Edit tour

Windows Analysis Report
EPIRTURMEROOO0060.exe

Overview

General Information

Sample name:	EPIRTURMEROOO0060.exe
Analysis ID:	1580113
MD5:	6b2561c0b680c9e681b71663cd6afb1e
SHA1:	39d5ad324e919744f94c5281af5d612422657fc2
SHA256:	e0663b19ffa16445efed5a1c70bd92ab61a65faef5535fe7f43c81f3b86ea2c2
Tags:	exeMassLoggeruser-threatcat_ch
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected MassLogger RAT

Yara detected Telegram RAT

.NET source code references suspicious native API functions

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Contains functionality to detect sleep reduction / modifications

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

EPIRTURMEROOO0060.exe (PID: 6772 cmdline: "C:\Users\user\Desktop\EPIRTURMEROOO0060.exe" MD5: 6B2561C0B680C9E681B71663CD6AFB1E)

RegSvcs.exe (PID: 6888 cmdline: "C:\Users\user\Desktop\EPIRTURMEROOO0060.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "serverche399@gpsamsterdamqroup.com", "Password": "     j4YX(KT7UCZ1      ", "Server": "fiber13.dnsiaas.com", "To": "almightstephen@gmail.com", "Port": 587}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1720260774.0000000000C80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.1720260774.0000000000C80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1720260774.0000000000C80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1720260774.0000000000C80000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1720260774.0000000000C80000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x141ab:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x136a9:$a3: \Google\Chrome\User Data\Default\Login Data 0x139b7:$a4: \Orbitum\User Data\Default\Login Data 0x147af:$a5: \Kometa\User Data\Default\Login Data
00000001.00000002.2948549193.0000000003295000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2947695905.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000001.00000002.2947695905.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2947695905.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.2947695905.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xefa7:$a1: get_encryptedPassword 0xf2cf:$a2: get_encryptedUsername 0xed42:$a3: get_timePasswordChanged 0xee63:$a4: get_passwordField 0xefbd:$a5: set_encryptedPassword 0x10919:$a7: get_logins 0x105ca:$a8: GetOutlookPasswords 0x103bc:$a9: StartKeylogger 0x10869:$a10: KeyLoggerEventArgs 0x10419:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: EPIRTURMEROOO0060.exe PID: 6772	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: EPIRTURMEROOO0060.exe PID: 6772	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: EPIRTURMEROOO0060.exe PID: 6772	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: EPIRTURMEROOO0060.exe PID: 6772	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x19a137:$a1: get_encryptedPassword 0x19a450:$a2: get_encryptedUsername 0x199ee6:$a3: get_timePasswordChanged 0x19a007:$a4: get_passwordField 0x19a14d:$a5: set_encryptedPassword 0x19ba50:$a7: get_logins 0x19b701:$a8: GetOutlookPasswords 0x19b4f3:$a9: StartKeylogger 0x19b9a0:$a10: KeyLoggerEventArgs 0x19b550:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 6888	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 6888	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 6888	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 6888	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e001:$a1: get_encryptedPassword 0x2e31a:$a2: get_encryptedUsername 0x2ddb0:$a3: get_timePasswordChanged 0x2ded1:$a4: get_passwordField 0x2e017:$a5: set_encryptedPassword 0x2f91a:$a7: get_logins 0x2f5cb:$a8: GetOutlookPasswords 0x2f3bd:$a9: StartKeylogger 0x2f86a:$a10: KeyLoggerEventArgs 0x2f41a:$a11: KeyLoggerEventArgsEventHandler
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.EPIRTURMEROOO0060.exe.c80000.0.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.EPIRTURMEROOO0060.exe.c80000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.EPIRTURMEROOO0060.exe.c80000.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.EPIRTURMEROOO0060.exe.c80000.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
0.2.EPIRTURMEROOO0060.exe.c80000.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x141ab:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x136a9:$a3: \Google\Chrome\User Data\Default\Login Data 0x139b7:$a4: \Orbitum\User Data\Default\Login Data 0x147af:$a5: \Kometa\User Data\Default\Login Data
0.2.EPIRTURMEROOO0060.exe.c80000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.EPIRTURMEROOO0060.exe.c80000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.EPIRTURMEROOO0060.exe.c80000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.EPIRTURMEROOO0060.exe.c80000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
0.2.EPIRTURMEROOO0060.exe.c80000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x123ab:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x118a9:$a3: \Google\Chrome\User Data\Default\Login Data 0x11bb7:$a4: \Orbitum\User Data\Default\Login Data 0x129af:$a5: \Kometa\User Data\Default\Login Data
1.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
1.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x141ab:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x136a9:$a3: \Google\Chrome\User Data\Default\Login Data 0x139b7:$a4: \Orbitum\User Data\Default\Login Data 0x147af:$a5: \Kometa\User Data\Default\Login Data
Click to see the 10 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T00:25:13.665092+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49730	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.EPIRTURMEROOO0060.exe.c80000.0.raw.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "serverche399@gpsamsterdamqroup.com", "Password": " j4YX(KT7UCZ1 ", "Server": "fiber13.dnsiaas.com", "To": "almightstephen@gmail.com", "Port": 587}

Multi AV Scanner detection for submitted file

Source: EPIRTURMEROOO0060.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: EPIRTURMEROOO0060.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: EPIRTURMEROOO0060.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49731 version: TLS 1.0

Source:	Binary string: wntdll.pdbUGP source: EPIRTURMEROOO0060.exe, 00000000.00000003.1718566429.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, EPIRTURMEROOO0060.exe, 00000000.00000003.1719605893.0000000003630000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: EPIRTURMEROOO0060.exe, 00000000.00000003.1718566429.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, EPIRTURMEROOO0060.exe, 00000000.00000003.1719605893.0000000003630000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F9DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00F9DBBE
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00FA68EE FindFirstFileW,FindClose,	0_2_00FA68EE
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00FA698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00FA698F
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F9D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F9D076
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F9D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F9D3A9
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00FA9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FA9642
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00FA979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FA979D
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00FA9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00FA9B2B
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00FA5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00FA5C97

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 030C5782h	1_2_030C5366
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 030C51B9h	1_2_030C4F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 030C5782h	1_2_030C56AF

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View	IP Address: 172.67.177.134 172.67.177.134

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49730 -> 193.122.6.168:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49731 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

Code function: 0_2_00FACE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_00FACE44

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000001.00000002.2948549193.00000000031F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000001.00000002.2948549193.00000000031F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: RegSvcs.exe, 00000001.00000002.2948549193.00000000031F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2948549193.00000000031DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000001.00000002.2948549193.0000000003171000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000001.00000002.2948549193.00000000031F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: EPIRTURMEROOO0060.exe, 00000000.00000002.1720260774.0000000000C80000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2947695905.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000001.00000002.2948549193.00000000031F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: RegSvcs.exe, 00000001.00000002.2949391644.0000000006560000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: RegSvcs.exe, 00000001.00000002.2948549193.000000000320D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000001.00000002.2948549193.000000000320D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: RegSvcs.exe, 00000001.00000002.2948549193.0000000003171000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: EPIRTURMEROOO0060.exe, 00000000.00000002.1720260774.0000000000C80000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2947695905.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000001.00000002.2948549193.00000000031F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: EPIRTURMEROOO0060.exe, 00000000.00000002.1720260774.0000000000C80000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2948549193.00000000031F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2947695905.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000001.00000002.2948549193.00000000031F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: RegSvcs.exe, 00000001.00000002.2948549193.00000000031F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.EPIRTURMEROOO0060.exe.c80000.0.raw.unpack, UltraSpeed.cs

.Net Code: VKCodeToUnicode

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

Code function: 0_2_00FAEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00FAEAFF

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

Code function: 0_2_00FAED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00FAED6A

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

0_2_00FAEAFF

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

Code function: 0_2_00F9AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00F9AA57

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

Code function: 0_2_00FC9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00FC9576

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.EPIRTURMEROOO0060.exe.c80000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.EPIRTURMEROOO0060.exe.c80000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.EPIRTURMEROOO0060.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.EPIRTURMEROOO0060.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000000.00000002.1720260774.0000000000C80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1720260774.0000000000C80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000001.00000002.2947695905.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: EPIRTURMEROOO0060.exe PID: 6772, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 6888, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: EPIRTURMEROOO0060.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: EPIRTURMEROOO0060.exe, 00000000.00000000.1692916411.0000000000FF2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d22333c6-c
Source: EPIRTURMEROOO0060.exe, 00000000.00000000.1692916411.0000000000FF2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_216857df-3
Source: EPIRTURMEROOO0060.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c469a9b4-e
Source: EPIRTURMEROOO0060.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_67dff195-b

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

Code function: 0_2_00F9D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00F9D5EB

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

Code function: 0_2_00F91201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00F91201

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

Code function: 0_2_00F9E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00F9E8F6

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F38060	0_2_00F38060
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00FA2046	0_2_00FA2046
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F98298	0_2_00F98298
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F6E4FF	0_2_00F6E4FF
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F6676B	0_2_00F6676B
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00FC4873	0_2_00FC4873
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F3CAF0	0_2_00F3CAF0
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F5CAA0	0_2_00F5CAA0
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F4CC39	0_2_00F4CC39
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F66DD9	0_2_00F66DD9
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F391C0	0_2_00F391C0
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F4B119	0_2_00F4B119
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F51394	0_2_00F51394
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F51706	0_2_00F51706
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F5781B	0_2_00F5781B
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F519B0	0_2_00F519B0
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F4997D	0_2_00F4997D
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F37920	0_2_00F37920
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F57A4A	0_2_00F57A4A
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F57CA7	0_2_00F57CA7
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F51C77	0_2_00F51C77
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F69EEE	0_2_00F69EEE
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00FBBE44	0_2_00FBBE44
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F51F32	0_2_00F51F32
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_011A2A30	0_2_011A2A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_030CC168	1_2_030CC168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_030C27B9	1_2_030C27B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_030CCA58	1_2_030CCA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_030C4F08	1_2_030C4F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_030C7E68	1_2_030C7E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_030CC386	1_2_030CC386
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_030CB9E0	1_2_030CB9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_030C7E59	1_2_030C7E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_030C4EF8	1_2_030C4EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_030C2DD1	1_2_030C2DD1

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: String function: 00F50A30 appears 46 times
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: String function: 00F4F9F2 appears 31 times

Source: EPIRTURMEROOO0060.exe, 00000000.00000002.1720260774.0000000000C80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs EPIRTURMEROOO0060.exe
Source: EPIRTURMEROOO0060.exe, 00000000.00000003.1719235163.0000000003753000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs EPIRTURMEROOO0060.exe
Source: EPIRTURMEROOO0060.exe, 00000000.00000003.1719353574.00000000038FD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs EPIRTURMEROOO0060.exe

Source: EPIRTURMEROOO0060.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.EPIRTURMEROOO0060.exe.c80000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.EPIRTURMEROOO0060.exe.c80000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.EPIRTURMEROOO0060.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.EPIRTURMEROOO0060.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.1720260774.0000000000C80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1720260774.0000000000C80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.2947695905.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: EPIRTURMEROOO0060.exe PID: 6772, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 6888, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 0.2.EPIRTURMEROOO0060.exe.c80000.0.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.EPIRTURMEROOO0060.exe.c80000.0.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@2/2

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

Code function: 0_2_00FA37B5 GetLastError,FormatMessageW,

0_2_00FA37B5

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F910BF AdjustTokenPrivileges,CloseHandle,		0_2_00F910BF
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F916C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00F916C3

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

Code function: 0_2_00FA51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00FA51CD

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

Code function: 0_2_00FBA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00FBA67C

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

Code function: 0_2_00FA648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00FA648E

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

Code function: 0_2_00F342A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00F342A2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

File created: C:\Users\user\AppData\Local\Temp\aut22DD.tmp

Jump to behavior

Source: EPIRTURMEROOO0060.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000001.00000002.2948549193.0000000003260000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2948549193.0000000003250000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2948549193.000000000326E000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: EPIRTURMEROOO0060.exe

ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe "C:\Users\user\Desktop\EPIRTURMEROOO0060.exe"
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\EPIRTURMEROOO0060.exe"
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\EPIRTURMEROOO0060.exe"	Jump to behavior

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: EPIRTURMEROOO0060.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: EPIRTURMEROOO0060.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: EPIRTURMEROOO0060.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: EPIRTURMEROOO0060.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: EPIRTURMEROOO0060.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: EPIRTURMEROOO0060.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: EPIRTURMEROOO0060.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: EPIRTURMEROOO0060.exe, 00000000.00000003.1718566429.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, EPIRTURMEROOO0060.exe, 00000000.00000003.1719605893.0000000003630000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: EPIRTURMEROOO0060.exe, 00000000.00000003.1718566429.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, EPIRTURMEROOO0060.exe, 00000000.00000003.1719605893.0000000003630000.00000004.00001000.00020000.00000000.sdmp

Source: EPIRTURMEROOO0060.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: EPIRTURMEROOO0060.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: EPIRTURMEROOO0060.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: EPIRTURMEROOO0060.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: EPIRTURMEROOO0060.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

Code function: 0_2_00F342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F342DE

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F9C9FE push esi; ret	0_2_00F9CA01
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F50A76 push ecx; ret	0_2_00F50A89
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F9CA33 push esi; ret	0_2_00F9CA36
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_030CF273 push ebp; retf	1_2_030CF281

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F4F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00F4F98E
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00FC1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00FC1C41

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

Code function: 0_2_00F3D85A

0_2_00F3D85A

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

API/Special instruction interceptor: Address: 11A2654

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: EPIRTURMEROOO0060.exe, 00000000.00000003.1694026953.00000000011B5000.00000004.00000020.00020000.00000000.sdmp, EPIRTURMEROOO0060.exe, 00000000.00000003.1708062602.00000000011B5000.00000004.00000020.00020000.00000000.sdmp, EPIRTURMEROOO0060.exe, 00000000.00000002.1720499207.00000000011B5000.00000004.00000020.00020000.00000000.sdmp, EPIRTURMEROOO0060.exe, 00000000.00000003.1694502114.00000000011B5000.00000004.00000020.00020000.00000000.sdmp, EPIRTURMEROOO0060.exe, 00000000.00000003.1694706474.00000000011B5000.00000004.00000020.00020000.00000000.sdmp, EPIRTURMEROOO0060.exe, 00000000.00000003.1706659609.00000000011A0000.00000004.00000020.00020000.00000000.sdmp, EPIRTURMEROOO0060.exe, 00000000.00000003.1693969080.000000000119D000.00000004.00000020.00020000.00000000.sdmp, EPIRTURMEROOO0060.exe, 00000000.00000003.1697704862.00000000011B5000.00000004.00000020.00020000.00000000.sdmp, EPIRTURMEROOO0060.exe, 00000000.00000003.1694427573.00000000011B5000.00000004.00000020.00020000.00000000.sdmp, EPIRTURMEROOO0060.exe, 00000000.00000003.1694862399.00000000011B5000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: FIDDLER.EXE

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

API coverage: 4.8 %

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F9DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00F9DBBE
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00FA68EE FindFirstFileW,FindClose,	0_2_00FA68EE
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00FA698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00FA698F
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F9D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F9D076
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F9D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F9D3A9
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00FA9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FA9642
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00FA979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FA979D
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00FA9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00FA9B2B
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00FA5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00FA5C97

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

Code function: 0_2_00F342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F342DE

Source: RegSvcs.exe, 00000001.00000002.2947867505.00000000013AD000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 1_2_030CC168 LdrInitializeThunk,LdrInitializeThunk,

1_2_030CC168

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

Code function: 0_2_00FAEAA2 BlockInput,

0_2_00FAEAA2

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

Code function: 0_2_00F62622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00F62622

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

Code function: 0_2_00F342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F342DE

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F54CE8 mov eax, dword ptr fs:[00000030h]	0_2_00F54CE8
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_011A2920 mov eax, dword ptr fs:[00000030h]	0_2_011A2920
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_011A28C0 mov eax, dword ptr fs:[00000030h]	0_2_011A28C0
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_011A12A0 mov eax, dword ptr fs:[00000030h]	0_2_011A12A0

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

Code function: 0_2_00F90B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00F90B62

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F62622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F62622
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F5083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F5083F
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F509D5 SetUnhandledExceptionFilter,	0_2_00F509D5
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00F50C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00F50C21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.EPIRTURMEROOO0060.exe.c80000.0.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.EPIRTURMEROOO0060.exe.c80000.0.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.EPIRTURMEROOO0060.exe.c80000.0.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: E1B008

Jump to behavior

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

0_2_00F91201

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

Code function: 0_2_00F72BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00F72BA5

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

Code function: 0_2_00F9B226 SendInput,keybd_event,

0_2_00F9B226

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

Code function: 0_2_00FB22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00FB22DA

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\EPIRTURMEROOO0060.exe"

Jump to behavior

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

0_2_00F90B62

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

Code function: 0_2_00F91663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00F91663

Source: EPIRTURMEROOO0060.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: EPIRTURMEROOO0060.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

Code function: 0_2_00F50698 cpuid

0_2_00F50698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

Code function: 0_2_00FA8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00FA8195

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

Code function: 0_2_00F8D27A GetUserNameW,

0_2_00F8D27A

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

Code function: 0_2_00F6BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00F6BB6F

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe

Code function: 0_2_00F342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F342DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.EPIRTURMEROOO0060.exe.c80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EPIRTURMEROOO0060.exe.c80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1720260774.0000000000C80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2947695905.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EPIRTURMEROOO0060.exe PID: 6772, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6888, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.EPIRTURMEROOO0060.exe.c80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EPIRTURMEROOO0060.exe.c80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1720260774.0000000000C80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2947695905.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EPIRTURMEROOO0060.exe PID: 6772, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6888, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: EPIRTURMEROOO0060.exe	Binary or memory string: WIN_81
Source: EPIRTURMEROOO0060.exe	Binary or memory string: WIN_XP
Source: EPIRTURMEROOO0060.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: EPIRTURMEROOO0060.exe	Binary or memory string: WIN_XPe
Source: EPIRTURMEROOO0060.exe	Binary or memory string: WIN_VISTA
Source: EPIRTURMEROOO0060.exe	Binary or memory string: WIN_7
Source: EPIRTURMEROOO0060.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 0.2.EPIRTURMEROOO0060.exe.c80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EPIRTURMEROOO0060.exe.c80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1720260774.0000000000C80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2948549193.0000000003295000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2947695905.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EPIRTURMEROOO0060.exe PID: 6772, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6888, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.EPIRTURMEROOO0060.exe.c80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EPIRTURMEROOO0060.exe.c80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1720260774.0000000000C80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2947695905.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EPIRTURMEROOO0060.exe PID: 6772, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6888, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.EPIRTURMEROOO0060.exe.c80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EPIRTURMEROOO0060.exe.c80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1720260774.0000000000C80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2947695905.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EPIRTURMEROOO0060.exe PID: 6772, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6888, type: MEMORYSTR

Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00FB1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00FB1204
Source: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe	Code function: 0_2_00FB1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00FB1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	11 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	127 System Information Discovery	Distributed Component Object Model	121 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	321 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Access Token Manipulation	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	212 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
EPIRTURMEROOO0060.exe	55%	ReversingLabs	Win32.Trojan.AutoitInject
EPIRTURMEROOO0060.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	172.67.177.134	true	false	high
checkip.dyndns.com	193.122.6.168	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189l	RegSvcs.exe, 00000001.00000002.2948549193.00000000031F0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.comd	RegSvcs.exe, 00000001.00000002.2948549193.00000000031F0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crl.microsoft	RegSvcs.exe, 00000001.00000002.2949391644.0000000006560000.00000004.00000020.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	EPIRTURMEROOO0060.exe, 00000000.00000002.1720260774.0000000000C80000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2947695905.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high
http://reallyfreegeoip.orgd	RegSvcs.exe, 00000001.00000002.2948549193.000000000320D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189d	RegSvcs.exe, 00000001.00000002.2948549193.00000000031F0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	RegSvcs.exe, 00000001.00000002.2948549193.000000000320D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	RegSvcs.exe, 00000001.00000002.2948549193.00000000031F0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	RegSvcs.exe, 00000001.00000002.2948549193.00000000031F0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	RegSvcs.exe, 00000001.00000002.2948549193.00000000031F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2948549193.00000000031DE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RegSvcs.exe, 00000001.00000002.2948549193.00000000031F0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	RegSvcs.exe, 00000001.00000002.2948549193.00000000031F0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000001.00000002.2948549193.0000000003171000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	EPIRTURMEROOO0060.exe, 00000000.00000002.1720260774.0000000000C80000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2947695905.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	EPIRTURMEROOO0060.exe, 00000000.00000002.1720260774.0000000000C80000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2948549193.00000000031F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2947695905.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.122.6.168	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false
172.67.177.134	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580113
Start date and time:	2024-12-24 00:24:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	EPIRTURMEROOO0060.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 54 Number of non-executed functions: 289
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: EPIRTURMEROOO0060.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.122.6.168	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	HUBED342024.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	YU SV Payment.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	PAYMENT ADVICE 750013-1012449943-81347-pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	MV GOLDEN SCHULTE DETAILS.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	QUOTATION REQUEST - BQS058.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	SWIFT091816-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
172.67.177.134	HUBED342024.exe	Get hash	malicious	MassLogger RAT	Browse
	Order_12232024.exe	Get hash	malicious	MassLogger RAT	Browse
	rTTSWIFTCOPIES.exe	Get hash	malicious	MassLogger RAT	Browse
	Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Get hash	malicious	MassLogger RAT	Browse
	YU SV Payment.exe	Get hash	malicious	MassLogger RAT	Browse
	PAYMENT ADVICE 750013-1012449943-81347-pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	HUSDGHCE23ED.exe	Get hash	malicious	MassLogger RAT	Browse
	66776676676.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	Invoice.exe	Get hash	malicious	Snake Keylogger	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	HUBED342024.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	PARATRANSFARI REMINDER.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	MT Eagle Asia 11.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Order_12232024.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	rTTSWIFTCOPIES.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	Statement_3029_from_Cross_Traders_and_Logistics_ltd.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	Invoice DHL - AWB 2024 E4001 - 0000731.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
reallyfreegeoip.org	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	HUBED342024.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	PARATRANSFARI REMINDER.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	MT Eagle Asia 11.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	Order_12232024.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	rTTSWIFTCOPIES.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	Statement_3029_from_Cross_Traders_and_Logistics_ltd.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	Invoice DHL - AWB 2024 E4001 - 0000731.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	HUBED342024.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	MT Eagle Asia 11.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Order_12232024.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	rTTSWIFTCOPIES.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	nshkmips.elf	Get hash	malicious	Mirai	Browse	132.145.36.70
	Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	Statement_3029_from_Cross_Traders_and_Logistics_ltd.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	nshkarm.elf	Get hash	malicious	Mirai	Browse	140.238.15.102
	nshsh4.elf	Get hash	malicious	Mirai	Browse	140.238.98.44
CLOUDFLARENETUS	https://en.newsnowbangla.com/archives/69912	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	104.17.25.14
	https://u48917305.ct.sendgrid.net/ls/click?upn=u001.ztQPJiWtq2gO8V-2Ftd7SxY9UCAq3VScTPSloeIw5UEMPd6e3nbPRvJ98moPTqmrdQ1eNbvwZHJ-2BEb4HrooVFNCTltmXW6SgRONKSmPzdFoWfDQT97cczFZ0vj7M2xBd2izDTi-2BL-2BoVqB8yVzV2GW7vOPvy3s9yVghrOS5vs-2BSnWyzJMkXQxVEReq4oLCDet7QAOvo_JkpSD-2Bg6VoLAQppUKMb-2BxDh4v4nbOeQFT31aoN-2FLkhvFCzY6wdlGM7RTNIi47OKR1tTaghG8tTKssArDNPSXAfX9wO6nsZ2FHn-2FunyaOti-2FaII-2FnbKYDXJOImW-2Bs9f4tYnWj8rqO7L0kp4KNRHBDo0iHoL8DEOGc8GMtzqzsIqERel6-2FxJyY4DBnsnUTOc2I4HCPKA6lxcCEXMtxEA1-2FnQ-3D-3D	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	HUBED342024.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	PARATRANSFARI REMINDER.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	https://www.canva.com/design/DAGaHpv1g1M/bVE7B2sT8b8T3P-e2xb64w/view?utm_content=DAGaHpv1g1M&utm_campaign=designshare&utm_medium=link2&utm_source=uniquelinks&utlId=h1ee3678e45	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	Violated Heroine_91zbZ-1.exe	Get hash	malicious	Unknown	Browse	104.18.20.226
	Play Aud.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://flowto.it/8tooc2sec?fc=0	Get hash	malicious	Unknown	Browse	104.18.35.227

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	HUBED342024.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	PARATRANSFARI REMINDER.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	MT Eagle Asia 11.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	Order_12232024.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	rTTSWIFTCOPIES.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	Statement_3029_from_Cross_Traders_and_Logistics_ltd.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	Browser.Daemon.exe	Get hash	malicious	Unknown	Browse	172.67.177.134

Process:	C:\Users\user\Desktop\EPIRTURMEROOO0060.exe
File Type:	data
Category:	dropped
Size (bytes):	93696
Entropy (8bit):	6.8149694850955855
Encrypted:	false
SSDEEP:	1536:SdN20iXqMSQzcoJkrGkYu9nxqf5hpnr8GJpXItFGGGJcmGVxZxRgjpeQK8y:SVMSQzcoJkrBYutxqffZ8eX6GGGJc1ZB
MD5:	301CAAB968E759F55A523E3FBBB26501
SHA1:	F6EAE475AADBB79B204C4D442C47114DAC8C36E6
SHA-256:	156B9467A5DA58C5B9ADBC142C200334723625711A2F747D0BFEF7A04CAE7482
SHA-512:	A9CE9BDF92E9EBADB8C2BA39A31C0268D612BDC91342C5A879D79EC3A9EB2CB5F24CCD69FAE268085288E74921CACF99A76680873ACFFDF8E1875875543FB376
Malicious:	false
Reputation:	low
Preview:	...XP9TMQVVR..57.57ME1EB.XS9TMUVVRCU57V57ME1EBNXS9TMUVVRCU57.57MK..LN.Z.u.T..s.=\DvEE""C$/n;2W:"!v47c'@Yv\Ym.~.b#77\z@X\rRCU57V5g.E1.CMX...UVVRCU57.55LN0.BN<R9TEUVVRCU..W57mE1E.OXS9.MUvVRCW57R57ME1EBHXS9TMUVV.BU55V57ME1GB..S9DMUFVRCU%7V%7ME1EB^XS9TMUVVRCUq.W5`ME1E.OX.<TMUVVRCU57V57ME1EBN.R9XMUVVRCU57V57ME1EBNXS9TMUVVRCU57V57ME1EBNXS9TMUVVRCU5.V5?ME1EBNXS9TM]vVR.U57V57ME1EB`,6A MUV.0BU5.V57)D1E@NXS9TMUVVRCU57v57-kC60-XS9.HUVV.BU51V57+D1EBNXS9TMUVVR.U5wxGR!*REBBXS9T.TVVPCU5[W57ME1EBNXS9TM.VV.CU57V57ME1EBNXS9..TVVRCU}7V55M@1..NXS.TMVVVR.U51..7M.1EBNXS9TMUVVRCU57V57ME1EBNXS9TMUVVRCU57V57M.L.M..P'.VVRCU56T63KM9EBNXS9TM+VVR.U57.57Mr1EBkXS99MUVrRCUK7V5IME1!BNX!9TM4VVR.U57957M+1EB0XS9JO}IVRI..7T..ME;Eh.+r9TG.WVRG&.7V?.OE1A1mXS3.NUVR!gU5=.17MAB`BNR.<TMQ\|.R@.#1V5,"}1EHN[.,RMUM\|tCW..V5=Mo.EA.MU9TV.tVP.\57R.a>X1EDf.S9^9\VVP._57R.)OmrEBDrqGGMUR}RiwK#V53fE.g<[XS=.M.t(DCU1.V..3R1EFeXy?~/U$.^C%6X757Km.EBDp.9TKU\|lR=[57R7X.E1OddbS..MUPVz.U51V..M;.EBJtTGgMUR}D=d57R.15E1C1.XS3q.fVVVk.57\5..E..BN^S..MUP

C:\Users\user\AppData\Local\Temp\aut22DD.tmp

Download File

Process:	C:\Users\user\Desktop\EPIRTURMEROOO0060.exe
File Type:	data
Category:	dropped
Size (bytes):	15010
Entropy (8bit):	7.585673340317947
Encrypted:	false
SSDEEP:	384:M9/RFE4uzlhGGa8RZv4a1EQZR0Ct9RY4BTCCUDRUUYdKl:MR9uZQGa83v4KEhCR3jBMl
MD5:	0E5C87F8C71FFA93DB56639835B8D573
SHA1:	8D711FBFA435D2F99EDFECB0039370D7252BCE7F
SHA-256:	A85282EBD9D0566E2C1DE7033EF76A224CB298F8D8ABB06BE09B4938F4F2C52F
SHA-512:	B1C22FC38825ECE990D4AB748ED2EDD6B339CD803167EA7ED00D813C7EEE9D13A7A22541E972971A21526176454218E25FCB7D75EB3EB8B2D7281F1533B32295
Malicious:	false
Reputation:	low
Preview:	EA06.....Zo.........SP.n......5e...`.....\|....T...3...(.6&.....9vp.=...G.....7@..9......$..k...........c}V.....?.P...p...Y@Q?.{..'..c.D.&.N. .'.9e.D.&`...D..' ...D...s...D...S.(......sP...h...M.Q?.y..G.c.D....Q.......O......60..........vh...0.7..!.....)^...t.C........$..C......l>[......!....\|.0...&d.....Hz..a....l?..uo.....P......V0....j......\|......l.....A.?.. Bg.8.l.E..Ed.L...?.. Bg.....Y..>@.............@..'.....8\|.?..u.........l. O..]e...O..!e...& ....#s.......3.Y....9.......9..M.7?............l?...F..........C7....g .........x2..8.a...?..j..+4.....W?..j....Y..M. ?.0....Q...d}S0{.......M.".@...Z........V....n.....Q>...'.N...r..(.-........0W.........(....... 6..p.....6zh......?.....O8....lCN....i..?..8}@L..E.i.....61...f#q....>.N....4..M.Q?.q.........D..0N..V.A..M.>K0i..d.h.&...%.Y...\|...<..aw.].3c..H.@B?...G..1...' ....k\|.A.O..#.....}V`....#..H\|.P!..d....0z....Y..>K..G./....G.7c.H..b....W..1....?.01..b.!...@.?..o.F\|....p9......S.!..nb.!....zb0..

C:\Users\user\AppData\Local\Temp\aut27C0.tmp

Download File

Process:	C:\Users\user\Desktop\EPIRTURMEROOO0060.exe
File Type:	data
Category:	dropped
Size (bytes):	65996
Entropy (8bit):	7.899258065335145
Encrypted:	false
SSDEEP:	1536:t5V/Srlc/7lfcjV6binHpdNHRFjR8ddqDn/5yuYx:t5lSrGfcBLLRFtadqDhc
MD5:	83D1D8C03D2CF951522C5F256530BB96
SHA1:	CF05AD591AC1033C85983116384DE6EA0AE33E10
SHA-256:	952A630049CF6388BC0B8D07A507BB3A876640CCB9B5352533722BA2FFDB1D2D
SHA-512:	94E16B580061DF141ABBE8BF300534EA5310887F5E88977079610083FE263DC0598B6C2734E286CCA2E7263FA572A1C8EA2EBDDCD5F22D20C92D3C33CF6667F9
Malicious:	false
Reputation:	low
Preview:	EA06..n..F;...M...-.k7.Mf..,.B.V`..T.X..f.z...i....X.X....w.....j..../=.Q..Z,.EC.K...^u"...{...Y.W+6...-b........\..,f....a4:mc...l..5...i..V.N.T.5J(..5{Z..om..<T..B)M.....2..5.@..T..j.a.=.]..h.........P..W.1.q.X,....eg.._6b.9...~@..D^.5...v..`B..;`.M.2....0...SyM.cE..,\|7i..[k.....c%H..>@............Vkw.Q.R.UJ.B...8.Z.P.B+up...+V.D.,>>.>..._@...6.1.....mR.V..# ..k.7..@<...k.L..x...BO....bmT.L.t...f.`......... ."..,N@..!....R@....a!.,&.............`.XR...MZ.I....H.^.E..m..].sT..j.j..M....z}.cA..k.9.R.U.T.6z..{.......N.t.y....R.j.`)D.E}..i...YR..i......U...m./E..).Y.R...U..:..A.....-.....k.......2.}..E.Q.W.=..U._jV...GV....X.y[.T..m..(.P...Z?...4Z5..y...Y&.C...y..m..!....K..-.).l.`..<.Y.>.d.T.0JmV.V.D.~....;.QhT..R.g.nh.. .a..h.......\y.`......X.....P...F0..C.....E..mP..N.T..j.j...g..s{/..!.Cg5k/..V.P..jU.k7...E:.W....ym.C..jui...G..@R..L.0...1.$......&..'g@.U.T.."(..........:=..7..i.:m.kG.G@,.L`...Ue.9.Zc...\..:.R.a;.... .p.n.X..).>OZ...J...

C:\Users\user\AppData\Local\Temp\miaoued

Download File

Process:	C:\Users\user\Desktop\EPIRTURMEROOO0060.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	172054
Entropy (8bit):	3.1814870752264017
Encrypted:	false
SSDEEP:	48:sb3feqfCpfS6ftqfA0f9fWf9fZ1fi20fq0fFfY6fofi51fK0fi0fCfZ1fK0f70fs:iaN7VHDhLOaDf8Q7+g/PCkjrk6GklX
MD5:	66FA7BFE30811B5D87701D5CBC3B3D85
SHA1:	A6841DAD239525D7234769C185D4FCD009228B95
SHA-256:	DDC2ED5120C9B4824A23C4F7E73DD0E91E288BA7DABA2483295811CAFDB06849
SHA-512:	B2FA2C52D43631D2004C22E3B787028D2FF59AAED3725B8A5CD46E356D1E5C7C636A100F8ECF57EE0B067379C702B501E9F969900B6F02FE5E9C23E1BF9DF896
Malicious:	false
Reputation:	low
Preview:	hixjs0hixjsxhixjs5hixjs5hixjs8hixjsbhixjsehixjschixjs8hixjs1hixjsehixjschixjschixjschixjs0hixjs2hixjs0hixjs0hixjs0hixjs0hixjs5hixjs6hixjs5hixjs7hixjsbhixjs8hixjs6hixjsbhixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs4hixjs5hixjs8hixjs4hixjsbhixjs9hixjs6hixjs5hixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs4hixjsdhixjs8hixjs6hixjsbhixjsahixjs7hixjs2hixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs5hixjs5hixjs8hixjs8hixjsbhixjs8hixjs6hixjsehixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs4hixjs5hixjs8hixjsahixjsbhixjs9hixjs6hixjs5hixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs4hixjsdhixjs8hixjschixjsbhixjsahixjs6hixjschixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs5hixjs5hixjs8hixjsehixjsbhixjs8hixjs3hixjs3hixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs4hixjs5hixjs9hixjs0hixjsbhixjs9hixjs3hixjs2hixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs4hixjsdhixj

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.80923297076633
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	EPIRTURMEROOO0060.exe
File size:	1'021'952 bytes
MD5:	6b2561c0b680c9e681b71663cd6afb1e
SHA1:	39d5ad324e919744f94c5281af5d612422657fc2
SHA256:	e0663b19ffa16445efed5a1c70bd92ab61a65faef5535fe7f43c81f3b86ea2c2
SHA512:	bc370c1bbda036cd74354aa3f9d33d230ffbab9c27b39e95b1e6a862d5a806b3a59cd90e79ce5a9a155989797ecbcfbb61a73334acd6723472d3bea7b028616e
SSDEEP:	24576:9qDEvCTbMWu7rQYlBQcBiT6rprG8a3MexIUCk:9TvC/MTQYxsWR7a3MYIUC
TLSH:	CA25AE0273C1D062FF9B92334F9AF6515BBC69260123A61F13A81D79BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6768A085 [Sun Dec 22 23:28:05 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F2FD12B7813h
jmp 00007F2FD12B711Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F2FD12B72FDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F2FD12B72CAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F2FD12B9EBDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F2FD12B9F08h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F2FD12B9EF1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x22c68	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf7000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x22c68	0x22e00	1e9369cff1ca86a2058de132f7d18734	False	0.8100008400537635	data	7.568860966929109	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf7000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x19f2e	data			1.0003857516512051
RT_GROUP_ICON	0xf66e8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xf6760	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xf6774	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xf6788	0x14	data	English	Great Britain	1.25
RT_VERSION	0xf679c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xf6878	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-24T00:25:13.665092+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49730	193.122.6.168	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 00:25:03.778125048 CET	49730	80	192.168.2.4	193.122.6.168
Dec 24, 2024 00:25:03.897664070 CET	80	49730	193.122.6.168	192.168.2.4
Dec 24, 2024 00:25:03.897773981 CET	49730	80	192.168.2.4	193.122.6.168
Dec 24, 2024 00:25:03.898113966 CET	49730	80	192.168.2.4	193.122.6.168
Dec 24, 2024 00:25:04.017611027 CET	80	49730	193.122.6.168	192.168.2.4
Dec 24, 2024 00:25:10.440392971 CET	80	49730	193.122.6.168	192.168.2.4
Dec 24, 2024 00:25:10.448407888 CET	49730	80	192.168.2.4	193.122.6.168
Dec 24, 2024 00:25:10.569942951 CET	80	49730	193.122.6.168	192.168.2.4
Dec 24, 2024 00:25:13.609966040 CET	80	49730	193.122.6.168	192.168.2.4
Dec 24, 2024 00:25:13.665091991 CET	49730	80	192.168.2.4	193.122.6.168
Dec 24, 2024 00:25:13.757952929 CET	49731	443	192.168.2.4	172.67.177.134
Dec 24, 2024 00:25:13.757972956 CET	443	49731	172.67.177.134	192.168.2.4
Dec 24, 2024 00:25:13.758048058 CET	49731	443	192.168.2.4	172.67.177.134
Dec 24, 2024 00:25:13.768800974 CET	49731	443	192.168.2.4	172.67.177.134
Dec 24, 2024 00:25:13.768815041 CET	443	49731	172.67.177.134	192.168.2.4
Dec 24, 2024 00:25:14.993458033 CET	443	49731	172.67.177.134	192.168.2.4
Dec 24, 2024 00:25:14.993542910 CET	49731	443	192.168.2.4	172.67.177.134
Dec 24, 2024 00:25:15.000452995 CET	49731	443	192.168.2.4	172.67.177.134
Dec 24, 2024 00:25:15.000462055 CET	443	49731	172.67.177.134	192.168.2.4
Dec 24, 2024 00:25:15.000916004 CET	443	49731	172.67.177.134	192.168.2.4
Dec 24, 2024 00:25:15.055593967 CET	49731	443	192.168.2.4	172.67.177.134
Dec 24, 2024 00:25:15.061484098 CET	49731	443	192.168.2.4	172.67.177.134
Dec 24, 2024 00:25:15.107330084 CET	443	49731	172.67.177.134	192.168.2.4
Dec 24, 2024 00:25:15.439342022 CET	443	49731	172.67.177.134	192.168.2.4
Dec 24, 2024 00:25:15.439423084 CET	443	49731	172.67.177.134	192.168.2.4
Dec 24, 2024 00:25:15.439481974 CET	49731	443	192.168.2.4	172.67.177.134
Dec 24, 2024 00:25:15.449326038 CET	49731	443	192.168.2.4	172.67.177.134
Dec 24, 2024 00:26:18.610745907 CET	80	49730	193.122.6.168	192.168.2.4
Dec 24, 2024 00:26:18.610958099 CET	49730	80	192.168.2.4	193.122.6.168
Dec 24, 2024 00:26:53.618545055 CET	49730	80	192.168.2.4	193.122.6.168
Dec 24, 2024 00:26:53.738219976 CET	80	49730	193.122.6.168	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 00:25:03.633675098 CET	54869	53	192.168.2.4	1.1.1.1
Dec 24, 2024 00:25:03.770874023 CET	53	54869	1.1.1.1	192.168.2.4
Dec 24, 2024 00:25:13.611897945 CET	60228	53	192.168.2.4	1.1.1.1
Dec 24, 2024 00:25:13.756112099 CET	53	60228	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 24, 2024 00:25:03.633675098 CET	192.168.2.4	1.1.1.1	0x4691	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Dec 24, 2024 00:25:13.611897945 CET	192.168.2.4	1.1.1.1	0x547c	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 24, 2024 00:25:03.770874023 CET	1.1.1.1	192.168.2.4	0x4691	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 24, 2024 00:25:03.770874023 CET	1.1.1.1	192.168.2.4	0x4691	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Dec 24, 2024 00:25:03.770874023 CET	1.1.1.1	192.168.2.4	0x4691	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Dec 24, 2024 00:25:03.770874023 CET	1.1.1.1	192.168.2.4	0x4691	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Dec 24, 2024 00:25:03.770874023 CET	1.1.1.1	192.168.2.4	0x4691	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Dec 24, 2024 00:25:03.770874023 CET	1.1.1.1	192.168.2.4	0x4691	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Dec 24, 2024 00:25:13.756112099 CET	1.1.1.1	192.168.2.4	0x547c	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Dec 24, 2024 00:25:13.756112099 CET	1.1.1.1	192.168.2.4	0x547c	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	193.122.6.168	80	6888	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 24, 2024 00:25:03.898113966 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 24, 2024 00:25:10.440392971 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 23:25:10 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 24, 2024 00:25:10.448407888 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 24, 2024 00:25:13.609966040 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 23:25:13 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	172.67.177.134	443	6888	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-23 23:25:15 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-23 23:25:15 UTC	864	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 23:25:15 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 311104 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5PzUpm0%2BeL2FYNzYg2CU8E1k1RdK9NOsUxU0%2FUKdXLuEpGLSS0tUhhJ%2B%2BcFdWOujArtu0X92CZx7qFxw%2BvriJGg%2FXlTGuj1scRh8MNJDOG1GctXlxWJ2m1Zb%2BGjwjgz0%2FpWA8zEJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6c1c1a6bae41e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1800&min_rtt=1761&rtt_var=688&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1658148&cwnd=249&unsent_bytes=0&cid=687cfa94290c213c&ts=462&x=0"
2024-12-23 23:25:15 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	18:24:59
Start date:	23/12/2024
Path:	C:\Users\user\Desktop\EPIRTURMEROOO0060.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\EPIRTURMEROOO0060.exe"
Imagebase:	0xf30000
File size:	1'021'952 bytes
MD5 hash:	6B2561C0B680C9E681B71663CD6AFB1E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1720260774.0000000000C80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1720260774.0000000000C80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1720260774.0000000000C80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1720260774.0000000000C80000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000000.00000002.1720260774.0000000000C80000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	18:25:02
Start date:	23/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\EPIRTURMEROOO0060.exe"
Imagebase:	0xdb0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2948549193.0000000003295000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000001.00000002.2947695905.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2947695905.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.2947695905.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.2947695905.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	3%
Total number of Nodes:	2000
Total number of Limit Nodes:	57

Executed Functions

Function 00F342DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00F3430D

Part of subcall function 00F36B57: _wcslen.LIBCMT ref: 00F36B6A

GetCurrentProcess.KERNEL32(?,00FCCB64,00000000,?,?), ref: 00F34422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00F34429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00F34454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00F34466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00F34474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00F3447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00F344A0

Strings

|O, xrefs: 00F736F8
GetNativeSystemInfo, xrefs: 00F34460
kernel32.dll, xrefs: 00F3444F

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 0a5a52d796d63c77a1e206cec95601a674d7ab1e1deb44d5a01dfb9f425ef548
Instruction ID: add7625ddb78165541183081c440a07b09569081b8cbdc3b62eb43e7702d08f5
Opcode Fuzzy Hash: 0a5a52d796d63c77a1e206cec95601a674d7ab1e1deb44d5a01dfb9f425ef548
Instruction Fuzzy Hash: 3DA1B772D0E2C0DFC737C769B4816957FA47B26314F08D4A9E4C5A3A0AD23AD505FBA2

Function 00F3D85A Relevance: 12.5, APIs: 8, Instructions: 481
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

timeGetTime.WINMM ref: 00F3DA07

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Timetime
String ID:
API String ID: 17336451-0
Opcode ID: ad5b6bcc0f64f104ff6be0b27d37c60e1f612e46ad05614a6f7d0d200a302910
Instruction ID: b066f13a4a93ec3373144604c9c9b4ac38eb601dc258d123c45ae1a7019c6795
Opcode Fuzzy Hash: ad5b6bcc0f64f104ff6be0b27d37c60e1f612e46ad05614a6f7d0d200a302910
Instruction Fuzzy Hash: 7A12EF71A08201DFD728DF24D884BAAB7E1FF85324F148559F89687291D779F844FB82

Function 00F342A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00F350AA,?,?,00000000,00000000), ref: 00F342B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00F350AA,?,?,00000000,00000000), ref: 00F342C9
LoadResource.KERNEL32(?,00000000,?,?,00F350AA,?,?,00000000,00000000,?,?,?,?,?,?,00F34F20), ref: 00F735BE
SizeofResource.KERNEL32(?,00000000,?,?,00F350AA,?,?,00000000,00000000,?,?,?,?,?,?,00F34F20), ref: 00F735D3
LockResource.KERNEL32(00F350AA,?,?,00F350AA,?,?,00000000,00000000,?,?,?,?,?,?,00F34F20,?), ref: 00F735E6

Strings

SCRIPT, xrefs: 00F342BF

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: a0aadf03291d813e491f98e1fee12d2a54ac37171b742750b0b338bd98b5822a
Instruction ID: b320c983f3fdf10c8e5d0c333f4145b5b0024f30103527a569e19fde8130fe7f
Opcode Fuzzy Hash: a0aadf03291d813e491f98e1fee12d2a54ac37171b742750b0b338bd98b5822a
Instruction Fuzzy Hash: 4811AC70600305BFD7218BA6DD49F677BBDEBC6B61F148169F41696290DB71EC00AA70

Function 00F72BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00F32B6B

Part of subcall function 00F33A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01001418,?,00F32E7F,?,?,?,00000000), ref: 00F33A78

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00FF2224), ref: 00F72C10
ShellExecuteW.SHELL32(00000000,?,?,00FF2224), ref: 00F72C17

Strings

runas, xrefs: 00F72C0B

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: cfb05e53a2d1c4f1f6e5dcf7dbdad9438169e8dfe7538a378a7d7bc87805be5a
Instruction ID: 06dc227dbbce5af65847008605180aeaa04927a10a6eac253831f96ecb3b425c
Opcode Fuzzy Hash: cfb05e53a2d1c4f1f6e5dcf7dbdad9438169e8dfe7538a378a7d7bc87805be5a
Instruction Fuzzy Hash: 8511EE316083456AC719FF60DC429BEBBA4AFD1370F44542DF286030A2CFB98A0AF712

Function 00F9DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00F75222), ref: 00F9DBCE
GetFileAttributesW.KERNELBASE(?), ref: 00F9DBDD
FindFirstFileW.KERNELBASE(?,?), ref: 00F9DBEE
FindClose.KERNEL32(00000000), ref: 00F9DBFA

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 75fffdaff9b0ad083fba0081a6501b32186d731eaa8d14ec11aadfb397bc611d
Instruction ID: 8d47973c52c62b1c523973df89bb50420c6e60a374bc1d33ebbc8db4de432834
Opcode Fuzzy Hash: 75fffdaff9b0ad083fba0081a6501b32186d731eaa8d14ec11aadfb397bc611d
Instruction Fuzzy Hash: 2BF0E531810918579B206F7CEE0ECAA776C9E01334B244702F83AC30F0EBB05D55EAD5

Function 00F32CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F32D07
RegisterClassExW.USER32(00000030), ref: 00F32D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F32D42
InitCommonControlsEx.COMCTL32(?), ref: 00F32D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F32D6F
LoadIconW.USER32(000000A9), ref: 00F32D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F32D94

Strings

AutoIt v3 GUI, xrefs: 00F32D23
0, xrefs: 00F32CE9
+, xrefs: 00F32CF0
TaskbarCreated, xrefs: 00F32D37

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 802c25cefd9cdd853e79b0c48f254e529e5763393423b15a69e23185a39db160
Instruction ID: bc9cf779ac6d22711aeb623701922bf92e7c203ce22372a7fcb07c0e9c706fdd
Opcode Fuzzy Hash: 802c25cefd9cdd853e79b0c48f254e529e5763393423b15a69e23185a39db160
Instruction Fuzzy Hash: DB21EFB1D41308AFDB11DFA4E98AB9DBBB4FB08700F00811AFA55A7290D7BA85449F91

Function 00F7065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F7039A: CreateFileW.KERNELBASE(00000000,00000000,?,00F70704,?,?,00000000,?,00F70704,00000000,0000000C), ref: 00F703B7

GetLastError.KERNEL32 ref: 00F7076F
__dosmaperr.LIBCMT ref: 00F70776
GetFileType.KERNELBASE(00000000), ref: 00F70782
GetLastError.KERNEL32 ref: 00F7078C
__dosmaperr.LIBCMT ref: 00F70795
CloseHandle.KERNEL32(00000000), ref: 00F707B5
CloseHandle.KERNEL32(?), ref: 00F708FF
GetLastError.KERNEL32 ref: 00F70931
__dosmaperr.LIBCMT ref: 00F70938

Strings

H, xrefs: 00F708BD

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: fcc1eeb2a9753278cf998d619bf9290162a5f14c621780bbcee1e98cde91ff4b
Instruction ID: 4aec7dbcd386d61b678fe6049ff4b85c65e0f7bdc02ccffec7d745c14f64a1d0
Opcode Fuzzy Hash: fcc1eeb2a9753278cf998d619bf9290162a5f14c621780bbcee1e98cde91ff4b
Instruction Fuzzy Hash: 15A12732A101488FDF19AF68DC51BAD3BA0AF46320F14815EF8599B391DB359C17EB92

Function 00F3344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F33A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01001418,?,00F32E7F,?,?,?,00000000), ref: 00F33A78

Part of subcall function 00F33357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F33379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00F3356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00F7318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00F731CE
RegCloseKey.ADVAPI32(?), ref: 00F73210
_wcslen.LIBCMT ref: 00F73277
_wcslen.LIBCMT ref: 00F73286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00F33560
\, xrefs: 00F7328C
\Include\, xrefs: 00F33527
Include, xrefs: 00F73184, 00F731C5

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 60f2ae1428aaf155738f41df320b520d042b9beaaf9f31eea98f7d91b1526447
Instruction ID: 815a572f4d887de613ad4c38b979fc2d12872018d7f32451026ac883e5606527
Opcode Fuzzy Hash: 60f2ae1428aaf155738f41df320b520d042b9beaaf9f31eea98f7d91b1526447
Instruction Fuzzy Hash: 3171E3714083019EC315EF25DC86D5BBBE8FF84350F40882EF589D31A5EB799A48EB52

Function 00F32B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F32B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00F32B9D
LoadIconW.USER32(00000063), ref: 00F32BB3
LoadIconW.USER32(000000A4), ref: 00F32BC5
LoadIconW.USER32(000000A2), ref: 00F32BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F32BEF
RegisterClassExW.USER32(?), ref: 00F32C40

Part of subcall function 00F32CD4: GetSysColorBrush.USER32(0000000F), ref: 00F32D07
Part of subcall function 00F32CD4: RegisterClassExW.USER32(00000030), ref: 00F32D31
Part of subcall function 00F32CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F32D42
Part of subcall function 00F32CD4: InitCommonControlsEx.COMCTL32(?), ref: 00F32D5F
Part of subcall function 00F32CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F32D6F
Part of subcall function 00F32CD4: LoadIconW.USER32(000000A9), ref: 00F32D85
Part of subcall function 00F32CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F32D94

Strings

AutoIt v3, xrefs: 00F32C2F
0, xrefs: 00F32C0F
#, xrefs: 00F32C16

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 81bfc708a1ed330c6bf990dc081238a5c50aa820fac619a40720dbfe4399ca15
Instruction ID: 01c68936d0e0e64f103438c93bb2f37c41aa85e246aa7d053951dd92085c4737
Opcode Fuzzy Hash: 81bfc708a1ed330c6bf990dc081238a5c50aa820fac619a40720dbfe4399ca15
Instruction Fuzzy Hash: 75214970E00318ABDB229FA5ED49BA97FF5FB48B50F04801AF644A7694D7BA8540DF90

Function 00F33170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00F3316A,?,?), ref: 00F331D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00F3316A,?,?), ref: 00F33204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F33227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00F3316A,?,?), ref: 00F33232
CreatePopupMenu.USER32 ref: 00F33246
PostQuitMessage.USER32(00000000), ref: 00F33267

Strings

TaskbarCreated, xrefs: 00F3322D

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 066e3e37f2198a7a96a836d426dd54a02ad526769760243800317e0af69f25bd
Instruction ID: c5f0ff3d44bf6a227ba1601ebb7119335279ea7b3fd5110b2a4c083569cbd2c5
Opcode Fuzzy Hash: 066e3e37f2198a7a96a836d426dd54a02ad526769760243800317e0af69f25bd
Instruction Fuzzy Hash: 48412C32E44204ABEB25AB78DD0EB7A3755FB05370F044119F54AC62D1CB79CE40B7A1

Function 00F68D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cbbfc3ee2fbf46e8f2ea3fd00cc842ebea1264cd3dd59781647abf3e0f80705
Instruction ID: e935344005c3f2e9405047e801188d56d7b8a4183ce383118d470873bd3706fa
Opcode Fuzzy Hash: 4cbbfc3ee2fbf46e8f2ea3fd00cc842ebea1264cd3dd59781647abf3e0f80705
Instruction Fuzzy Hash: 3CC12475D08249AFCF11DFA8C841BADBBB4EF09360F044199F915A7392CB758946EB60

Function 00F3DFD0 Relevance: 11.9, APIs: 2, Strings: 4, Instructions: 1414COMMON

Download Yara Rule

Strings

D%, xrefs: 00F3E42C
D%, xrefs: 00F3E0F2
D%, xrefs: 00F3E433
Variable must be of type 'Object'., xrefs: 00F832B7

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID:
String ID: D%$D%$D%$Variable must be of type 'Object'.
API String ID: 0-2018361425
Opcode ID: 6b02f71306c8bff69c35f9bae392ce9d38df2c9112570824a295f5ad0d93be07
Instruction ID: a5eb76c4e12bc420e039ac34270e87f7d861c045b600fa5eff44a40a76ae875d
Opcode Fuzzy Hash: 6b02f71306c8bff69c35f9bae392ce9d38df2c9112570824a295f5ad0d93be07
Instruction Fuzzy Hash: 5AC29A75E00205CFCB24DF58C880BADBBB1BF09720F248169E956AB3A1D375ED41EB91

Function 011A1A10 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 011A1AE1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 011A1D07

Memory Dump Source

Source File: 00000000.00000002.1720483954.000000000119F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0119F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_119f000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction ID: 4dbbff0fa593899f5fc22923d263ac5cb7054db73221dc1d16f022cbc595b904
Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction Fuzzy Hash: 1CA12878E00209EBDB18CFA4C994BEEBBB5FF48304F608559E601BB284D7759A41CF95

Function 00F32C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F32C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F32CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00F31CAD,?), ref: 00F32CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00F31CAD,?), ref: 00F32CCF

Strings

AutoIt v3, xrefs: 00F32C89, 00F32C8E, 00F32C8F
edit, xrefs: 00F32CAC

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 743494b336d9ed288f5c775bc16d447da13ae7af1139d9014825c01b9ba89c9a
Instruction ID: b58460a7cbc9aef68230e081788b9d6b156555e26e332d7a2c44d0d173499371
Opcode Fuzzy Hash: 743494b336d9ed288f5c775bc16d447da13ae7af1139d9014825c01b9ba89c9a
Instruction Fuzzy Hash: 6BF0F4755403947AEB320713AC09E673FBDD7C6F50F00801AF904A3594C67A8840EAB0

Function 011A17E0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 144
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 011A16D0: Sleep.KERNELBASE(000001F4), ref: 011A16E1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 011A18FE

Strings

EBNXS9TMUVVRCU57V57ME1, xrefs: 011A1961, 011A1964

Memory Dump Source

Source File: 00000000.00000002.1720483954.000000000119F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0119F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_119f000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: CreateFileSleep
String ID: EBNXS9TMUVVRCU57V57ME1
API String ID: 2694422964-551242376
Opcode ID: d37fc6740848d6df2432817494541c988f667f6d4edad8f1106d4855681fc6d6
Instruction ID: 346a6d5ae04ea7cb93300c5a2a9ae8d96836479506516143e991af0f2e5c6fee
Opcode Fuzzy Hash: d37fc6740848d6df2432817494541c988f667f6d4edad8f1106d4855681fc6d6
Instruction Fuzzy Hash: 16519074D04289EAEF15DBA4C844BEFBFB9AF15304F444199E608BB2C1D7B90B48CB65

Function 00FA2947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FA2C05
DeleteFileW.KERNEL32(?), ref: 00FA2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00FA2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FA2CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FA2CC0

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 79d19b132104ef20c0c842b5f264db1bd01270d911448f72cf95dd98a1466e69
Instruction ID: fe7839791b44103da15b4b153938eea9cc7893b71495bcd9b1093cebd4b19357
Opcode Fuzzy Hash: 79d19b132104ef20c0c842b5f264db1bd01270d911448f72cf95dd98a1466e69
Instruction Fuzzy Hash: AFB170B2E00119ABDF24DFA8CC85EDEB77DEF49350F0040A6FA09E7151EA349A449F61

Function 00F33B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00F33B0F,SwapMouseButtons,00000004,?), ref: 00F33B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00F33B0F,SwapMouseButtons,00000004,?), ref: 00F33B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00F33B0F,SwapMouseButtons,00000004,?), ref: 00F33B83

Strings

Control Panel\Mouse, xrefs: 00F33B3E

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: dbfccbd7bb190fe72e55d26ab593666458a59fcfaa1b1fac2a756e657481d8aa
Instruction ID: 47edc4b4aca99d0688dca13a0d45693a358ac06bd91461119ad2a9b55d091165
Opcode Fuzzy Hash: dbfccbd7bb190fe72e55d26ab593666458a59fcfaa1b1fac2a756e657481d8aa
Instruction Fuzzy Hash: 94112AB5910208FFDB20CFA5DC45EAEBBB8EF44764F104459E805D7110D2319E40A7A0

Function 011A06D0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 011A0EFD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 011A0F21
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 011A0F43

Memory Dump Source

Source File: 00000000.00000002.1720483954.000000000119F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0119F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_119f000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
Instruction ID: 90ee59ee2bbac0628459af21797da824f9b709429a56807e7d27e5d59b2461cd
Opcode Fuzzy Hash: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
Instruction Fuzzy Hash: 7E623D34A14258DBEB28CFA4C850BDEB776EF58300F5091A9D20DEB390E7759E81CB59

Function 00F3DB37 Relevance: 6.1, APIs: 4, Instructions: 70windowCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00F3DB7B
DispatchMessageW.USER32(?), ref: 00F3DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F3DB9F
TranslateAcceleratorW.USER32(?,?,?), ref: 00F81CC9

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeek
String ID:
API String ID: 234387968-0
Opcode ID: fa906bdf31ed56a46539d5c1293e4cc478c670b4cdf0e388b754cd76dc180205
Instruction ID: 237f4a812b2b4c643042d1fbf935e2a7bd16b46ba5d0f46289a524b9b99eb855
Opcode Fuzzy Hash: fa906bdf31ed56a46539d5c1293e4cc478c670b4cdf0e388b754cd76dc180205
Instruction Fuzzy Hash: 8331BC30605385DFE735CB24EC49FEA7BB8BB46320F044259E09987281C779E588EF22

Function 00F33923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00F733A2

Part of subcall function 00F36B57: _wcslen.LIBCMT ref: 00F36B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F33A04

Strings

Line: , xrefs: 00F733EB

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 2e9f76291a9fb61336a0f492c49c73df4fb5f0ed82018ef2fb83a8d79a122596
Instruction ID: e58e82c0a93e1d15113e30aaebaba8316aac6513067529aec5390da507c601bb
Opcode Fuzzy Hash: 2e9f76291a9fb61336a0f492c49c73df4fb5f0ed82018ef2fb83a8d79a122596
Instruction Fuzzy Hash: 0631A171809304AAD725EB20DC46BEBB7D8AB40734F00852EF5D993195EF789A49E7C2

Function 00F4FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00F50668

Part of subcall function 00F532A4: RaiseException.KERNEL32(?,?,?,00F5068A,?,01001444,?,?,?,?,?,?,00F5068A,00F31129,00FF8738,00F31129), ref: 00F53304

__CxxThrowException@8.LIBVCRUNTIME ref: 00F50685

Strings

Unknown exception, xrefs: 00F50692

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: b460fe843c28f755bc4798e1ba8fa40348233c80bace7a4afc39bf6b3cb8f7a9
Instruction ID: d9fb1766352749563eaaffeda941ace99746cba2c94947fb9640f5312614cc91
Opcode Fuzzy Hash: b460fe843c28f755bc4798e1ba8fa40348233c80bace7a4afc39bf6b3cb8f7a9
Instruction Fuzzy Hash: 07F0FF20D0020D738B00BAA8DC46D9E7B6C5E00361B604430BE18924A2EF75EA6EE991

Function 00FA3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00FA302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00FA3044

Strings

aut, xrefs: 00FA3038

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 86ab9fcdbfd95065f24c0c177adc42a6765273236df75a6d7e307cc73427dc52
Instruction ID: 5fd49ccb54fad145c54ea93e5c068728c20152ae94c8e4b4b43d6195310f80f3
Opcode Fuzzy Hash: 86ab9fcdbfd95065f24c0c177adc42a6765273236df75a6d7e307cc73427dc52
Instruction Fuzzy Hash: FDD05E7250032C67DA20E7A4AD0EFDB3A6CDB04750F0002A1B659E30A1DAB4D984CAD0

Function 00FB7F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00FB82F5
TerminateProcess.KERNEL32(00000000), ref: 00FB82FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 00FB84DD

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 8df8b5715f7f948f563830070f9f3be6548b18d9507f4c6e4c54483718cfc9a7
Instruction ID: fda47fd229df533673e1a09d2b1d3f0d4f894a4d689b1909a4a1914361c39181
Opcode Fuzzy Hash: 8df8b5715f7f948f563830070f9f3be6548b18d9507f4c6e4c54483718cfc9a7
Instruction Fuzzy Hash: C3127B71A083419FC724DF29C480B6ABBE5BF84364F04895DE8898B252DB35ED46DF92

Function 00F65AA9 Relevance: 4.7, APIs: 3, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9adace1a0b9394694f473f87bed5373bd9239633ef34c9680b13e4fadabe4eae
Instruction ID: 31b69fca516cdadd8ecdea0183f3308c0a7a753857b0702491009636753e9cb9
Opcode Fuzzy Hash: 9adace1a0b9394694f473f87bed5373bd9239633ef34c9680b13e4fadabe4eae
Instruction Fuzzy Hash: 7251A071D00609AFCB119FB8CD45FAE7BB8EF45B20F140059F805B7292D6799905FB61

Function 00F310F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F31BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F31BF4
Part of subcall function 00F31BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00F31BFC
Part of subcall function 00F31BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F31C07
Part of subcall function 00F31BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F31C12
Part of subcall function 00F31BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00F31C1A
Part of subcall function 00F31BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00F31C22

Part of subcall function 00F31B4A: RegisterWindowMessageW.USER32(00000004,?,00F312C4), ref: 00F31BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00F3136A
OleInitialize.OLE32 ref: 00F31388
CloseHandle.KERNEL32(00000000,00000000), ref: 00F724AB

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: baac4f9006dde5acc8cad47a400064deef46316576e30279fa6a37f4877403e0
Instruction ID: 81a72c640c90879aec6effd2fd86dccd6b513776203e2938ce6acf4b1a36e93c
Opcode Fuzzy Hash: baac4f9006dde5acc8cad47a400064deef46316576e30279fa6a37f4877403e0
Instruction Fuzzy Hash: 5071BDB4905201CFD3A6DF79E9456553AE0BB48352F58822EE0CADB299EB3BC601DF41

Function 00F354C6 Relevance: 4.6, APIs: 3, Instructions: 103COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 00F3556D
SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 00F3557D

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 119c19b30e5468d4ea33b9daf8e599be42517396ba219640ae72763c420202a8
Instruction ID: d54f9023560f7a0b0ef18e5c81188eb82a6fbb81561d31a719223b968dcfd20c
Opcode Fuzzy Hash: 119c19b30e5468d4ea33b9daf8e599be42517396ba219640ae72763c420202a8
Instruction Fuzzy Hash: 27315071A00609FFDB14CF28C880B99B7B5FB44724F188629E91997240D771FE94EBD0

Function 00F9C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F33923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F33A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F9C259
KillTimer.USER32(?,00000001,?,?), ref: 00F9C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F9C270

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 67660d976181a47bbb4b6814d84d60b334618420d92e5f33747a27ac084b69be
Instruction ID: c3196a8fa1dc1d2094baca33cb9b2cbf763911a9584cd0ecff6c69912aab492d
Opcode Fuzzy Hash: 67660d976181a47bbb4b6814d84d60b334618420d92e5f33747a27ac084b69be
Instruction Fuzzy Hash: BB31B171904384AFFