb6fd9ee3e53939
Opcode Fuzzy Hash: 0bdef07d84e9d22c653bb737e0705d6f150079665b47acb01574384d3019fc1b
Instruction Fuzzy Hash: 3F51CEA06046D97DFB368336C845BBBBEE95B06308F0C949DE1D9658D2C398A8C8D791

Function 00EEACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00EEAD19
GetKeyboardState.USER32(?), ref: 00EEAD2E
SetKeyboardState.USER32(?), ref: 00EEAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00EEADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00EEADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00EEAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00EEAE38

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 4bbd325c6a7c7b0510e800f04cd783911c819240872a4931c42001ad50346754
Instruction ID: 7dd7c651bf03b37f073eeb2b06b016b8eadc08cb6d4bd79cbc6c85a497cd8ee6
Opcode Fuzzy Hash: 4bbd325c6a7c7b0510e800f04cd783911c819240872a4931c42001ad50346754
Instruction Fuzzy Hash: 4F51E5A05047D93DFB3282268C95BBA7ED95F45308F0C949CE1D9668D2D294FCC8D752

Function 00EB542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00EC3CD6,?,?,?,?,?,?,?,?,00EB5BA3,?,?,00EC3CD6,?,?), ref: 00EB5470
__fassign.LIBCMT ref: 00EB54EB
__fassign.LIBCMT ref: 00EB5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00EC3CD6,00000005,00000000,00000000), ref: 00EB552C
WriteFile.KERNEL32(?,00EC3CD6,00000000,00EB5BA3,00000000,?,?,?,?,?,?,?,?,?,00EB5BA3,?), ref: 00EB554B
WriteFile.KERNEL32(?,?,00000001,00EB5BA3,00000000,?,?,?,?,?,?,?,?,?,00EB5BA3,?), ref: 00EB5584

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: bd5454658b1233d83248606d9de6edb1eed6b88c33a382c1a1d0b38181494aa2
Instruction ID: b46957b36a532399b2873862ac03510d63664c5a226ef0a2bccf05ddd4d25fa4
Opcode Fuzzy Hash: bd5454658b1233d83248606d9de6edb1eed6b88c33a382c1a1d0b38181494aa2
Instruction Fuzzy Hash: 7351B071A00649AFDB20CFA8D845BEEBBF9EF09301F14511AE955F7291D6309A41CF60

Function 00F010B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F0304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00F0307A
Part of subcall function 00F0304E: _wcslen.LIBCMT ref: 00F0309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00F01112
WSAGetLastError.WSOCK32 ref: 00F01121
WSAGetLastError.WSOCK32 ref: 00F011C9
closesocket.WSOCK32(00000000), ref: 00F011F9

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 04e81d630d8cb73423e10cc672c1e70abcd7fbefc78f561599e61cbe6b01e724
Instruction ID: 5c6f1927f355c44ba0663c633d6629892cf4035b8cfe76129cb6cbdac94d6e34
Opcode Fuzzy Hash: 04e81d630d8cb73423e10cc672c1e70abcd7fbefc78f561599e61cbe6b01e724
Instruction Fuzzy Hash: C741C131600208AFDB149F14C884BAABBE9FF45328F158059F919AB2D1C774ED41EBE1

Function 00EECF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00EEDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00EECF22,?), ref: 00EEDDFD

Part of subcall function 00EEDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00EECF22,?), ref: 00EEDE16

lstrcmpiW.KERNEL32(?,?), ref: 00EECF45
MoveFileW.KERNEL32(?,?), ref: 00EECF7F
_wcslen.LIBCMT ref: 00EED005
_wcslen.LIBCMT ref: 00EED01B
SHFileOperationW.SHELL32(?), ref: 00EED061

Strings

\*.*, xrefs: 00EECFF3

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: c727c968159f622fea206d1ab07a63fe050e750448db0f2873f8ade970a519fe
Instruction ID: 8815888be68f83a1db54ed6bbff9f425f2c3624c5649e952691e6c60e9a8a219
Opcode Fuzzy Hash: c727c968159f622fea206d1ab07a63fe050e750448db0f2873f8ade970a519fe
Instruction Fuzzy Hash: 0B41747194525C5FDF12EBA5CD81ADEB7F9AF08380F1410E6E509FB142EA34A689CB50

Function 00F12DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00F12E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00F12E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00F12E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00F12EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00F12EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00F12EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00F12F0B

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: dc4a5beff08b8abfad3d7630e2a1ee3885fc038dc69c83256bee837d1ef8a66f
Instruction ID: 5e0dea8937bb0a7b0042ebed65de18e0b52abc987beb656cdb1eb2211b29005e
Opcode Fuzzy Hash: dc4a5beff08b8abfad3d7630e2a1ee3885fc038dc69c83256bee837d1ef8a66f
Instruction Fuzzy Hash: 3A311731A442589FEB61CF98DC94FA537E1FB4A721F154164FA148F2B1CB71ACA0EB41

Function 00EE7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EE7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EE778F
SysAllocString.OLEAUT32(00000000), ref: 00EE7792
SysAllocString.OLEAUT32(?), ref: 00EE77B0
SysFreeString.OLEAUT32(?), ref: 00EE77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00EE77DE
SysAllocString.OLEAUT32(?), ref: 00EE77EC

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 49f6dc958e367c8a523706758983375a57a3ba13f1a19d85758c878d6d5e25cd
Instruction ID: d836b2c33920e97f5a504dfdc01097fe568e1a2ecc01b16683cf0237dde63383
Opcode Fuzzy Hash: 49f6dc958e367c8a523706758983375a57a3ba13f1a19d85758c878d6d5e25cd
Instruction Fuzzy Hash: 36217C7660821DAFDB10DFA9CC88CFB77ACEB097647058026FA55EB150D6709C8287A0

Function 00EE77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EE7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EE7868
SysAllocString.OLEAUT32(00000000), ref: 00EE786B
SysAllocString.OLEAUT32 ref: 00EE788C
SysFreeString.OLEAUT32 ref: 00EE7895
StringFromGUID2.OLE32(?,?,00000028), ref: 00EE78AF
SysAllocString.OLEAUT32(?), ref: 00EE78BD

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: c51c51fe6dace7f6d135df4523e3854041b80282981e2b634e49bb20cf69abf7
Instruction ID: 5ddd88c80a11ca1a4bb4fb109135781a4b28715a2654c98a70a3f9772d31f0cb
Opcode Fuzzy Hash: c51c51fe6dace7f6d135df4523e3854041b80282981e2b634e49bb20cf69abf7
Instruction Fuzzy Hash: ED21C171608228AFDF149FA9CC88DAA77ECEB183607108025F954DB2A0D670DC41DB68

Function 00EF04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00EF04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00EF052E

Strings

nul, xrefs: 00EF0567

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: f31c1cceaf0d7c5b734dfd6208a8873111d6c6b0e0727c877f3c19476d20db6f
Instruction ID: 2f39b02cffc122c9e5a3b6ccf63b721538e7a6469357305af8d7630ec61f1f45
Opcode Fuzzy Hash: f31c1cceaf0d7c5b734dfd6208a8873111d6c6b0e0727c877f3c19476d20db6f
Instruction Fuzzy Hash: 25215175500309ABDB309F69D844AAA77A4AF44728F204A19E9A1E61E1E7B0D940DF60

Function 00EF05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00EF05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00EF0601

Strings

nul, xrefs: 00EF0639

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: c4ddd567a06aa406222f9f78ce4d241750bd3de4aeaa50786d7b96121b01a2f9
Instruction ID: efc4f995fc8a0a9ea679330f58f8b1087be58973d8e0aa629c4c63323009ef12
Opcode Fuzzy Hash: c4ddd567a06aa406222f9f78ce4d241750bd3de4aeaa50786d7b96121b01a2f9
Instruction Fuzzy Hash: DA21B27560031D9BDB208F68CC04AAA77E4BF85734F214A19FEA1F72E1DBB09860CB50

Function 00F140AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E8600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E8604C
Part of subcall function 00E8600E: GetStockObject.GDI32(00000011), ref: 00E86060
Part of subcall function 00E8600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E8606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00F14112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00F1411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00F1412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00F14139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00F14145

Strings

Msctls_Progress32, xrefs: 00F140E3

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: c3cd5a282a9e6c792d5207571c70a5eae7a8fd436288f01a184b76cd604e9d40
Instruction ID: 6637098fba6ee65e824ae0bdb7326f8bf6df053fb59013e186354b597c1c34af
Opcode Fuzzy Hash: c3cd5a282a9e6c792d5207571c70a5eae7a8fd436288f01a184b76cd604e9d40
Instruction Fuzzy Hash: AC1193B214021D7EEF219E64CC85EE77F5DEF097A8F014110BA18A6050C6729C61ABA4

Function 00EBD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00EBD7A3: _free.LIBCMT ref: 00EBD7CC

_free.LIBCMT ref: 00EBD82D

Part of subcall function 00EB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000), ref: 00EB29DE
Part of subcall function 00EB29C8: GetLastError.KERNEL32(00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000,00000000), ref: 00EB29F0

_free.LIBCMT ref: 00EBD838
_free.LIBCMT ref: 00EBD843
_free.LIBCMT ref: 00EBD897
_free.LIBCMT ref: 00EBD8A2
_free.LIBCMT ref: 00EBD8AD
_free.LIBCMT ref: 00EBD8B8

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
Instruction ID: 7a32fcbbb999df6f05a650a52608f8f570bb0caa892b5f1dfbe1eb129e725550
Opcode Fuzzy Hash: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
Instruction Fuzzy Hash: 46112B71944B14BBDA21BFB0CC47FCB7BDCAF44700F406C2AB29DB6492EA65B50587A0

Function 00EEDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00EEDA74
LoadStringW.USER32(00000000), ref: 00EEDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00EEDA91
LoadStringW.USER32(00000000), ref: 00EEDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00EEDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00EEDAB9

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 8bccd0d792eceaba8108f915135f8733967b18fc5001ad2256ac773f6f9da58b
Instruction ID: ce9f87ad3ac99b363389dcace2f6a19b1cd4142cfd5d002f203b60c2dafd855f
Opcode Fuzzy Hash: 8bccd0d792eceaba8108f915135f8733967b18fc5001ad2256ac773f6f9da58b
Instruction Fuzzy Hash: E30186F654020C7FE710DBA09D89EE7376CE708701F4154A1BB0AF2041E6749E845FB5

Function 00EF096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0171DF58,0171DF58), ref: 00EF097B
EnterCriticalSection.KERNEL32(0171DF38,00000000), ref: 00EF098D
TerminateThread.KERNEL32(00000000,000001F6), ref: 00EF099B
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00EF09A9
CloseHandle.KERNEL32(00000000), ref: 00EF09B8
InterlockedExchange.KERNEL32(0171DF58,000001F6), ref: 00EF09C8
LeaveCriticalSection.KERNEL32(0171DF38), ref: 00EF09CF

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 58ecbb0507a0684a54d84dd9754a1bdfc517f9c0bbbf0de664df09a1d3f4f92f
Instruction ID: 38fc1676f270a8e82173cc2e000771877b98ca9708a5543dcf3c70a5b6b34dd4
Opcode Fuzzy Hash: 58ecbb0507a0684a54d84dd9754a1bdfc517f9c0bbbf0de664df09a1d3f4f92f
Instruction Fuzzy Hash: 8EF03C32482A16BBD7525FA4EE8CBE6BB39FF41702F416025F242A08A1D7B49465DFD0

Function 00E85D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00E85D30
GetWindowRect.USER32(?,?), ref: 00E85D71
ScreenToClient.USER32(?,?), ref: 00E85D99
GetClientRect.USER32(?,?), ref: 00E85ED7
GetWindowRect.USER32(?,?), ref: 00E85EF8

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 94475841274945d782093cae84f05905def6e0da164da193e99996241031b968
Instruction ID: c879f15a3392af9218a9c1a5c8fb1b3b43980ba47fd5def805273ab014f63fb2
Opcode Fuzzy Hash: 94475841274945d782093cae84f05905def6e0da164da193e99996241031b968
Instruction Fuzzy Hash: 6BB18E76A0074ADBDB14DFA8C540BEEB7F1FF54314F14A41AE8A9E7290DB30AA41DB50

Function 00EB01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00EB00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EB00D6
__allrem.LIBCMT ref: 00EB00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EB010B
__allrem.LIBCMT ref: 00EB0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EB0140

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 50967f15ad26d6c6736a095a0dd7975d18b6a7c1aaacc319e06550d5e07abb57
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 1C81D775A017069FE724AF68CC41BAB73E9AF46364F24653EF551FB281E7B0E9008790

Function 00F01D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F03149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,00F0101C,00000000,?,?,00000000), ref: 00F03195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00F01DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00F01DE1
WSAGetLastError.WSOCK32 ref: 00F01DF2
inet_ntoa.WSOCK32(?), ref: 00F01E8C
htons.WSOCK32(?,?,?,?,?), ref: 00F01EDB
_strlen.LIBCMT ref: 00F01F35

Part of subcall function 00EE39E8: _strlen.LIBCMT ref: 00EE39F2

Part of subcall function 00E86D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00E9CF58,?,?,?), ref: 00E86DBA
Part of subcall function 00E86D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00E9CF58,?,?,?), ref: 00E86DED

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: f12b8feaa4d723c83e2d4452cabaad1d10a64c98a70c87145d60f3ab9fd38406
Instruction ID: 7ba6aa33762aca6ba8715ea9af9b1558cb0e1b8cf1360c1973fd541105d12e90
Opcode Fuzzy Hash: f12b8feaa4d723c83e2d4452cabaad1d10a64c98a70c87145d60f3ab9fd38406
Instruction Fuzzy Hash: 5FA1D031604341AFC724EB24C885F2A7BE5BF85328F54994CF45A6B2E2CB31ED45EB91

Function 00EB61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00EA82D9,00EA82D9,?,?,?,00EB644F,00000001,00000001,?), ref: 00EB6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00EB644F,00000001,00000001,?,?,?,?), ref: 00EB62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00EB63D8
__freea.LIBCMT ref: 00EB63E5

Part of subcall function 00EB3820: RtlAllocateHeap.NTDLL(00000000,?,00F51444,?,00E9FDF5,?,?,00E8A976,00000010,00F51440,00E813FC,?,00E813C6,?,00E81129), ref: 00EB3852

__freea.LIBCMT ref: 00EB63EE
__freea.LIBCMT ref: 00EB6413

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: bed2eacf79a0ad9ec912400cac8a9f01a8a7095edde06ff781f06f9c055e14c7
Instruction ID: 9fdf1fd69afbe881fad37e6fd0f52c678d0366f5da249c108384007db3b6c097
Opcode Fuzzy Hash: bed2eacf79a0ad9ec912400cac8a9f01a8a7095edde06ff781f06f9c055e14c7
Instruction Fuzzy Hash: ED51E072A00216ABEB258F64DC81EEF7BE9EB94714F155629FC05F6150EB38DC40C6A0

Function 00F0BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

Part of subcall function 00F0C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F0B6AE,?,?), ref: 00F0C9B5
Part of subcall function 00F0C998: _wcslen.LIBCMT ref: 00F0C9F1
Part of subcall function 00F0C998: _wcslen.LIBCMT ref: 00F0CA68
Part of subcall function 00F0C998: _wcslen.LIBCMT ref: 00F0CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F0BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F0BD25
RegCloseKey.ADVAPI32(00000000), ref: 00F0BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00F0BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00F0BDF3
RegCloseKey.ADVAPI32(?), ref: 00F0BDFF

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: c83012511915f20fddf3fd17d18aff1622cced7dda7e82ce5ccc14e9992a7342
Instruction ID: 7e567f73392c0c4f567bcc427bfd3c79b7d5e1ae557e8473835237d3180b34d6
Opcode Fuzzy Hash: c83012511915f20fddf3fd17d18aff1622cced7dda7e82ce5ccc14e9992a7342
Instruction Fuzzy Hash: 3B81D231608241EFD714EF24C885E2ABBE5FF84318F14895CF4599B2A2DB31ED45EB92

Function 00EDF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00EDF7B9
SysAllocString.OLEAUT32(00000001), ref: 00EDF860
VariantCopy.OLEAUT32(00EDFA64,00000000), ref: 00EDF889
VariantClear.OLEAUT32(00EDFA64), ref: 00EDF8AD
VariantCopy.OLEAUT32(00EDFA64,00000000), ref: 00EDF8B1
VariantClear.OLEAUT32(?), ref: 00EDF8BB

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 3ce3d19d8dc177292c9265ec9767fc60d623961cab601324f8d4614be94f2afa
Instruction ID: c080b1b46962b37a5b87336866fc7f136a04d14779650f36b65d2f2437589e62
Opcode Fuzzy Hash: 3ce3d19d8dc177292c9265ec9767fc60d623961cab601324f8d4614be94f2afa
Instruction Fuzzy Hash: 9151E435940310BACF14EBA5D8A5B69B3E8EF85310B24A467E807FF392DB708C41D796

Function 00EF910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00E87620: _wcslen.LIBCMT ref: 00E87625

Part of subcall function 00E86B57: _wcslen.LIBCMT ref: 00E86B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00EF94E5
_wcslen.LIBCMT ref: 00EF9506
_wcslen.LIBCMT ref: 00EF952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00EF9585

Strings

X, xrefs: 00EF9412

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: c780aa15741897b659135dc59bf660183941180e2aba77bef2eca7345deb16d1
Instruction ID: b73ed2f485fbe950c8914949fc482ffc1f64241f89fa332b2ec875f4626786a3
Opcode Fuzzy Hash: c780aa15741897b659135dc59bf660183941180e2aba77bef2eca7345deb16d1
Instruction Fuzzy Hash: 80E1B1716083018FD714EF24C881B6AB7E4BF85314F14996DF99DAB2A2DB31ED05CB92

Function 00E9920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00E99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E99BB2

BeginPaint.USER32(?,?,?), ref: 00E99241
GetWindowRect.USER32(?,?), ref: 00E992A5
ScreenToClient.USER32(?,?), ref: 00E992C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00E992D3
EndPaint.USER32(?,?,?,?,?), ref: 00E99321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00ED71EA

Part of subcall function 00E99339: BeginPath.GDI32(00000000), ref: 00E99357

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 9568f887494542e5f931ee34c3743f023ad2d2e984e735ce585e74f2eaca28e7
Instruction ID: 8ec13cfd721991a1eb9745f8267360aa3fa3e720ecd77426543385ecd4b06a0f
Opcode Fuzzy Hash: 9568f887494542e5f931ee34c3743f023ad2d2e984e735ce585e74f2eaca28e7
Instruction Fuzzy Hash: 8D41B370105304AFDB11DF28DC84FAA7BE8FB46725F04022DFA95A72E2D731A845EB61

Function 00EF07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00EF080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00EF0847
EnterCriticalSection.KERNEL32(?), ref: 00EF0863
LeaveCriticalSection.KERNEL32(?), ref: 00EF08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00EF08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00EF0921

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: d0f8476306eebc3f8d107fd45f0f54da254e453cd263cc25d12fecc59775ac3c
Instruction ID: ad7dba8a1b4752da86c37d766ddeaadc9ae7f3e47296a32ff74964eaf80dcdad
Opcode Fuzzy Hash: d0f8476306eebc3f8d107fd45f0f54da254e453cd263cc25d12fecc59775ac3c
Instruction Fuzzy Hash: FE417C71A00209EBDF14AF54DC85AAA77B8FF45310F1480A9ED00EE297DB30DE65DBA0

Function 00F181DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00EDF3AB,00000000,?,?,00000000,?,00ED682C,00000004,00000000,00000000), ref: 00F1824C
EnableWindow.USER32(00000000,00000000), ref: 00F18272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00F182D1
ShowWindow.USER32(00000000,00000004), ref: 00F182E5
EnableWindow.USER32(00000000,00000001), ref: 00F1830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00F1832F

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 667545e83484202c39769d998f7132439ec5bb93ea080226176c568c58467494
Instruction ID: 4627757fea16b24074b0331d6eb28b390de1701c9b96fada016853140744ccc8
Opcode Fuzzy Hash: 667545e83484202c39769d998f7132439ec5bb93ea080226176c568c58467494
Instruction Fuzzy Hash: C041C834A01644AFDB12CF15CD95BE47BE0FB06765F184169E6184F2B2CB71AC82EF50

Function 00EE4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00EE4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00EE4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00EE4CEA
_wcslen.LIBCMT ref: 00EE4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00EE4D10
_wcsstr.LIBVCRUNTIME ref: 00EE4D1A

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 7a1c74d51c60287a97eaaf3498154107ea4ab1c30a66d9ee36b2aea360c987d4
Instruction ID: 24673a70853e46d25d8132b28bb5cc8d3acb43658b9461f36d08b281c5622868
Opcode Fuzzy Hash: 7a1c74d51c60287a97eaaf3498154107ea4ab1c30a66d9ee36b2aea360c987d4
Instruction Fuzzy Hash: 362129B12042487BEB155B3ADC09E7B7BDCDF49750F119029F809EA1D1DA61DC0096A1

Function 00EF581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E83AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E83A97,?,?,00E82E7F,?,?,?,00000000), ref: 00E83AC2

_wcslen.LIBCMT ref: 00EF587B
CoInitialize.OLE32(00000000), ref: 00EF5995
CoCreateInstance.OLE32(00F1FCF8,00000000,00000001,00F1FB68,?), ref: 00EF59AE
CoUninitialize.OLE32 ref: 00EF59CC

Strings

.lnk, xrefs: 00EF5876, 00EF58C1, 00EF5985

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 4b3a4fa1ffa8b37b53d2837d766ec8efbc10fdfaff6ecd55dea8c10ab54c59b6
Instruction ID: fb106ccaae3eb3638e756f948009bd7b5923d6fbd8f2d3bf4c8df1317f7e074b
Opcode Fuzzy Hash: 4b3a4fa1ffa8b37b53d2837d766ec8efbc10fdfaff6ecd55dea8c10ab54c59b6
Instruction Fuzzy Hash: 9DD185726087059FC708EF24C48092ABBE1FF99714F14985DFA99AB361C731ED45CB92

Function 00EE175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00EE0FCA
Part of subcall function 00EE0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00EE0FD6
Part of subcall function 00EE0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00EE0FE5
Part of subcall function 00EE0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00EE0FEC
Part of subcall function 00EE0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00EE1002

GetLengthSid.ADVAPI32(?,00000000,00EE1335), ref: 00EE17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00EE17BA
HeapAlloc.KERNEL32(00000000), ref: 00EE17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00EE17DA
GetProcessHeap.KERNEL32(00000000,00000000,00EE1335), ref: 00EE17EE
HeapFree.KERNEL32(00000000), ref: 00EE17F5

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 70f18d428d4046a4d6620b47cd5df24fa3bd00edb114ce9bc885801a3ffcc87b
Instruction ID: 47387bb91f0461e9053fce4c0abc839439ab6ea77931b08e285d242f44eea03e
Opcode Fuzzy Hash: 70f18d428d4046a4d6620b47cd5df24fa3bd00edb114ce9bc885801a3ffcc87b
Instruction Fuzzy Hash: D011EE31684208FFDB108FA6CC48BEE7BB8EB46719F108059F481B7211C731A980DBA0

Function 00EE14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00EE14FF
OpenProcessToken.ADVAPI32(00000000), ref: 00EE1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00EE1515
CloseHandle.KERNEL32(00000004), ref: 00EE1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00EE154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00EE1563

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: bb59a34c3a7ca66a512b5af7c1c39e17133e9b02ab966e6aae218b8e202071d3
Instruction ID: 78c76998d2b875b93ef382d010957e0a18e1c3096200226e1a8fc107be5a8309
Opcode Fuzzy Hash: bb59a34c3a7ca66a512b5af7c1c39e17133e9b02ab966e6aae218b8e202071d3
Instruction Fuzzy Hash: 9611597250024DABDF118F98DD49BDE7BA9EF48748F058054FA15A21A0C3718EA4EBA0

Function 00EA3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00EA3379,00EA2FE5), ref: 00EA3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00EA339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00EA33B7
SetLastError.KERNEL32(00000000,?,00EA3379,00EA2FE5), ref: 00EA3409

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 1aa4a47ba1824b756c9facabed4e1b108abaef539eb44c001d9a47f55afc0a1c
Instruction ID: 923437a0e9d8bd8ec36708c21a284f14e19a1935b586443ba7a42e81c8014b0a
Opcode Fuzzy Hash: 1aa4a47ba1824b756c9facabed4e1b108abaef539eb44c001d9a47f55afc0a1c
Instruction Fuzzy Hash: 3D01243660E315BEAA6427787C855A73ED4EB6F3797203229F830EC1F0EF156E096184

Function 00EB2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00EB5686,00EC3CD6,?,00000000,?,00EB5B6A,?,?,?,?,?,00EAE6D1,?,00F48A48), ref: 00EB2D78
_free.LIBCMT ref: 00EB2DAB
_free.LIBCMT ref: 00EB2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00EAE6D1,?,00F48A48,00000010,00E84F4A,?,?,00000000,00EC3CD6), ref: 00EB2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00EAE6D1,?,00F48A48,00000010,00E84F4A,?,?,00000000,00EC3CD6), ref: 00EB2DEC
_abort.LIBCMT ref: 00EB2DF2

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 0971efc5ef6369c10bfe5d03aa2eedb8562487e3b93ec3a6b5f878f6f980ab46
Instruction ID: c8533c8e697b9229720e3f33a4bde25289a192f4200a6505e7bf69d6860af726
Opcode Fuzzy Hash: 0971efc5ef6369c10bfe5d03aa2eedb8562487e3b93ec3a6b5f878f6f980ab46
Instruction Fuzzy Hash: 0EF0FC3554560037C6123739BC0AEDF3599AFC67A5F25651CFF38F21E6EF24880161A1

Function 00F18A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00E99639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E99693
Part of subcall function 00E99639: SelectObject.GDI32(?,00000000), ref: 00E996A2
Part of subcall function 00E99639: BeginPath.GDI32(?), ref: 00E996B9
Part of subcall function 00E99639: SelectObject.GDI32(?,00000000), ref: 00E996E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00F18A4E
LineTo.GDI32(?,00000003,00000000), ref: 00F18A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00F18A70
LineTo.GDI32(?,00000000,00000003), ref: 00F18A80
EndPath.GDI32(?), ref: 00F18A90
StrokePath.GDI32(?), ref: 00F18AA0

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 23f7b067612c63bd4b66027f931baa228795f42e4ba5935b2c05a3b1c1e1c8dd
Instruction ID: 600ec098f6955ba4e1dc6c336672199af179e6af4b112aad06073b0a4279f996
Opcode Fuzzy Hash: 23f7b067612c63bd4b66027f931baa228795f42e4ba5935b2c05a3b1c1e1c8dd
Instruction Fuzzy Hash: 2211F77644010CFFDB129F94DC88EEA7FACEF08390F01C012BA199A1A1C771AD55EBA0

Function 00EE51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00EE5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00EE5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EE5230
ReleaseDC.USER32(00000000,00000000), ref: 00EE5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00EE524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00EE5261

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 16c27a0f95eb3f079fa4130189c9180d7174fcb986c949794ce8857069757de1
Instruction ID: 8b8780207aaf863f34fc4ee360cf32123c6dd98b6ab07699ac36dd2272df9349
Opcode Fuzzy Hash: 16c27a0f95eb3f079fa4130189c9180d7174fcb986c949794ce8857069757de1
Instruction Fuzzy Hash: 9D014875A40718BBEB105BA69C45A5E7F78EB48751F044065FA09A7291D6709900DB90

Function 00E81BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E81BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00E81BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E81C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E81C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00E81C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E81C22

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 3eb8cdeeeeb9c2c672a36e3d1b69955c8f1113fe1a4591f44bc753547443b83f
Instruction ID: 1e6ba7abab5e3c87e841b3f34cc0bb31c7612f4dfbd31d1daafcdcc4f78c88c1
Opcode Fuzzy Hash: 3eb8cdeeeeb9c2c672a36e3d1b69955c8f1113fe1a4591f44bc753547443b83f
Instruction Fuzzy Hash: 0D0167B0942B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 00EEEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00EEEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00EEEB46
GetWindowThreadProcessId.USER32(?,?), ref: 00EEEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EEEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EEEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EEEB75

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 15e0a8599ef7323807f891a77cf5e3e3d2ee71ce1026d59e65a86475813c8d97
Instruction ID: f3b509680d1b01257f125b0298fcf710f0093acdacc4b60c7ab2520f5e62a043
Opcode Fuzzy Hash: 15e0a8599ef7323807f891a77cf5e3e3d2ee71ce1026d59e65a86475813c8d97
Instruction Fuzzy Hash: 97F0307258015CBBE72157529C0DEEF3A7CEFCAB11F018158F611E1191D7A05A01E6F5

Function 00ED7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00ED7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00ED7469
GetWindowDC.USER32(?), ref: 00ED7475
GetPixel.GDI32(00000000,?,?), ref: 00ED7484
ReleaseDC.USER32(?,00000000), ref: 00ED7496
GetSysColor.USER32(00000005), ref: 00ED74B0

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 5567e17bb1cce8dd464424552cec6b0a06250203a84398cf94899039197ad443
Instruction ID: 35af826e6bb588a1132f5c21c673b3d9b8c3a59e666922af9d9b034f755bab3a
Opcode Fuzzy Hash: 5567e17bb1cce8dd464424552cec6b0a06250203a84398cf94899039197ad443
Instruction Fuzzy Hash: 1A018B31440219EFDB515F64DC08BEA7BB6FB04311F568064F929A21A1CB311E42EB90

Function 00EE1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00EE187F
UnloadUserProfile.USERENV(?,?), ref: 00EE188B
CloseHandle.KERNEL32(?), ref: 00EE1894
CloseHandle.KERNEL32(?), ref: 00EE189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00EE18A5
HeapFree.KERNEL32(00000000), ref: 00EE18AC

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 622a03c4a0979d3e63830ef0e131f1f3b7808ad5a0bd126336a2da741213bd68
Instruction ID: 4ee0289d42603902a28a0e662f0f99c081448674beb7fe88841e4dcdb7e97fd4
Opcode Fuzzy Hash: 622a03c4a0979d3e63830ef0e131f1f3b7808ad5a0bd126336a2da741213bd68
Instruction Fuzzy Hash: 99E0ED36484219BBEB015FA2ED0C985BF39FF49721B11C220F22591071CB725420EF90

Function 00F07B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00EA0242: EnterCriticalSection.KERNEL32(00F5070C,00F51884,?,?,00E9198B,00F52518,?,?,?,00E812F9,00000000), ref: 00EA024D
Part of subcall function 00EA0242: LeaveCriticalSection.KERNEL32(00F5070C,?,00E9198B,00F52518,?,?,?,00E812F9,00000000), ref: 00EA028A

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

Part of subcall function 00EA00A3: __onexit.LIBCMT ref: 00EA00A9

__Init_thread_footer.LIBCMT ref: 00F07BFB

Part of subcall function 00EA01F8: EnterCriticalSection.KERNEL32(00F5070C,?,?,00E98747,00F52514), ref: 00EA0202
Part of subcall function 00EA01F8: LeaveCriticalSection.KERNEL32(00F5070C,?,00E98747,00F52514), ref: 00EA0235

Strings

G, xrefs: 00F07C7F
+T, xrefs: 00F07E2E
Variable must be of type 'Object'., xrefs: 00F07C3A
5, xrefs: 00F07C78

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T$5$G$Variable must be of type 'Object'.
API String ID: 535116098-4125810065
Opcode ID: c5814488c26fe9098d9a00b18dc7cb4df3f231cd30613cba6200f3ae0bbb04c6
Instruction ID: 034009552a71217a611b66c53dfed843769c96c0fe3c59e655392b9e692144a4
Opcode Fuzzy Hash: c5814488c26fe9098d9a00b18dc7cb4df3f231cd30613cba6200f3ae0bbb04c6
Instruction Fuzzy Hash: 0A919A70E05309EFCB14EF54D8909BEB7B1BF49314F148099F80AAB292DB71AE41EB51

Function 00EEC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E87620: _wcslen.LIBCMT ref: 00E87625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00EEC6EE
_wcslen.LIBCMT ref: 00EEC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00EEC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00EEC7CA

Strings

0, xrefs: 00EEC6AF

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 604ee1a2efe5ecd7cd29bc8e438d2ebb0c16f43df8a489b65e9d677884e23562
Instruction ID: 63f7a8790b2a0a2dedb3ab95816a47ec15a7826559ea5d32cc18f06bd8f8a8df
Opcode Fuzzy Hash: 604ee1a2efe5ecd7cd29bc8e438d2ebb0c16f43df8a489b65e9d677884e23562
Instruction Fuzzy Hash: 7E5124716043899BD7149F3AC844BAB77E4AF89318F242A2EF995F3190DB70DC06DB52

Function 00F0AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00F0AEA3

Part of subcall function 00E87620: _wcslen.LIBCMT ref: 00E87625

GetProcessId.KERNEL32(00000000), ref: 00F0AF38
CloseHandle.KERNEL32(00000000), ref: 00F0AF67

Strings

<, xrefs: 00F0AE6B
@, xrefs: 00F0AE72

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: fe000d1ea6ef4f9615445307fe9699b3100c9b7d81e43c9c7da77483dd0aa17d
Instruction ID: 8af8e321ac33e0517447991d999376d4e8ad9d468774e573f4ed04e0392a6c81
Opcode Fuzzy Hash: fe000d1ea6ef4f9615445307fe9699b3100c9b7d81e43c9c7da77483dd0aa17d
Instruction Fuzzy Hash: EE718C71A00619DFCB14EF54C484A9EBBF1FF08314F148499E85AAB392C774ED45DB91

Function 00EE719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00EE7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00EE723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00EE724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00EE72CF

Strings

DllGetClassObject, xrefs: 00EE7242

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 059d53fe902ec82ce3a08af626d2f10030c7bd1c9ebd44aba171a913a5d58aa0
Instruction ID: 831a2496d5cb72df5220f319185b0d0092803942dd7ff616dcf58ae6def8cbdf
Opcode Fuzzy Hash: 059d53fe902ec82ce3a08af626d2f10030c7bd1c9ebd44aba171a913a5d58aa0
Instruction Fuzzy Hash: 0241DFB1A04209EFDB15CF55C884A9A7BB9EF48314F1090A9BE45AF21AD7B0DD40DBA0

Function 00F13D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F13E35
IsMenu.USER32(?), ref: 00F13E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F13E92
DrawMenuBar.USER32 ref: 00F13EA5

Strings

0, xrefs: 00F13D89

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 16da9cd1b0bf380f177fff2130008652157eff7b284f1c0dcc8be2ebbd5f3c4b
Instruction ID: 1a355d4171bce9c8e14b1ea5f7cd890946961b8b78b93bcd6e8c2d6e32a8e3d2
Opcode Fuzzy Hash: 16da9cd1b0bf380f177fff2130008652157eff7b284f1c0dcc8be2ebbd5f3c4b
Instruction Fuzzy Hash: A3413A75A01309EFDB10DF54D884AEABBB9FF49364F044129E915A7290D730AE89EF90

Function 00EE1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

Part of subcall function 00EE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EE3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00EE1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00EE1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00EE1EA9

Part of subcall function 00E86B57: _wcslen.LIBCMT ref: 00E86B6A

Strings

ComboBox, xrefs: 00EE1DF0
ListBox, xrefs: 00EE1E25

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: e06dbbdbb0b9d4afb5ce7f1815d3c88a2bbfdb2bfb789b4dcafa7df329a145d6
Instruction ID: 9ee2f3c8e44727e31558c8ab0df9eefb7eb13f0918d1b5fc19083004d2f359ca
Opcode Fuzzy Hash: e06dbbdbb0b9d4afb5ce7f1815d3c88a2bbfdb2bfb789b4dcafa7df329a145d6
Instruction Fuzzy Hash: 23212371A00148AFDB18ABB1CC49CFFB7B8DF41364B146119F829B31E1DB3949499760

Function 00F0C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F0C9F1
_wcslen.LIBCMT ref: 00F0CA68
_wcslen.LIBCMT ref: 00F0CA9E
_wcslen.LIBCMT ref: 00F0CAF9
_wcslen.LIBCMT ref: 00F0CB2F
_wcslen.LIBCMT ref: 00F0CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 00F0CA62, 00F0CA67
HKLM, xrefs: 00F0CA98, 00F0CA9D

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 3498a4bfa6dcb01c88f7dc90dd4be4af5f8f82a08ebb760a5c79ef59165fffcb
Instruction ID: bdde58fde7c130fed8b7110e4b52a8a5ae25ce300459ad5da2142a99c5cc17f7
Opcode Fuzzy Hash: 3498a4bfa6dcb01c88f7dc90dd4be4af5f8f82a08ebb760a5c79ef59165fffcb
Instruction Fuzzy Hash: 2B31E673F0016E4BCB20EF6C98601BF37929BA2760B154229EC55AB2C5E679DD44B3E0

Function 00F12F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00F12F8D
LoadLibraryW.KERNEL32(?), ref: 00F12F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00F12FA9
DestroyWindow.USER32(?), ref: 00F12FB1

Strings

SysAnimate32, xrefs: 00F12F68

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 0a2155e9ea70584f7c6dc57a5e9a3d0dc09b4ba5cc913a776e624a5257713840
Instruction ID: b5d90947942effeabf09bbb6e382e48c13dcad7a5eff4be2b90007a770e2725a
Opcode Fuzzy Hash: 0a2155e9ea70584f7c6dc57a5e9a3d0dc09b4ba5cc913a776e624a5257713840
Instruction Fuzzy Hash: 83219D71600209ABEB604FA4EC84EFB37B9EB59374F104218F954D6190D771DCA2A760

Function 00EA4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00EA4D1E,00EB28E9,(,00EA4CBE,00000000,00F488B8,0000000C,00EA4E15,(,00000002), ref: 00EA4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00EA4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00EA4D1E,00EB28E9,(,00EA4CBE,00000000,00F488B8,0000000C,00EA4E15,(,00000002,00000000), ref: 00EA4DC3

Strings

CorExitProcess, xrefs: 00EA4D98
mscoree.dll, xrefs: 00EA4D86

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 65a3fce03ac37acebeb663e4875f0e400b6437aed71e3c3c684ef59bffe8f92d
Instruction ID: 9cdfe011f4d1aa24f56fbb0ede029d5ed54e0f7d834f0c96d2ba6750943daafa
Opcode Fuzzy Hash: 65a3fce03ac37acebeb663e4875f0e400b6437aed71e3c3c684ef59bffe8f92d
Instruction Fuzzy Hash: 43F0AF35A8021CBBDB109F94DC49BEDBFB4EF48716F0140A4F805B62A0CF70A940EAD1

Function 00E84E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E84EDD,?,00F51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E84E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E84EAE
FreeLibrary.KERNEL32(00000000,?,?,00E84EDD,?,00F51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E84EC0

Strings

kernel32.dll, xrefs: 00E84E94
Wow64DisableWow64FsRedirection, xrefs: 00E84EA8

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: aff9ee1e73ab682bebcf85669da8a745c6ffb57eabb2194c4ec4240e0e5c7269
Instruction ID: efe9d7358faeb83c732d6adadc7b0c458d4e5a86a9d4c495aa677ab673594d0b
Opcode Fuzzy Hash: aff9ee1e73ab682bebcf85669da8a745c6ffb57eabb2194c4ec4240e0e5c7269
Instruction Fuzzy Hash: 54E0CD35A815236BD2312B256C18F9F7654EFC1F667064115FC0CF7140DB60CD0161E1

Function 00E84E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00EC3CDE,?,00F51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E84E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E84E74
FreeLibrary.KERNEL32(00000000,?,?,00EC3CDE,?,00F51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E84E87

Strings

kernel32.dll, xrefs: 00E84E5B
Wow64RevertWow64FsRedirection, xrefs: 00E84E6E

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: c7eb216b503a56da958508bdf8a42650ec6a3ae13c2a7336d9f8e8a274ce9e58
Instruction ID: dd9804ecedeb1488a72a069fe29d2466dd3dac5535daafa36b132f224bf33a76
Opcode Fuzzy Hash: c7eb216b503a56da958508bdf8a42650ec6a3ae13c2a7336d9f8e8a274ce9e58
Instruction Fuzzy Hash: 61D012355826236757222B256C18DCB7A18EF85B593064515BD0DF6154CF60CD01A6D1

Function 00F0A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00F0A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00F0A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00F0A468
CloseHandle.KERNEL32(?), ref: 00F0A63D

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 9d983eaca9336a759b27cfe7d6af59feeb3bce5245416c8456d73c8e86afb83b
Instruction ID: df3013ff38fddf7f1afcbcb17908627114dfa40056f238de71e18bea07985dd6
Opcode Fuzzy Hash: 9d983eaca9336a759b27cfe7d6af59feeb3bce5245416c8456d73c8e86afb83b
Instruction Fuzzy Hash: 68A1B3716043009FE720DF24D886F2AB7E5AF84714F14985CF56A9B2D2D771EC41DB92

Function 00EEE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00EEDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00EECF22,?), ref: 00EEDDFD

Part of subcall function 00EEDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00EECF22,?), ref: 00EEDE16

Part of subcall function 00EEE199: GetFileAttributesW.KERNEL32(?,00EECF95), ref: 00EEE19A

lstrcmpiW.KERNEL32(?,?), ref: 00EEE473
MoveFileW.KERNEL32(?,?), ref: 00EEE4AC
_wcslen.LIBCMT ref: 00EEE5EB
_wcslen.LIBCMT ref: 00EEE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00EEE650

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 9b2906bc237f50b5c5b0576b99c59973038253efa6ff3948c24118aec3ccbd26
Instruction ID: 9cda126c0ea8f05d36d7bbfdf768423ac1d997f4b4104784d892463a3353fe9a
Opcode Fuzzy Hash: 9b2906bc237f50b5c5b0576b99c59973038253efa6ff3948c24118aec3ccbd26
Instruction Fuzzy Hash: 3A5175B24083895BC724EB90DC819DFB3ECAF85344F00591EF599E3291EF75A5888766

Function 00F0B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

Part of subcall function 00F0C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F0B6AE,?,?), ref: 00F0C9B5
Part of subcall function 00F0C998: _wcslen.LIBCMT ref: 00F0C9F1
Part of subcall function 00F0C998: _wcslen.LIBCMT ref: 00F0CA68
Part of subcall function 00F0C998: _wcslen.LIBCMT ref: 00F0CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F0BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F0BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00F0BB63
RegCloseKey.ADVAPI32(?,?), ref: 00F0BBA6
RegCloseKey.ADVAPI32(00000000), ref: 00F0BBB3

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: af423f2e021ec2edc595e71b8714672d93714bdec2d2ee1275b015ea401627cc
Instruction ID: 463c21bbbf535aa35fa9ed6d98bf28078e292cddab302b610317aa72d15df074
Opcode Fuzzy Hash: af423f2e021ec2edc595e71b8714672d93714bdec2d2ee1275b015ea401627cc
Instruction Fuzzy Hash: 5C61E271608201EFD314EF14C890E2ABBE5FF84318F14855CF4998B2A2DB35ED45EB92

Function 00EE8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EE8BCD
VariantClear.OLEAUT32 ref: 00EE8C3E
VariantClear.OLEAUT32 ref: 00EE8C9D
VariantClear.OLEAUT32(?), ref: 00EE8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00EE8D3B

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 548fce355257c28930d04a995d45dd92d1993021bfec6bb109b30689cbe66111
Instruction ID: 9ca722943a4166f2ae6bc8fedc0cf23cb47430d612fb755884fae47307a5886a
Opcode Fuzzy Hash: 548fce355257c28930d04a995d45dd92d1993021bfec6bb109b30689cbe66111
Instruction Fuzzy Hash: 6B5197B5A00219EFCB10CF29C884AAAB7F9FF89314B118559E909EB354E730E911CF90

Function 00EF8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00EF8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00EF8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00EF8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00EF8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00EF8C5F

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 6bedc43e21f696dda0c8e98b7d8fe28c62a357805ece5629ef3edb895dfca9e2
Instruction ID: 084239e5d3c688924b1ebd861f38992397db59c6b1a4eb9940632f8127a1c6dc
Opcode Fuzzy Hash: 6bedc43e21f696dda0c8e98b7d8fe28c62a357805ece5629ef3edb895dfca9e2
Instruction Fuzzy Hash: 0C515A35A002199FCB04EF64C880AADBBF5FF49314F189458E94DAB362CB31ED41CBA1

Function 00F08EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00F08F40
GetProcAddress.KERNEL32(00000000,?), ref: 00F08FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00F08FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00F09032
FreeLibrary.KERNEL32(00000000), ref: 00F09052

Part of subcall function 00E9F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00EF1043,?,753CE610), ref: 00E9F6E6
Part of subcall function 00E9F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00EDFA64,00000000,00000000,?,?,00EF1043,?,753CE610,?,00EDFA64), ref: 00E9F70D

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 59b31e521e79ca1029f86125c9d8741cb2ffa86f431b85b41cdf99bbea71f1bc
Instruction ID: b7f48e721fa331a2c2ddb0c451969f5e5df911610875152659f56f8c339564df
Opcode Fuzzy Hash: 59b31e521e79ca1029f86125c9d8741cb2ffa86f431b85b41cdf99bbea71f1bc
Instruction Fuzzy Hash: C9515F35A04205DFC715EF64C4848ADBBF1FF49324B058099E849AB3A2DB31ED86EB90

Function 00F16B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00F16C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00F16C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00F16C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00EFAB79,00000000,00000000), ref: 00F16C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00F16CC7

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 74469a50f10fea136281166bc5a863d6abfd66e07b101f610720f2a83e71dd60
Instruction ID: 9f096118a8421a3b3eb30ef96e542169c86ef72509371d25122c3d21e0033432
Opcode Fuzzy Hash: 74469a50f10fea136281166bc5a863d6abfd66e07b101f610720f2a83e71dd60
Instruction Fuzzy Hash: 0141D435A04104AFD724CF28CC58FE97BA5EB09361F154268F999E73E0C371AD81EAC0

Function 00EB2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00EB20C3
_free.LIBCMT ref: 00EB20E3

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 8fbc1c1f7d444ff95e2e7a2be8ed6a790a057c817acc5fdad4aa980010c97870
Instruction ID: 7c4a852abbb0134f964d55b63c97aaa6e9ca47e3b82afb7c62f99d44f3df88c2
Opcode Fuzzy Hash: 8fbc1c1f7d444ff95e2e7a2be8ed6a790a057c817acc5fdad4aa980010c97870
Instruction Fuzzy Hash: F241E272A00204AFCB24DF78C880A9EB7E5EF89714F1555ACEA15FB391DB31AD01DB80

Function 00E9912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00E99141
ScreenToClient.USER32(00000000,?), ref: 00E9915E
GetAsyncKeyState.USER32(00000001), ref: 00E99183
GetAsyncKeyState.USER32(00000002), ref: 00E9919D

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 97bacb000af2e337ae363535999cfdc4b9db9af8f6102a034788e85b2b935238
Instruction ID: 00f7ba8c5d7dda81092c848cb6c8d76afd14e59f85e1c45fe9a1b87ac184b48b
Opcode Fuzzy Hash: 97bacb000af2e337ae363535999cfdc4b9db9af8f6102a034788e85b2b935238
Instruction Fuzzy Hash: 9D419F31A0821AFBDF099F68C844BEEB774FB05324F21931AE469B32D1D7346990DB91

Function 00EF3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00EF38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00EF3922
TranslateMessage.USER32(?), ref: 00EF394B
DispatchMessageW.USER32(?), ref: 00EF3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EF3966

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 454a7f48fd1d22b4d45c53fc95908d4d0542a2fe7fdb81ccff2285f518ecd62e
Instruction ID: fc121fec41e9483548b9098fa5e903587147e86e8563ed1e1bd006855c93abaa
Opcode Fuzzy Hash: 454a7f48fd1d22b4d45c53fc95908d4d0542a2fe7fdb81ccff2285f518ecd62e
Instruction Fuzzy Hash: B631097050438E9EEB35CB34D808BB637E8AB41349F04156DE762E21E4E3F4AA85DB11

Function 00EFCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00EFC21E,00000000), ref: 00EFCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00EFCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00EFC21E,00000000), ref: 00EFCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00EFC21E,00000000), ref: 00EFCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00EFC21E,00000000), ref: 00EFCFF2

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 88f79e62ead626e26f19012c9c79294c8cab937d6b746a60856d340299d787a8
Instruction ID: e13ae8644e4f9f499dbe2b43a3efdbc703c67ad76bfd44745dfaad6464670ed5
Opcode Fuzzy Hash: 88f79e62ead626e26f19012c9c79294c8cab937d6b746a60856d340299d787a8
Instruction Fuzzy Hash: F431417260420DAFDB20DFA5C984ABBBBF9EB14354B30942EF616E2150D730AD40DBA0

Function 00EE1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00EE1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00EE19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00EE19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00EE19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00EE19E2

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: ef946c687abf766c6ad6dae79ee1efd0e2074da1061c53576325ee1cc213e06c
Instruction ID: 9c43fde59a2d1a65aaa38837d0a48be400fb88dde8fe3f08a5ce5783675b09e3
Opcode Fuzzy Hash: ef946c687abf766c6ad6dae79ee1efd0e2074da1061c53576325ee1cc213e06c
Instruction Fuzzy Hash: 2431D47190025DEFCB00CFA9CD99ADE3BB5EB44315F109265F925A72D2C7709D84DB90

Function 00F15706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00F15745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00F1579D
_wcslen.LIBCMT ref: 00F157AF
_wcslen.LIBCMT ref: 00F157BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00F15816

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: b25b49115b129b8b6c1c7445430f6eb8aa7a4a9778325ccb69f3e46950f728a6
Instruction ID: 5cb43cf0bbcb6e828851a836cffa00459fba9c923b5b748c77ee169b94a5ea4d
Opcode Fuzzy Hash: b25b49115b129b8b6c1c7445430f6eb8aa7a4a9778325ccb69f3e46950f728a6
Instruction Fuzzy Hash: EF218F71D04618DADB209FA0CC85AEEB7B8FF84B35F108216E929AA1C0D77099C5DF50

Function 00F00930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00F00951
GetForegroundWindow.USER32 ref: 00F00968
GetDC.USER32(00000000), ref: 00F009A4
GetPixel.GDI32(00000000,?,00000003), ref: 00F009B0
ReleaseDC.USER32(00000000,00000003), ref: 00F009E8

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: eb0996aa485d9b4689e7ff59a0e25023a31cbf0996058aafc1724b90a7967dd6
Instruction ID: f4a00f352d517134909fc253ed72e82f5a0927ff484a3cdc6f0d386e59e5b6d7
Opcode Fuzzy Hash: eb0996aa485d9b4689e7ff59a0e25023a31cbf0996058aafc1724b90a7967dd6
Instruction Fuzzy Hash: 7A218175600208AFD704EF65D884AAEBBE9EF45700F058069F94AA7362CB70AC04DB90

Function 00EBCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00EBCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00EBCDE9

Part of subcall function 00EB3820: RtlAllocateHeap.NTDLL(00000000,?,00F51444,?,00E9FDF5,?,?,00E8A976,00000010,00F51440,00E813FC,?,00E813C6,?,00E81129), ref: 00EB3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00EBCE0F
_free.LIBCMT ref: 00EBCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00EBCE31

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: c4f53a230355e16dfb2023c0aaad0bd8e6ff2e552f7f6566d5178d5e4399bc5e
Instruction ID: ef6518c3d0982f4c5c83d73f18076ec079eb16f854396b8acf1995ae3f05f6ca
Opcode Fuzzy Hash: c4f53a230355e16dfb2023c0aaad0bd8e6ff2e552f7f6566d5178d5e4399bc5e
Instruction Fuzzy Hash: FC01F772605215BF23211AB66C8CCFB7A6DDEC6BA53255129FD05FB200EA60CD0191F1

Function 00E99639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E99693
SelectObject.GDI32(?,00000000), ref: 00E996A2
BeginPath.GDI32(?), ref: 00E996B9
SelectObject.GDI32(?,00000000), ref: 00E996E2

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 4c4ecab73376f05def7788b1a6323f9e7679ea52a2bfde24589aaa00f8911894
Instruction ID: f057d1776caa9f2667bf977e3fa3cb19ad994d6e6e00111764095a0ef046a451
Opcode Fuzzy Hash: 4c4ecab73376f05def7788b1a6323f9e7679ea52a2bfde24589aaa00f8911894
Instruction Fuzzy Hash: 4A215070802309EBDF119F68EC187ED3BA9BB5135AF10421AF611B61B2D3706895EB94

Function 00EE5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00EE5726
_memcmp.LIBVCRUNTIME ref: 00EE5744
_memcmp.LIBVCRUNTIME ref: 00EE5757
_memcmp.LIBVCRUNTIME ref: 00EE576F
_memcmp.LIBVCRUNTIME ref: 00EE5787

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: d615334d32ee67e86b7fae1f2dcf59bf280268751d56a07e78891ef08442a522
Instruction ID: 1c77cfc27181406fd841567090c8039f86008b8d3f0d62947751726034e7140c
Opcode Fuzzy Hash: d615334d32ee67e86b7fae1f2dcf59bf280268751d56a07e78891ef08442a522
Instruction Fuzzy Hash: 0601D2A364160DFAD60896129D92EFB739C9B6539CF001022FD04BE241F660FD7892E1

Function 00EB2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00EAF2DE,00EB3863,00F51444,?,00E9FDF5,?,?,00E8A976,00000010,00F51440,00E813FC,?,00E813C6), ref: 00EB2DFD
_free.LIBCMT ref: 00EB2E32
_free.LIBCMT ref: 00EB2E59
SetLastError.KERNEL32(00000000,00E81129), ref: 00EB2E66
SetLastError.KERNEL32(00000000,00E81129), ref: 00EB2E6F

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: d23c7ad032b6bb4fd9ad92d455c74ce38e88553edc21a191d9643c8d4860853b
Instruction ID: 5eb13f38501a17367b748f328ebd335f704c64418b6ddf2a34d0f1986b03bf5c
Opcode Fuzzy Hash: d23c7ad032b6bb4fd9ad92d455c74ce38e88553edc21a191d9643c8d4860853b
Instruction Fuzzy Hash: 3801283624560477C61327766C46DEB36ADAFD57B9B21B42CFB25B21E2EF34CC016060

Function 00EE000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EDFF41,80070057,?,?,?,00EE035E), ref: 00EE002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EDFF41,80070057,?,?), ref: 00EE0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EDFF41,80070057,?,?), ref: 00EE0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EDFF41,80070057,?), ref: 00EE0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00EDFF41,80070057,?,?), ref: 00EE0070

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 50af3deb5ef9fd2a8cfc24cf470104a1257aa6930f03df03f010ba538eb78dc6
Instruction ID: c317af615e2a2fbb41ea3f78cd61747be8efa5eca071a475745bd1d7e7c2d873
Opcode Fuzzy Hash: 50af3deb5ef9fd2a8cfc24cf470104a1257aa6930f03df03f010ba538eb78dc6
Instruction Fuzzy Hash: 3D01A27264020CBFDB119F6AEC44BEA7AEDEF44761F159524F905E2210D7B1DD80ABA0

Function 00EEE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00EEE997
QueryPerformanceFrequency.KERNEL32(?), ref: 00EEE9A5
Sleep.KERNEL32(00000000), ref: 00EEE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00EEE9B7
Sleep.KERNEL32 ref: 00EEE9F3

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 924f4b58e4a0268f67713f419056ed5784b1e70712d6cdd8f4ad041d3f9bc36e
Instruction ID: e7888592bf893b2f6740be7c4c9c68cfcee54e37c1d614462949895aafa017f9
Opcode Fuzzy Hash: 924f4b58e4a0268f67713f419056ed5784b1e70712d6cdd8f4ad041d3f9bc36e
Instruction Fuzzy Hash: 3A016931C4162DEBCF04AFE6DC59AEDBBB8FF48300F015586E502B2242CB319550DBA1

Function 00EE10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EE1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00EE0B9B,?,?,?), ref: 00EE1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00EE0B9B,?,?,?), ref: 00EE112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00EE0B9B,?,?,?), ref: 00EE1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EE114D

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 914fe0c79364df9f651c1fc4cc51e2d4bc01db1839bf5b0b4cfcc483e0aead57
Instruction ID: f3fe1825dc8f82e73eab37e59a91f847fa0bf82931e6f9b5e25555c88432c76c
Opcode Fuzzy Hash: 914fe0c79364df9f651c1fc4cc51e2d4bc01db1839bf5b0b4cfcc483e0aead57
Instruction Fuzzy Hash: 8901D179140308BFDB010F65DC08EAA3F6EEF85364B124014FA00D3350DB31CC409AA0

Function 00EE0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00EE0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00EE0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00EE0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00EE0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00EE1002

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: d4c03d2025d35acbc03d8ad7f7f1f66e051b4dd1c40cfd4360edb597c6fde294
Instruction ID: fa3112e529b00070ea201cf922ddda8be6bcfc78a54b96fecf6808bcb317c57f
Opcode Fuzzy Hash: d4c03d2025d35acbc03d8ad7f7f1f66e051b4dd1c40cfd4360edb597c6fde294
Instruction Fuzzy Hash: 38F0C239180309FBD7210FA5DC4DF963B6EEF89761F128414F945D7291CA30DC809AA0

Function 00EE1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00EE102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00EE1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EE1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00EE104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EE1062

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f4a6ac56226f3138956a7205dcd9c99794b51d085aebb4f5c236f88074212331
Instruction ID: 0b4228d72b911552c5d80383e33ef571725cffc063a8d25edafd838971f7967b
Opcode Fuzzy Hash: f4a6ac56226f3138956a7205dcd9c99794b51d085aebb4f5c236f88074212331
Instruction Fuzzy Hash: 89F0C239180309FBD7211FA5EC48F963B6EEF89761F124414F945D7250CA30D8809AA0

Function 00EF030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00EF017D,?,00EF32FC,?,00000001,00EC2592,?), ref: 00EF0324
CloseHandle.KERNEL32(?,?,?,?,00EF017D,?,00EF32FC,?,00000001,00EC2592,?), ref: 00EF0331
CloseHandle.KERNEL32(?,?,?,?,00EF017D,?,00EF32FC,?,00000001,00EC2592,?), ref: 00EF033E
CloseHandle.KERNEL32(?,?,?,?,00EF017D,?,00EF32FC,?,00000001,00EC2592,?), ref: 00EF034B
CloseHandle.KERNEL32(?,?,?,?,00EF017D,?,00EF32FC,?,00000001,00EC2592,?), ref: 00EF0358
CloseHandle.KERNEL32(?,?,?,?,00EF017D,?,00EF32FC,?,00000001,00EC2592,?), ref: 00EF0365

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 60450389931351649fd59ee8ab6a1331cae63e6c846c158edd4dab90b42daece
Instruction ID: 3376b8dbd0bcd4176b225ed6a871eb16d786a7dfd4d82cd503570a0d4d5dd0b8
Opcode Fuzzy Hash: 60450389931351649fd59ee8ab6a1331cae63e6c846c158edd4dab90b42daece
Instruction Fuzzy Hash: 7F01A272801B199FC7309F66D880822F7F5BF503193159A3FD29662932C371A954DF80

Function 00EBD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00EBD752

Part of subcall function 00EB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000), ref: 00EB29DE
Part of subcall function 00EB29C8: GetLastError.KERNEL32(00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000,00000000), ref: 00EB29F0

_free.LIBCMT ref: 00EBD764
_free.LIBCMT ref: 00EBD776
_free.LIBCMT ref: 00EBD788
_free.LIBCMT ref: 00EBD79A

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 165a6d931fdcbe3565bfee1b8f3510a866e360bff5006f2f8351a8fd3fd26874
Instruction ID: f28d9b7be1d4e68d922f8357fdc61bd5563f03dacf553ee89d149b37444489b3
Opcode Fuzzy Hash: 165a6d931fdcbe3565bfee1b8f3510a866e360bff5006f2f8351a8fd3fd26874
Instruction Fuzzy Hash: 40F04F32509218BB8661EB64FDC5CD77BDDBF453147942C0AF548F7501DB20FC8086A4

Function 00EE5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00EE5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00EE5C6F
MessageBeep.USER32(00000000), ref: 00EE5C87
KillTimer.USER32(?,0000040A), ref: 00EE5CA3
EndDialog.USER32(?,00000001), ref: 00EE5CBD

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 1fcea3afd1d01a54884390e153d8521cf1729ac4b621a70125dd08c55b0995b1
Instruction ID: 6e0a30ae0333356255b8a5fd3aca4bd0a839869a9b9ccf57cd334edae9c398f1
Opcode Fuzzy Hash: 1fcea3afd1d01a54884390e153d8521cf1729ac4b621a70125dd08c55b0995b1
Instruction Fuzzy Hash: B101D131540B08ABEB205B11DD5EFE6B7B8BF04B09F052159A287B10E1DBF0A984DF90

Function 00EB22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00EB22BE

Part of subcall function 00EB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000), ref: 00EB29DE
Part of subcall function 00EB29C8: GetLastError.KERNEL32(00000000,?,00EBD7D1,00000000,00000000,00000000,00000000,?,00EBD7F8,00000000,00000007,00000000,?,00EBDBF5,00000000,00000000), ref: 00EB29F0

_free.LIBCMT ref: 00EB22D0
_free.LIBCMT ref: 00EB22E3
_free.LIBCMT ref: 00EB22F4
_free.LIBCMT ref: 00EB2305

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 68c0ebd25be6cf1d3ae6bc44af18b6eee30c9b24bb204fa0c9d777ec872ece31
Instruction ID: f9cc511cc351bb7d6798bac614a8a09ae2ca29a3583ee5a8154e16fbf6f41688
Opcode Fuzzy Hash: 68c0ebd25be6cf1d3ae6bc44af18b6eee30c9b24bb204fa0c9d777ec872ece31
Instruction Fuzzy Hash: 41F054744013189B8652AF54BC0199A3BE4FB59752B012A0EFB18E2271CB301411BFE5

Function 00E995C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00E995D4
StrokeAndFillPath.GDI32(?,?,00ED71F7,00000000,?,?,?), ref: 00E995F0
SelectObject.GDI32(?,00000000), ref: 00E99603
DeleteObject.GDI32 ref: 00E99616
StrokePath.GDI32(?), ref: 00E99631

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: ef7a5b2c5c9791d7d0cf750cbe4e419c8e5606db15044bf9b248bc35ae35cf7f
Instruction ID: 2a076157f774ca9a6356edebb7380731270c734b5425133c4110b20202158dcb
Opcode Fuzzy Hash: ef7a5b2c5c9791d7d0cf750cbe4e419c8e5606db15044bf9b248bc35ae35cf7f
Instruction Fuzzy Hash: 16F0373004630CEBDB225F69ED1CBA93B61BB15327F058258F665A50F2C7309995EFA4

Function 00EB0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00EB10F9
__freea.LIBCMT ref: 00EB1117

Part of subcall function 00EB1537: _free.LIBCMT ref: 00EB154F

Strings

a/p, xrefs: 00EB11DE
am/pm, xrefs: 00EB117A

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: dc57967ba496cb9fa87c876900bc4ec708939eb30f216a426589b6743f8f5489
Instruction ID: c1d2c26e88aa94980ffe67dfac6bd7d50a295345ee777a766fb4e460deb72057
Opcode Fuzzy Hash: dc57967ba496cb9fa87c876900bc4ec708939eb30f216a426589b6743f8f5489
Instruction Fuzzy Hash: 2BD11831900206CADB249F68C865BFFB7F1FF05724F992199E601BB650E3759D80CB91

Function 00EB8A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00EB8B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00EB8B7A
__dosmaperr.LIBCMT ref: 00EB8B81

Strings

., xrefs: 00EB8A63

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .
API String ID: 2434981716-3963672497
Opcode ID: 32aea55759372622fc553463aab4a84ca4088e0854476d22e5198de3f90b4c3e
Instruction ID: df7c54745d8ebaca2dfe85e899c3d72eb90f90c0a4d8638daaea3d1671e68e3d
Opcode Fuzzy Hash: 32aea55759372622fc553463aab4a84ca4088e0854476d22e5198de3f90b4c3e
Instruction Fuzzy Hash: 06414B74604145AFD7249F64D9D0AFB7FE9DB85304B28A19AE885A7352DE318C02D790

Function 00EE2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EEB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00EE21D0,?,?,00000034,00000800,?,00000034), ref: 00EEB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00EE2760

Part of subcall function 00EEB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00EE21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00EEB3F8

Part of subcall function 00EEB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00EEB355
Part of subcall function 00EEB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00EE2194,00000034,?,?,00001004,00000000,00000000), ref: 00EEB365
Part of subcall function 00EEB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00EE2194,00000034,?,?,00001004,00000000,00000000), ref: 00EEB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00EE27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00EE281A

Strings

@, xrefs: 00EE2832

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: c3299a7b624988c416c30892a543e1678236bfa3bdd742e97386f8b66a9ef123
Instruction ID: 14c6d6f77e3ef91f3ccaf0e9543a6a5c46c8196e902e6350390198c2327c42c8
Opcode Fuzzy Hash: c3299a7b624988c416c30892a543e1678236bfa3bdd742e97386f8b66a9ef123
Instruction Fuzzy Hash: DA412F7290021CAFDB10DFA5CD46ADEBBB8EF09700F105099FA55B7181DB706E45CBA1

Function 00EB172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\nnn.exe,00000104), ref: 00EB1769
_free.LIBCMT ref: 00EB1834
_free.LIBCMT ref: 00EB183E

Strings

C:\Users\user\Desktop\nnn.exe, xrefs: 00EB1760, 00EB1767, 00EB1796, 00EB17CE

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\nnn.exe
API String ID: 2506810119-3771354791
Opcode ID: 5df6a9ee802949470b924517c9fce4933df882a41a1a91e253f0f0fbd9078310
Instruction ID: c34b9d31b4f03b636a5780b2dcf09427660d0a7d24ec7fa907aa102ef9f33f7d
Opcode Fuzzy Hash: 5df6a9ee802949470b924517c9fce4933df882a41a1a91e253f0f0fbd9078310
Instruction Fuzzy Hash: B8319F71A00218ABDB21DB999885EDFBBFCFF85320F5051AAF904E7211DA709A40DB90

Function 00EEC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00EEC306
DeleteMenu.USER32(?,00000007,00000000), ref: 00EEC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00F51990,017254B8), ref: 00EEC395

Strings

0, xrefs: 00EEC2DF

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: b07a151fd8af8519277f928f727d93dbf5420e51a43ebd25734a789ea7714b83
Instruction ID: 76fa497f68d7079874aa8b79d36d67cdf338e29614be13c3c0309db23efa43ed
Opcode Fuzzy Hash: b07a151fd8af8519277f928f727d93dbf5420e51a43ebd25734a789ea7714b83
Instruction Fuzzy Hash: E341E3312043859FD720DF26D844F5ABBE8AF85314F24966DF9A5A72D2C730E805CB62

Function 00F14416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00F1CC08,00000000,?,?,?,?), ref: 00F144AA
GetWindowLongW.USER32 ref: 00F144C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F144D7

Strings

SysTreeView32, xrefs: 00F1447C

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: b21de93615a3f6497cd43ece17677f0e7c7dde2e01c8db2bab3b0da5290bd017
Instruction ID: 52f3ba7f47aa1436409d3d681819c39c0456dccc901811cbca41e9ff3b94bfdb
Opcode Fuzzy Hash: b21de93615a3f6497cd43ece17677f0e7c7dde2e01c8db2bab3b0da5290bd017
Instruction Fuzzy Hash: CC31AF31610205AFDF209E38DC45BDA7BA9EB48334F254315F979A31D0D771EC90AB50

Function 00EE6E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00EE6EED
VariantCopyInd.OLEAUT32(?,?), ref: 00EE6F08
VariantClear.OLEAUT32(?), ref: 00EE6F12

Strings

*j, xrefs: 00EE6E8B, 00EE6E90, 00EE6EF8

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j
API String ID: 2173805711-1845181700
Opcode ID: 938d3c73fb4081564cd84bb1ddf2718c6055481939f13202dae1c06711b45a7c
Instruction ID: 91c2de3dacfa72adfec1524abc3805e5221fcd465731a5212a13c821bd54fe4b
Opcode Fuzzy Hash: 938d3c73fb4081564cd84bb1ddf2718c6055481939f13202dae1c06711b45a7c
Instruction Fuzzy Hash: 6431B171708299DFCB04EFA5E8909FD37B6FFA5344B101498F8066B2A1CB309912DBD0

Function 00F0304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F0335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00F03077,?,?), ref: 00F03378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00F0307A
_wcslen.LIBCMT ref: 00F0309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00F03106

Strings

255.255.255.255, xrefs: 00F03095, 00F0309A

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 728429a04a20bf207a423b8af3bb0e8e701f51e17d08ccdc3f4e3e8ad9687f4e
Instruction ID: e4de6c6174fdb2a76a2cb79be05be17ee02697a2405bdd599342bbb4e7791271
Opcode Fuzzy Hash: 728429a04a20bf207a423b8af3bb0e8e701f51e17d08ccdc3f4e3e8ad9687f4e
Instruction Fuzzy Hash: DA31E735A04205DFCB10CF28C585EAA77E8EF54328F258059E8159B3D2D772EE45F761

Function 00F13EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00F13F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00F13F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00F13F78

Strings

SysMonthCal32, xrefs: 00F13F0B

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: ea2d689f29535d9d54b103a808f04b97b84954bb56cf4d8c0be3791c3388d781
Instruction ID: 536bf78137ab55012fd36e764e381c207b4cd0221cfb5b069e279ec9130ffa35
Opcode Fuzzy Hash: ea2d689f29535d9d54b103a808f04b97b84954bb56cf4d8c0be3791c3388d781
Instruction Fuzzy Hash: 0921BF32A00219BFDF259F50CC46FEA3B75EB48724F110214FA197B1D0D6B1A895EB90

Function 00F14653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00F14705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00F14713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00F1471A

Strings

msctls_updown32, xrefs: 00F14684

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: b50fe182dbe659a0f97ca10810efc31b9f742706a4c113fe7390cb35f0be6f4c
Instruction ID: 068b5aabf4ece2595e26a5e3af8c9ee09667ef1827ce8b4a2fc81939775ee1f6
Opcode Fuzzy Hash: b50fe182dbe659a0f97ca10810efc31b9f742706a4c113fe7390cb35f0be6f4c
Instruction Fuzzy Hash: 6B2160B5600208AFEB11DF64DCC1DA737EDEB9A7A4B140059FA049B291CB71FC51EB60

Function 00EE95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EE961D

Strings

#notrayicon, xrefs: 00EE95B7
#OnAutoItStartRegister, xrefs: 00EE95F3
#requireadmin, xrefs: 00EE95D9

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 1c2344fe43ffbbeaa446bf69604acaa4968a29d5c78be0c2da871d2db2ed1ae4
Instruction ID: 79d12625038d8fbaae03eded12b79c8a1ae5c59c8e9f961edfa9ea8472df6b14
Opcode Fuzzy Hash: 1c2344fe43ffbbeaa446bf69604acaa4968a29d5c78be0c2da871d2db2ed1ae4
Instruction Fuzzy Hash: 7C218B72204696A6C331BB269C02FFB73E89F95304F106427F949BB083EB51ED85C3A1

Function 00F137B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00F13840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00F13850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00F13876

Strings

Listbox, xrefs: 00F1380F

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: b8639a02e3d57be488092afe7e0a86590a8b05eb5c6bd34a1f59ad655b99321a
Instruction ID: 6d72a87f726a8a995fa3398c1d1a9f015b4b40ef8f3861e49ba887ac6c2872e6
Opcode Fuzzy Hash: b8639a02e3d57be488092afe7e0a86590a8b05eb5c6bd34a1f59ad655b99321a
Instruction Fuzzy Hash: E0219272A14218BBEF219F54DC45FFB376EEF89760F118124F9049B190C675DC92A7A0

Function 00EF49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EF4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00EF4A5C
SetErrorMode.KERNEL32(00000000,?,?,00F1CC08), ref: 00EF4AD0

Strings

%lu, xrefs: 00EF4A6F

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 794e4aedf737ad0dfa295492ca26009987290e831157622e67237ae753479fb6
Instruction ID: cc97321c52c6226d41ec9ac6b560e97d11ba2619a159f88a8be6edc5a9d25226
Opcode Fuzzy Hash: 794e4aedf737ad0dfa295492ca26009987290e831157622e67237ae753479fb6
Instruction Fuzzy Hash: 74318575A40109AFDB10DF54C885EBA7BF8EF05308F148099F909EB252D771ED45CBA1

Function 00F141EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00F1424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00F14264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00F14271

Strings

msctls_trackbar32, xrefs: 00F14226

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 66842b70543a4fe48206a46b767fdfefabab3353ba377633417ddf562e6b6816
Instruction ID: 5daec33638e5d281114f7bd988d1571bd14669899e1dfb57a40a7cd417b12c22
Opcode Fuzzy Hash: 66842b70543a4fe48206a46b767fdfefabab3353ba377633417ddf562e6b6816
Instruction Fuzzy Hash: E6110631640248BEEF205F29CC06FEB3BACEFD5B64F110114FA55E2090D271EC91AB10

Function 00EE2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E86B57: _wcslen.LIBCMT ref: 00E86B6A

Part of subcall function 00EE2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00EE2DC5
Part of subcall function 00EE2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EE2DD6
Part of subcall function 00EE2DA7: GetCurrentThreadId.KERNEL32 ref: 00EE2DDD
Part of subcall function 00EE2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00EE2DE4

GetFocus.USER32 ref: 00EE2F78

Part of subcall function 00EE2DEE: GetParent.USER32(00000000), ref: 00EE2DF9

GetClassNameW.USER32(?,?,00000100), ref: 00EE2FC3
EnumChildWindows.USER32(?,00EE303B), ref: 00EE2FEB

Strings

%s%d, xrefs: 00EE2FFF

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 758e08fc9a89e7229a282cd4cd16d107f70b2fcc420368ba1a68c364b5208e9f
Instruction ID: 4a874baa2bd35a6b4c3327a3fe8e66fbe42b00a2941b6c8a0925899fc9d7fc3e
Opcode Fuzzy Hash: 758e08fc9a89e7229a282cd4cd16d107f70b2fcc420368ba1a68c364b5208e9f
Instruction Fuzzy Hash: F711B7756002496BCF147F718C89EED77AAAF94318F049079FA0DBB252DE3099459B60

Function 00F15882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00F158C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00F158EE
DrawMenuBar.USER32(?), ref: 00F158FD

Strings

0, xrefs: 00F1588F

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: c6be9435bfc0bef7dcaae662f23904823b5b7097eea181af5eece77eb61a6671
Instruction ID: 6241660ca2b519e4c092a6c6818b4ff7fadaaec7e9d1013c98a26ee92464f2b4
Opcode Fuzzy Hash: c6be9435bfc0bef7dcaae662f23904823b5b7097eea181af5eece77eb61a6671
Instruction Fuzzy Hash: D2016D32500218EFDB219F11DC44BEEBBB9FB85760F148099E849D6151DB308AC4EF62

Function 00EDD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00EDD3BF
FreeLibrary.KERNEL32 ref: 00EDD3E5

Strings

X64, xrefs: 00EDD2A8
GetSystemWow64DirectoryW, xrefs: 00EDD3B9

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 3ff562fc48cf142836d19ab786144dfede0505a1aef5f22584692a0ef032837f
Instruction ID: 25249b3b2fd4db5e1726f8f84903397c3c8b556ac02147c6b462ae118e7f9fd0
Opcode Fuzzy Hash: 3ff562fc48cf142836d19ab786144dfede0505a1aef5f22584692a0ef032837f
Instruction Fuzzy Hash: 70F02B318CD621EBDB7516108C64EE97324EF10705F5AB56BFC02F2315E720CD86A6D2

Function 00EE007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcf875f035842e1fe8c32e0c037b783c869980f6f4d0589949335bceb0bf5261
Instruction ID: 422b0ff8e81a640b5ae0819a801a44d96df48af9712c6595ff1785831b7eb0d8
Opcode Fuzzy Hash: bcf875f035842e1fe8c32e0c037b783c869980f6f4d0589949335bceb0bf5261
Instruction Fuzzy Hash: 2DC16B75A0024AEFDB14CFA5C894EAEB7B5FF48304F209598E505EB251D771EE81CB90

Function 00F0342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00F03459
CoUninitialize.OLE32 ref: 00F03463
VariantInit.OLEAUT32(?), ref: 00F0346E
VariantClear.OLEAUT32(?), ref: 00F0371B

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: a77818e6f5a09e3307a33bed7b00686285a83c18adf9536e60f2a89998745be4
Instruction ID: 059c44219a7594832bc00f4a6ccac819a997449372cde660ad7d6a59882aee84
Opcode Fuzzy Hash: a77818e6f5a09e3307a33bed7b00686285a83c18adf9536e60f2a89998745be4
Instruction Fuzzy Hash: 61A14F756043019FC710EF24C485A2AB7E9FF89714F148859F999AB3A2DB31ED01DB51

Function 00EE0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00F1FC08,?), ref: 00EE05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00F1FC08,?), ref: 00EE0608
CLSIDFromProgID.OLE32(?,?,00000000,00F1CC40,000000FF,?,00000000,00000800,00000000,?,00F1FC08,?), ref: 00EE062D
_memcmp.LIBVCRUNTIME ref: 00EE064E

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 6855709527d1878755104cfb8b14126fa30a9a935d33a15fa35a03afa2033daa
Instruction ID: 6934dbbf17f06018e19bfe838d0380f0b6fe40c4a2a5e955d74438a30084d824
Opcode Fuzzy Hash: 6855709527d1878755104cfb8b14126fa30a9a935d33a15fa35a03afa2033daa
Instruction Fuzzy Hash: 3D810971A0010AEFCB04DF94C984EEEB7B9FF89315F205558E516BB250DB71AE46CBA0

Function 00EC1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00EC14C0

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: bd281f55aee7acb5e9e00849ac9bba97be804954bd0ffea08ea838d7dbdafeed
Instruction ID: 61665c490442227b7884e0f065ee1abd6d82ddcb5d134ca824dfdab4f16032b5
Opcode Fuzzy Hash: bd281f55aee7acb5e9e00849ac9bba97be804954bd0ffea08ea838d7dbdafeed
Instruction Fuzzy Hash: 1C412A31500100AADB296BF88D45FEE3AE5FF47374F1462ADF829F6293E63648425261

Function 00F16278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0172E8E0,?), ref: 00F162E2
ScreenToClient.USER32(?,?), ref: 00F16315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00F16382

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 958e087ce0d41a30be4852daea3e73d1aa4380e2bea12548b0242c8470b9172e
Instruction ID: 2273d28715747dbad9e4f3d9fb8d9d25963457038195e74ad6a20fa1d4e9ea72
Opcode Fuzzy Hash: 958e087ce0d41a30be4852daea3e73d1aa4380e2bea12548b0242c8470b9172e
Instruction Fuzzy Hash: ED512974A00249AFDF14DF68D880AEE7BB5FB45360F108169F925DB2A0D770ED81EB90

Function 00F01AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00F01AFD
WSAGetLastError.WSOCK32 ref: 00F01B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00F01B8A
WSAGetLastError.WSOCK32 ref: 00F01B94

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 32ee1bd559ee091309886e006bcb27b899b1acc3bbe2b1d67ed94cce90788fd9
Instruction ID: c11673be1ccb46cba034390742a08b4f2964ff309b40fb03a3dfa744bb32ff03
Opcode Fuzzy Hash: 32ee1bd559ee091309886e006bcb27b899b1acc3bbe2b1d67ed94cce90788fd9
Instruction Fuzzy Hash: 4941B274640200AFEB20AF24C886F6977E5AF84718F54D488FA1AAF7D2D772DD41DB90

Function 00EBB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9739a614e682005f893c8f5fd1ee1a1fb8d15371de6a3568eb6a8f85ff7bdbc1
Instruction ID: f71e6b8f2ea340793ae57eee59f7d8d0216c930fbcb09e61f94734ab23c42fd9
Opcode Fuzzy Hash: 9739a614e682005f893c8f5fd1ee1a1fb8d15371de6a3568eb6a8f85ff7bdbc1
Instruction Fuzzy Hash: 5E412871A00714AFD7249F78CC41BEBBBE9EF89710F10566EF151EB292E7B1A9018790

Function 00EF56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00EF5783
GetLastError.KERNEL32(?,00000000), ref: 00EF57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00EF57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00EF57FA

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 4adfefa824aa020f17a701aa3011f81796561b71aa81055d1b5d227f57009ae2
Instruction ID: b92d1a2c4fc02383badd263a9a62d8c23b0d0a715a52f0779d56b33c564eae1c
Opcode Fuzzy Hash: 4adfefa824aa020f17a701aa3011f81796561b71aa81055d1b5d227f57009ae2
Instruction Fuzzy Hash: D1412B39600654DFCB11EF15C444A5EBBE2AF89724B19D498EA5EAB362CB30FD40CB91

Function 00EBD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00EA82D9,?,00EA82D9,?,00000001,?,?,00000001,00EA82D9,00EA82D9), ref: 00EBD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00EBD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00EBD9AB
__freea.LIBCMT ref: 00EBD9B4

Part of subcall function 00EB3820: RtlAllocateHeap.NTDLL(00000000,?,00F51444,?,00E9FDF5,?,?,00E8A976,00000010,00F51440,00E813FC,?,00E813C6,?,00E81129), ref: 00EB3852

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 078a28f19451c3425de94234e829cae7bd06271845305c27342ab9d09cbd230d
Instruction ID: 188a5191824f86fb7547bce7adb0df0cee26fdee329192d6581a9171feac039d
Opcode Fuzzy Hash: 078a28f19451c3425de94234e829cae7bd06271845305c27342ab9d09cbd230d
Instruction Fuzzy Hash: 5131AB72A0020AABDF289F65DC41EEF7BA5EB81714F054168FC04EA290EB75DD54CBA0

Function 00F152C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00F15352
GetWindowLongW.USER32(?,000000F0), ref: 00F15375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F15382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F153A8

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: d4d113b2e134b80f64c5a798d5e5dc0145c100e9649eed64020fa1d78ec93596
Instruction ID: 4e7ab216a5f996dbe93eb4c5f8ef6518a62ce3266865bbaf02e1f1bc90b17fd8
Opcode Fuzzy Hash: d4d113b2e134b80f64c5a798d5e5dc0145c100e9649eed64020fa1d78ec93596
Instruction Fuzzy Hash: 8831C435E55A0CEFEB349E54CC15BE83767AB84BA0F584106FA24971E1C7B1ADC0BB41

Function 00EEAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00EEABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00EEAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00EEAC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00EEACC6

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: e67cf3bb54fb0488cac4f7069c4ec0ff89bef7cded830ef151388320628a7b45
Instruction ID: 2451d05a732cf722efaf123722c1ade529aa7ee806587d901a889faa74140c5f
Opcode Fuzzy Hash: e67cf3bb54fb0488cac4f7069c4ec0ff89bef7cded830ef151388320628a7b45
Instruction Fuzzy Hash: 32312A30A4039C6FEF34CB668C047FAFBA5AB85314F2C622EE485721D1C375A9859792

Function 00F17674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00F1769A
GetWindowRect.USER32(?,?), ref: 00F17710
PtInRect.USER32(?,?,00F18B89), ref: 00F17720
MessageBeep.USER32(00000000), ref: 00F1778C

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 27b982ec435353934ec7deff76445c0a3d149b64aff898e698b31673a6c6010e
Instruction ID: cb72e16f0dc677fbf0bd07e3d9bf15d28472499780b0fe35f467528fa3865c81
Opcode Fuzzy Hash: 27b982ec435353934ec7deff76445c0a3d149b64aff898e698b31673a6c6010e
Instruction Fuzzy Hash: 73417E35A053189FDB01EF59C894FE9BBF5BB49314F1581A8E5189B2A1C730A981EF90

Function 00F116DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00F116EB

Part of subcall function 00EE3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EE3A57
Part of subcall function 00EE3A3D: GetCurrentThreadId.KERNEL32 ref: 00EE3A5E
Part of subcall function 00EE3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00EE25B3), ref: 00EE3A65

GetCaretPos.USER32(?), ref: 00F116FF
ClientToScreen.USER32(00000000,?), ref: 00F1174C
GetForegroundWindow.USER32 ref: 00F11752

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 0c418e968ddaa48320b64bc624393f127460b240dc64ae5410e0eb97ad601187
Instruction ID: efe26b5ec941fb38c0228bf6e5327c25e67412af95d4b1b95bbab39eaaaf8986
Opcode Fuzzy Hash: 0c418e968ddaa48320b64bc624393f127460b240dc64ae5410e0eb97ad601187
Instruction Fuzzy Hash: 84316F71E00149AFDB00EFA9C881CEEBBF9EF48304B6490A9E519E7251D731DE45CBA0

Function 00EED4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00EED501
Process32FirstW.KERNEL32(00000000,?), ref: 00EED50F
Process32NextW.KERNEL32(00000000,?), ref: 00EED52F
CloseHandle.KERNEL32(00000000), ref: 00EED5DC

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: a1c48659411ee051a98f662060424a113d67e0e9670ecfb5c16109a43a21192c
Instruction ID: b2fdf799b3083ce451d3601dab81853e3caa3b1a0dc56cca6c2aea0175c12b33
Opcode Fuzzy Hash: a1c48659411ee051a98f662060424a113d67e0e9670ecfb5c16109a43a21192c
Instruction Fuzzy Hash: 2931AF310083449FD304EF54CC85ABFBBF8EF99344F14092DF589A21A2EB719948CB92

Function 00F18FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E99BB2

GetCursorPos.USER32(?), ref: 00F19001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00ED7711,?,?,?,?,?), ref: 00F19016
GetCursorPos.USER32(?), ref: 00F1905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00ED7711,?,?,?), ref: 00F19094

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: a2d7ac685e38b3b352603b3f11af77395615da72d75771e9e3a3614d7bb0050b
Instruction ID: 2f4584668dca944b6820a170f7dbfbc0ea8f2cc8bcd68a83c059714357eaa1c6
Opcode Fuzzy Hash: a2d7ac685e38b3b352603b3f11af77395615da72d75771e9e3a3614d7bb0050b
Instruction Fuzzy Hash: 32218035A00118AFDB25CFA5C868FEA7BB9FB49361F044065F90557261C371AD90FBA0

Function 00EED2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00F1CB68), ref: 00EED2FB
GetLastError.KERNEL32 ref: 00EED30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00EED319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00F1CB68), ref: 00EED376

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 2e3a6f9078da8bdfe6cf7cdcac1fc0b4f1d14d0ed27267a3df5e4ba5741356ab
Instruction ID: dbae974abfbf6cd560fc85c35cf99fcffb4adf10a6ee8b25ea7a9baca61515bb
Opcode Fuzzy Hash: 2e3a6f9078da8bdfe6cf7cdcac1fc0b4f1d14d0ed27267a3df5e4ba5741356ab
Instruction Fuzzy Hash: 5C21A1745482459F8310EF29CC818AEB7E4EE5A328F105A1DF499E72E1D731D945CB93

Function 00EE1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00EE102A
Part of subcall function 00EE1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00EE1036
Part of subcall function 00EE1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EE1045
Part of subcall function 00EE1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00EE104C
Part of subcall function 00EE1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EE1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00EE15BE
_memcmp.LIBVCRUNTIME ref: 00EE15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EE1617
HeapFree.KERNEL32(00000000), ref: 00EE161E

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: e61c7594c72009b40d12d89ad5c477c5cf371bde8b93b8e0c30e8ca29254e5d8
Instruction ID: 84fb9ca719b468c1c0fac546f2d2e7e7d2ef2306150f7efc9166af6c1393f1e7
Opcode Fuzzy Hash: e61c7594c72009b40d12d89ad5c477c5cf371bde8b93b8e0c30e8ca29254e5d8
Instruction Fuzzy Hash: BC218E31E40109EFDF00DFA6C945BEEB7B8EF44354F099499E445BB241E730AA45DB90

Function 00F12782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00F1280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00F12824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00F12832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00F12840

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 97ca78cd34df33f997bc12a27992d0b336850b3fe8d6a7c3da27fd10b6468522
Instruction ID: 785ccd2bad7e075b0421f15bdfc14022064d879b37aa0000f45fb9800e5ee992
Opcode Fuzzy Hash: 97ca78cd34df33f997bc12a27992d0b336850b3fe8d6a7c3da27fd10b6468522
Instruction Fuzzy Hash: 78210331604114AFD7149B64CC44FEA7B9AEF45324F198158F42A8B2E2CB75FC92DBD0

Function 00EE78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00EE790A,?,000000FF,?,00EE8754,00000000,?,0000001C,?,?), ref: 00EE8D8C
Part of subcall function 00EE8D7D: lstrcpyW.KERNEL32(00000000,?,?,00EE790A,?,000000FF,?,00EE8754,00000000,?,0000001C,?,?,00000000), ref: 00EE8DB2
Part of subcall function 00EE8D7D: lstrcmpiW.KERNEL32(00000000,?,00EE790A,?,000000FF,?,00EE8754,00000000,?,0000001C,?,?), ref: 00EE8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00EE8754,00000000,?,0000001C,?,?,00000000), ref: 00EE7923
lstrcpyW.KERNEL32(00000000,?,?,00EE8754,00000000,?,0000001C,?,?,00000000), ref: 00EE7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00EE8754,00000000,?,0000001C,?,?,00000000), ref: 00EE7984

Strings

cdecl, xrefs: 00EE797B

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 1857df898e492be908a83ea390459f5b36e0f2a96d308f0972c678bcb7adf2d8
Instruction ID: 8a4f561b3d343929d49c5365e23ebe98ed362204f6a25ce3a32d7b64be9d8dca
Opcode Fuzzy Hash: 1857df898e492be908a83ea390459f5b36e0f2a96d308f0972c678bcb7adf2d8
Instruction Fuzzy Hash: 2711293A200389ABCB155F35DC44E7A77E9FF85354B11902AF886D7265EB32D801D791

Function 00F17CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00F17D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00F17D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00F17D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00EFB7AD,00000000), ref: 00F17D6B

Part of subcall function 00E99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E99BB2

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 8a3d7c369d5fb5fdf2f95066d7604faab2b1bdccfb88bfbbeee1a5e2613799c9
Instruction ID: ade470fd91f9c26888bc3bb2eded90a97c16a74ec3f215eec0af830f36298cf4
Opcode Fuzzy Hash: 8a3d7c369d5fb5fdf2f95066d7604faab2b1bdccfb88bfbbeee1a5e2613799c9
Instruction Fuzzy Hash: 7D11C032604718AFCB10AF28DC04AE63BA5BF45375B158724F939D72F0D7309991EB80

Function 00F15660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00F156BB
_wcslen.LIBCMT ref: 00F156CD
_wcslen.LIBCMT ref: 00F156D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00F15816

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: e64ac3bc59e9cf7a8323e4b295e8fac6091f8b92197ef27747c499aee8e4ba50
Instruction ID: 5b1387672ce0836cf80a79ced7c3562f31502839b0f3febf881f6371ead7ea50
Opcode Fuzzy Hash: e64ac3bc59e9cf7a8323e4b295e8fac6091f8b92197ef27747c499aee8e4ba50
Instruction Fuzzy Hash: 38110672A00609D6DF20DF61CC81AEE77ACEF95B74F504026F905D6081E770D9C4EBA0

Function 00EB1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea6eb4871bc45d43f62759eea1c325be27c5c236583c38581962b673572785ed
Instruction ID: 4bb58f5e53b1f6a28db80564c666ddfa0010aad2e1074fd90af741d7c3c1eeab
Opcode Fuzzy Hash: ea6eb4871bc45d43f62759eea1c325be27c5c236583c38581962b673572785ed
Instruction Fuzzy Hash: C901D1B220A71A7EF62126786CD0FE7665CDF817BAF71236AF621B11D2DB60CC005170

Function 00EE1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00EE1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EE1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EE1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EE1A8A

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e8458578bff4c0d02f341ed023a363ed220c9d8f448fbc6ec00cbd9f31fd7881
Instruction ID: 5abddd354d64ec08bc4d07f5e3519d71ffe37cc5f92bae33b9900bec6c367070
Opcode Fuzzy Hash: e8458578bff4c0d02f341ed023a363ed220c9d8f448fbc6ec00cbd9f31fd7881
Instruction Fuzzy Hash: 6411393AD01219FFEB10DBA5CD85FADBB78EB08750F2000A1EA04B7290D6716E90DB94

Function 00EEE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00EEE1FD
MessageBoxW.USER32(?,?,?,?), ref: 00EEE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00EEE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00EEE24D

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 18dea5b8bd84c964ff53c0abe86d9c7f4ea9445c841a4a6979e04d69e52a8d74
Instruction ID: 3677ff9e5816c609f8665c3316ea0f4424cbc048425b18c45559f774b0b79f0c
Opcode Fuzzy Hash: 18dea5b8bd84c964ff53c0abe86d9c7f4ea9445c841a4a6979e04d69e52a8d74
Instruction Fuzzy Hash: 7911087690435CBBC7019FA9AC05BDE7FACAB4A315F008215FA24F3390D2B0DD0497A0

Function 00EAD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00EACFF9,00000000,00000004,00000000), ref: 00EAD218
GetLastError.KERNEL32 ref: 00EAD224
__dosmaperr.LIBCMT ref: 00EAD22B
ResumeThread.KERNEL32(00000000), ref: 00EAD249

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: a683300a6ac407c6a291c6fe9e4e36c5d8f1a3c5967c6601dfbd58c13f602fed
Instruction ID: ccf7ae5ef13e857f3d72857207330d6fd625219843e3b03fcb7a115017d45ce6
Opcode Fuzzy Hash: a683300a6ac407c6a291c6fe9e4e36c5d8f1a3c5967c6601dfbd58c13f602fed
Instruction Fuzzy Hash: EE010876409108BBC7115BA5DC05BAA7A99DF8B330F105219F926BA0E0CB70A800C6B0

Function 00F19EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00E99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E99BB2

GetClientRect.USER32(?,?), ref: 00F19F31
GetCursorPos.USER32(?), ref: 00F19F3B
ScreenToClient.USER32(?,?), ref: 00F19F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00F19F7A

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 15df21134d517df35c306c2160f170576388e1e14d629004ec0748efa696d877
Instruction ID: 85ea5d9d7ce9be1a865d4e8c9a279d888df6c484e6f5c322e21f2bbc86f4f611
Opcode Fuzzy Hash: 15df21134d517df35c306c2160f170576388e1e14d629004ec0748efa696d877
Instruction Fuzzy Hash: AB11333290421ABBDB10EFA8C8999EE77B9FB05321F004455F911E3141D3B4BA82EBE1

Function 00E8600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E8604C
GetStockObject.GDI32(00000011), ref: 00E86060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00E8606A

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 3275e6093f68b1fb18f682e3e5a6143928f986588410b03581c41c67292171ce
Instruction ID: 3ca37400110e4a5d5696e9e5160cfa489887569780892c7e9872214bf0f298b0
Opcode Fuzzy Hash: 3275e6093f68b1fb18f682e3e5a6143928f986588410b03581c41c67292171ce
Instruction Fuzzy Hash: 8211AD7210150CBFEF225FA48C54EEABB69FF083A8F015205FA0866150C732DC60EBA0

Function 00EA3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00EA3B56

Part of subcall function 00EA3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00EA3AD2
Part of subcall function 00EA3AA3: ___AdjustPointer.LIBCMT ref: 00EA3AED

_UnwindNestedFrames.LIBCMT ref: 00EA3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00EA3B7C
CallCatchBlock.LIBVCRUNTIME ref: 00EA3BA4

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: aced855509fe34021b5ebc2758200dfd440bc381eb152b1439bbc9d61a48e809
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 0E012D72100148BBDF115EA5DC42EEB7FAAEF8E754F045014FE586A121C772E961DBA0

Function 00EB3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00E813C6,00000000,00000000,?,00EB301A,00E813C6,00000000,00000000,00000000,?,00EB328B,00000006,FlsSetValue), ref: 00EB30A5
GetLastError.KERNEL32(?,00EB301A,00E813C6,00000000,00000000,00000000,?,00EB328B,00000006,FlsSetValue,00F22290,FlsSetValue,00000000,00000364,?,00EB2E46), ref: 00EB30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00EB301A,00E813C6,00000000,00000000,00000000,?,00EB328B,00000006,FlsSetValue,00F22290,FlsSetValue,00000000), ref: 00EB30BF

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 25b63cc8c5d96c9d247592402890c4033f3100de8ed497a41acf60989c3c66cb
Instruction ID: 5128057b5c68b63a735d8ca15ea0f461fc26a78923802421b9a0058200c5e58e
Opcode Fuzzy Hash: 25b63cc8c5d96c9d247592402890c4033f3100de8ed497a41acf60989c3c66cb
Instruction Fuzzy Hash: CA01F236785336ABCB315B79AC46AE77B98AF05BA5B215620F906F3140CB21D901C6E0

Function 00EE7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00EE747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00EE7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00EE74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00EE74CA

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 3e0dd9de953d340fa912edf48c0e232590ec8444cbc250c07e54b66fa35fc458
Instruction ID: d13c4004dbf12b7cf7c3e304f132041dd003bb93fcbc89b2f82c015f36177acd
Opcode Fuzzy Hash: 3e0dd9de953d340fa912edf48c0e232590ec8444cbc250c07e54b66fa35fc458
Instruction Fuzzy Hash: 2E11A1B5249358ABE720CF55DC08FD27FFCEB00B04F109569A6A6E6191D770E904DB90

Function 00EEB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00EEACD3,?,00008000), ref: 00EEB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00EEACD3,?,00008000), ref: 00EEB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00EEACD3,?,00008000), ref: 00EEB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00EEACD3,?,00008000), ref: 00EEB126

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 38c92656510a48282648102248e9da6f50d32c2244e78e0e7119948e2d22b54e
Instruction ID: dec3061355e6b8f2970068d8751ec77724b201de5b16d7423135d2a417e1dae2
Opcode Fuzzy Hash: 38c92656510a48282648102248e9da6f50d32c2244e78e0e7119948e2d22b54e
Instruction Fuzzy Hash: FC115B31C4166CE7CF04AFE6E9A87EFBB78FF49721F119086D941B2281CB305650AB91

Function 00EE2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00EE2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00EE2DD6
GetCurrentThreadId.KERNEL32 ref: 00EE2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00EE2DE4

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: f88e93e500a6fbde8d4c1489a34c9984d2d6a37deab5e3443c2c5e9e517908bb
Instruction ID: ed8b24a3bb138f5b5102ad63b35aa37f4c7d0cec4957ad7ff4a95c8a03ef7475
Opcode Fuzzy Hash: f88e93e500a6fbde8d4c1489a34c9984d2d6a37deab5e3443c2c5e9e517908bb
Instruction Fuzzy Hash: 9EE06D7158122C7BD7201BA39C0DEEB3E6CEB42BA1F015119B309E1080DBA08840D6F0

Function 00F18863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00E99639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E99693
Part of subcall function 00E99639: SelectObject.GDI32(?,00000000), ref: 00E996A2
Part of subcall function 00E99639: BeginPath.GDI32(?), ref: 00E996B9
Part of subcall function 00E99639: SelectObject.GDI32(?,00000000), ref: 00E996E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00F18887
LineTo.GDI32(?,?,?), ref: 00F18894
EndPath.GDI32(?), ref: 00F188A4
StrokePath.GDI32(?), ref: 00F188B2

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 66e39c1d00017e79fc0a041de3764904e632343a027c0cdf865e466b55a8ca0a
Instruction ID: 407deb4269c702cde8323bf5a7fb3415053090d2231a11ff727375b73c8a02bb
Opcode Fuzzy Hash: 66e39c1d00017e79fc0a041de3764904e632343a027c0cdf865e466b55a8ca0a
Instruction Fuzzy Hash: B6F05E3608125CFADB125F94AC0AFCE3F59AF0A321F058000FB11A50E2C7755551EFE9

Function 00E998B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00E998CC
SetTextColor.GDI32(?,?), ref: 00E998D6
SetBkMode.GDI32(?,00000001), ref: 00E998E9
GetStockObject.GDI32(00000005), ref: 00E998F1

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 4acbffce2b59a095cd2e8f25643f12b21fbd4bdc997f84f705cfe0c386207a5a
Instruction ID: 3650c6d357416f47ce8a7ffb5b6500e60aee7ec8b2ad2c123cfa296a37d6e39e
Opcode Fuzzy Hash: 4acbffce2b59a095cd2e8f25643f12b21fbd4bdc997f84f705cfe0c386207a5a
Instruction Fuzzy Hash: 1EE065312C4244BADB215B74BC09BD83F11EB11736F14C21AF6F5640E1C3714641AB11

Function 00EE162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00EE1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00EE11D9), ref: 00EE163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00EE11D9), ref: 00EE1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00EE11D9), ref: 00EE164F

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 5034fad71d28fdbe7a4ceaab07e358875c28c15cc37b78f0c7ec1a716f31ee8f
Instruction ID: 946708fcb0dd44ee688651b9b2d2d0a4732a9ed6b58a24804d1dd4fd8685e3df
Opcode Fuzzy Hash: 5034fad71d28fdbe7a4ceaab07e358875c28c15cc37b78f0c7ec1a716f31ee8f
Instruction Fuzzy Hash: 95E08631641215DBD7201FA19D0DBC63B7CBF44795F16C848F245D9080D6344580DB90

Function 00EDD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00EDD858
GetDC.USER32(00000000), ref: 00EDD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00EDD882
ReleaseDC.USER32(?), ref: 00EDD8A3

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 3274c60a97a140cbe530fbbe026d6ee627906668dcf4c99981a8fe4eec202f75
Instruction ID: 2691e23c50ad36f45d8ad22de96ab0f7cc821ce52ff8b36eedc434c084ad8667
Opcode Fuzzy Hash: 3274c60a97a140cbe530fbbe026d6ee627906668dcf4c99981a8fe4eec202f75
Instruction Fuzzy Hash: 5AE01AB4844208EFCF41AFA0D8086ADBBF2FB08310F25E009E80EE7250C7384901BF90

Function 00EDD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00EDD86C
GetDC.USER32(00000000), ref: 00EDD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00EDD882
ReleaseDC.USER32(?), ref: 00EDD8A3

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 97878f561f7fc4fbb5b47c32a2f18dabd8ae17e72c2c4e9987068377367424b5
Instruction ID: 7569b16628a86b25e83d5ab81bbb6298a9e3b66534f16e85a186659e8b8200ce
Opcode Fuzzy Hash: 97878f561f7fc4fbb5b47c32a2f18dabd8ae17e72c2c4e9987068377367424b5
Instruction Fuzzy Hash: 51E09A75D44208DFCF51AFA0D8086ADBBF5BB08311B15A449E94EE7250C7385901AF90

Function 00EF4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00E87620: _wcslen.LIBCMT ref: 00E87625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00EF4ED4

Strings

*, xrefs: 00EF4E10
LPT, xrefs: 00EF4DFB

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: f2c27f1b4e75fdd54c6f910b421eb5a8354d40f6e9b6ea228c3c758ddc4351ae
Instruction ID: 2dd5478f788eed110d0b51068e8e4d9784d63ca2a9cbf93f4bcf5c86c8b12dfb
Opcode Fuzzy Hash: f2c27f1b4e75fdd54c6f910b421eb5a8354d40f6e9b6ea228c3c758ddc4351ae
Instruction Fuzzy Hash: 759163B5A002089FCB14DF54C484EBABBF1BF45318F19A099E549AF3A2D731ED85CB91

Function 00EAE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00EAE30D

Strings

pow, xrefs: 00EAE2E5, 00EAE302

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 40eaa614bacc2d59bc64537566e8b764ed7af0dabb411eb986b07a4a9782428a
Instruction ID: 4b87c2420fdb516b795c98db40094756e1f472ba6964d84cdf912a6357fd5937
Opcode Fuzzy Hash: 40eaa614bacc2d59bc64537566e8b764ed7af0dabb411eb986b07a4a9782428a
Instruction Fuzzy Hash: 5B518D61A0C20696CB157714C9013FB3BE8EF86784F30799CE0D67A7E8EB34DC959A46

Function 00E9E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00E9E1B1

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 4bf7b3e3b5a9a6fb33020abcd601f399acc1ea1d9e32383c243f2a9c7f43a4e9
Instruction ID: ab430129ea2e2b6c74bd9bf34df5eed4c5f5ebc24d6e107b1bcd04e1f170aa0d
Opcode Fuzzy Hash: 4bf7b3e3b5a9a6fb33020abcd601f399acc1ea1d9e32383c243f2a9c7f43a4e9
Instruction Fuzzy Hash: F0510F35900246DFDF19EF68C4856FA7BA8EF15314F246056E891BF3A0D6309D43CBA0

Function 00E9F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00E9F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00E9F2BB

Strings

@, xrefs: 00E9F2AF

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 9fac522cde3f8a2285dfedf2f1ad4f78febf5dc90b7a4005c73283bddbbc87ea
Instruction ID: e9536d5f82764b6782aee01dc97b0d5f123515965278f3c83ca0fbbfea5738c9
Opcode Fuzzy Hash: 9fac522cde3f8a2285dfedf2f1ad4f78febf5dc90b7a4005c73283bddbbc87ea
Instruction Fuzzy Hash: D25158715087489BE320AF10EC86BAFBBF8FF85314F91884DF1D961195EB308529CB66

Function 00F05745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00F057E0
_wcslen.LIBCMT ref: 00F057EC

Strings

CALLARGARRAY, xrefs: 00F057E6, 00F057EB

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 8466591f48c83938047bc3e3cfae2fec7f5b41b5e6d7434db9c179d92f71b1b2
Instruction ID: 29d41d436f490faf058f4e880d571d73d1c6830caf156f6596b50dd018c59e63
Opcode Fuzzy Hash: 8466591f48c83938047bc3e3cfae2fec7f5b41b5e6d7434db9c179d92f71b1b2
Instruction Fuzzy Hash: 74418F31E002099FCB14DFA9C8819BEBBF5EF59720F149069E905A7292E7709D81EF90

Function 00EFD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EFD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00EFD13A

Strings

|, xrefs: 00EFD10B

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: c21b64ce75f0f5158e8da50d7c0cd853a365ad76945c003f4c301487fcdddf43
Instruction ID: 48937a569583d5ff393ec80bb51349e46e0cb91368ae70f979029f2d044a79fb
Opcode Fuzzy Hash: c21b64ce75f0f5158e8da50d7c0cd853a365ad76945c003f4c301487fcdddf43
Instruction Fuzzy Hash: EB313E71D01219ABCF15EFA4CC85AEEBFBAFF05304F001059F919B6162E731AA16DB60

Function 00F1356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00F13621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00F1365C

Strings

static, xrefs: 00F135BC

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 1f5ea66e105ebe283f40c1b8c14e1cdc2eff1ae940c2f084d1fa837183a6698c
Instruction ID: 6d9ad86155f40873c570b6e1570f89870a70e8dcf9d29ff9e8cfb5ad4aec75c6
Opcode Fuzzy Hash: 1f5ea66e105ebe283f40c1b8c14e1cdc2eff1ae940c2f084d1fa837183a6698c
Instruction Fuzzy Hash: 0C318D71500204AEDB209F28DC80EFB73A9FF88764F10961DF9A997280DA35AD91E760

Function 00F14537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00F1461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F14634

Strings

', xrefs: 00F1458E

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: c105b27aba3936f0a26e3a45180192131c1f8283602fe23a19aa3d1ddc8f1004
Instruction ID: fa6b251d15cde91ee2e2ad59dc00260e1e68d332b4c59e480bf7729d21b7a276
Opcode Fuzzy Hash: c105b27aba3936f0a26e3a45180192131c1f8283602fe23a19aa3d1ddc8f1004
Instruction Fuzzy Hash: FC313975A0030A9FDF14CFA9C990BDABBB6FF49314F14406AE904AB381D770A981DF90

Function 00F131EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00F1327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F13287

Strings

Combobox, xrefs: 00F13249

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: ab162c40ad7e4c1c14a892601d28c9e3a6dccac9fd69c1864cc7e7960b72d4e3
Instruction ID: b7f5a3a828d63ac67e0d85b8869cf21a2fa9f6041ce12fbe39a259925de6d162
Opcode Fuzzy Hash: ab162c40ad7e4c1c14a892601d28c9e3a6dccac9fd69c1864cc7e7960b72d4e3
Instruction Fuzzy Hash: 1F11B2717002487FEF21AE54DC80EFB3BABEB983A4F104128F918A7290D6319D91A760

Function 00F13710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00E8600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E8604C
Part of subcall function 00E8600E: GetStockObject.GDI32(00000011), ref: 00E86060
Part of subcall function 00E8600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E8606A

GetWindowRect.USER32(00000000,?), ref: 00F1377A
GetSysColor.USER32(00000012), ref: 00F13794

Strings

static, xrefs: 00F13757

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: ec4ad39a7388f6167a150114d47722748eb96fc3aadb8292a0711c8601c03150
Instruction ID: e431fca8ab70442329150aa6c2a77732c21614e7e3e846610a36da72c6d12ce1
Opcode Fuzzy Hash: ec4ad39a7388f6167a150114d47722748eb96fc3aadb8292a0711c8601c03150
Instruction Fuzzy Hash: 131126B261020AAFDF11DFA8CC46AEA7BB9FB08354F014914F955E2250E735E851ABA0

Function 00EFCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00EFCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00EFCDA6

Strings

<local>, xrefs: 00EFCD66

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 622736f424601c43d3b63fcb92d370dbb662abf8d1e18e7a0b8dec1a604306eb
Instruction ID: 5ebfdba4e108f4cc52866a1fe6e946e6534c2c1de0ed1e356286f913dcd6cee6
Opcode Fuzzy Hash: 622736f424601c43d3b63fcb92d370dbb662abf8d1e18e7a0b8dec1a604306eb
Instruction Fuzzy Hash: 2A11CA7124563D79D7344B668C45EFBBE5CEF127A4F705225B209A3080D7719941D6F0

Function 00F13429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00F134AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00F134BA

Strings

edit, xrefs: 00F1348F

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 9e7e24f9072bcaab3f192fd6220e417b91647759d73be5649f956b21a8b3e5ab
Instruction ID: c892485430c2709bccf9f57297b3c74950d866c1420c27b5ce15aff143be680e
Opcode Fuzzy Hash: 9e7e24f9072bcaab3f192fd6220e417b91647759d73be5649f956b21a8b3e5ab
Instruction Fuzzy Hash: 92118F71500208AFEF218E64DC44AEB37AAEB15374F504324FA65931D4C771EC91A750

Function 00EE6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

CharUpperBuffW.USER32(?,?,?), ref: 00EE6CB6
_wcslen.LIBCMT ref: 00EE6CC2

Strings

STOP, xrefs: 00EE6CBC, 00EE6CC1

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 47a913f9ceb15619160299a668eab4eddd7fb98eb92a75517b63c129406ca393
Instruction ID: ed29957438f18279a2ba7bdc0d22c145b7d5da31d6d99bee9a96703528cf63fd
Opcode Fuzzy Hash: 47a913f9ceb15619160299a668eab4eddd7fb98eb92a75517b63c129406ca393
Instruction Fuzzy Hash: 4401E532A0056A8A8B10AEBECC409BFB7E5EA717547501924E856B6195EA31D8008750

Function 00EE1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

Part of subcall function 00EE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EE3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00EE1D4C

Strings

ComboBox, xrefs: 00EE1CEB
ListBox, xrefs: 00EE1D16

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: be1298466d5ed07a756341eaa80a0f6e95630c14a370476d71820c5a6b54fcb9
Instruction ID: 5abf238541fa495c24b40a81edc998e23d6e6a7a4d3e64ad0b6471e074b50252
Opcode Fuzzy Hash: be1298466d5ed07a756341eaa80a0f6e95630c14a370476d71820c5a6b54fcb9
Instruction Fuzzy Hash: A1012831A0121CABCB08FBA0CC15CFEB7A8EB42350B141549F83A772C2EA3199488760

Function 00EE1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

Part of subcall function 00EE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EE3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00EE1C46

Strings

ComboBox, xrefs: 00EE1BE5
ListBox, xrefs: 00EE1C10

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c27ced3c4face63e725f4641741acc5ef0591a72c5565f80eb814d4e2e4cbf34
Instruction ID: 80aec641248c1338f65fdfe9b778907aa37e379964ed33abd4107c0d56202f11
Opcode Fuzzy Hash: c27ced3c4face63e725f4641741acc5ef0591a72c5565f80eb814d4e2e4cbf34
Instruction Fuzzy Hash: 0501FC71B8114C67CB08F7A1C955AFFB7E89B11340F241055B80AB3182EA359E4897B1

Function 00EE1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

Part of subcall function 00EE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EE3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00EE1CC8

Strings

ComboBox, xrefs: 00EE1C69
ListBox, xrefs: 00EE1C94

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 2cc80c99e0fa1cf2bca9843582408d37dc2c4dad5fcc75390deb4f642c68c0b6
Instruction ID: fe9a2471b851ba2db00959c643e64d76591834e4c7a56bc1a6ac9f3ed2ea5db3
Opcode Fuzzy Hash: 2cc80c99e0fa1cf2bca9843582408d37dc2c4dad5fcc75390deb4f642c68c0b6
Instruction Fuzzy Hash: 5101DB71A8115C67CB08F7A1CA15AFEF7E89B11740F342015B80AB3282EA35DF48D771

Function 00EE1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E89CB3: _wcslen.LIBCMT ref: 00E89CBD

Part of subcall function 00EE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00EE3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00EE1DD3

Strings

ComboBox, xrefs: 00EE1D75
ListBox, xrefs: 00EE1DA0

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: d496d63026a5901306d0a61bc7e1122ee1e04953ccd8caf87cf4a7446bb34509
Instruction ID: 02fba8cb5a020c3aa9f7d5347d0e36273d37ca9c4d3532c71be5744046891be7
Opcode Fuzzy Hash: d496d63026a5901306d0a61bc7e1122ee1e04953ccd8caf87cf4a7446bb34509
Instruction Fuzzy Hash: 2EF0F471E4121C67CB08F7A5CC56AFEB7A8AB01740F182915B82A732C2EB7199088360

Function 00F0747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F07493
_wcslen.LIBCMT ref: 00F074B9

Strings

3, 3, 16, 1, xrefs: 00F07483

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 87004348170733393fb80d77aa4f94cad547fba39139f76ae50d21b2d09fe956
Instruction ID: a393cf95b76cf57307fedc1841e28a26db0a47753625b188f0545061f4e3e646
Opcode Fuzzy Hash: 87004348170733393fb80d77aa4f94cad547fba39139f76ae50d21b2d09fe956
Instruction Fuzzy Hash: ECE02B4AE0436190D33136799CC197F96CDCFCA760710286BF981D62E6EAD4EDA1B3A1

Function 00EE0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00EE0B23

Strings

AutoIt, xrefs: 00EE0B17
Error allocating memory., xrefs: 00EE0B1C

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 4b9d456773bafb0c65b42d528448df5c1810caf535d1c55f04b9727803da703f
Instruction ID: 9c95ca6d58d2c1e4cf332af3faebd04de6a0d8913e0fdf9eed9b02219be006ee
Opcode Fuzzy Hash: 4b9d456773bafb0c65b42d528448df5c1810caf535d1c55f04b9727803da703f
Instruction Fuzzy Hash: D9E0D83128430827D21036547C03FC97AC48F06F20F10542AFB48B94C38AD2649016EA

Function 00EA0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00E9F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00EA0D71,?,?,?,00E8100A), ref: 00E9F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00E8100A), ref: 00EA0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00E8100A), ref: 00EA0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00EA0D7F

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: c4e72b18b879daaca39c75f7c782402b3ddde4901883e21e3bf11ebdad927325
Instruction ID: f03007771bf3f38d19915193f385efa6a80a7a4af81ae043513c254409a003b3
Opcode Fuzzy Hash: c4e72b18b879daaca39c75f7c782402b3ddde4901883e21e3bf11ebdad927325
Instruction Fuzzy Hash: BCE092742007418BD3709FB8D4083827BE0BF05744F008D2DE486DA651DBF4F4889BD1

Function 00EDD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00EDD220

Strings

%.3d, xrefs: 00EDD22B
X64, xrefs: 00EDD2A8

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: fb0ffa0cdd192fe6954bfe2cd78b9cc4ba5cb212446aedb11e22dd4d6ae7a1c8
Instruction ID: 7c21b72076794662e09b988aff28b202543b6ef335a20dc6ffcde9473289aa99
Opcode Fuzzy Hash: fb0ffa0cdd192fe6954bfe2cd78b9cc4ba5cb212446aedb11e22dd4d6ae7a1c8
Instruction Fuzzy Hash: 12D012A184C118EACF509AD0CC458F9B3BCEB18341F50A453FC06F1150E634C50A6B61

Function 00F12356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F1236C
PostMessageW.USER32(00000000), ref: 00F12373

Part of subcall function 00EEE97B: Sleep.KERNEL32 ref: 00EEE9F3

Strings

Shell_TrayWnd, xrefs: 00F12365

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 4c18ca3b7bd4c29faaca404e60194f322ea447e43d166870e678318b60e332cd
Instruction ID: a0826131f315b1bab49423be98027003c920da7b980866f331c5285d3a3edf94
Opcode Fuzzy Hash: 4c18ca3b7bd4c29faaca404e60194f322ea447e43d166870e678318b60e332cd
Instruction Fuzzy Hash: 8CD022323C03047BE264B370DC0FFC6BA449B00B00F0189027705EA1D0C8F0B800DA84

Function 00F12322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F1232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00F1233F

Part of subcall function 00EEE97B: Sleep.KERNEL32 ref: 00EEE9F3

Strings

Shell_TrayWnd, xrefs: 00F12325

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 8eb8753f7ade3384be188a91229e3a021fa3afe5c26e61d14c17ec998a1782fa
Instruction ID: 4351db4346060e745275b6525bd591625e5c134b4379c31f5aee8b3a06211bdc
Opcode Fuzzy Hash: 8eb8753f7ade3384be188a91229e3a021fa3afe5c26e61d14c17ec998a1782fa
Instruction Fuzzy Hash: 22D022323C0304BBE264B370DC0FFC6BA449B00B00F0189027709EA1D0C8F0A800DA80

Function 00EBBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00EBBE93
GetLastError.KERNEL32 ref: 00EBBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00EBBEFC

Memory Dump Source

Source File: 00000000.00000002.1726621853.0000000000E81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.1726603881.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F1C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726688264.0000000000F42000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726737427.0000000000F4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726755663.0000000000F54000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_nnn.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: fa08bae52517edc0efb6b3e10be7b5daf1ad0e9fd9fb2aa3b62c917a0993b42e
Instruction ID: 4a22cbc09a886a1a4b22e192855deae39f580b613f8502dfa6c1bad48c9b8425
Opcode Fuzzy Hash: fa08bae52517edc0efb6b3e10be7b5daf1ad0e9fd9fb2aa3b62c917a0993b42e
Instruction Fuzzy Hash: 0841F73470020AAFCF218FA5CC44AFB7BA9EF42314F156169F959BB1A1DBB09D01DB60

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report nnn.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut489E.tmp

C:\Users\user\AppData\Local\Temp\parters

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
nnn.exe

Function 00E842DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 00E842A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00EEDBBE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 29
filestringCOMMON

Function 00E82CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00EB8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMONLIBRARYCODE

Function 00EC065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00E8344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00E82B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00E83170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 0174F458 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00E82C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 0174F228 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 146
fileCOMMON

Function 00EF2947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Function 00EB5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186
COMMONLIBRARYCODE

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre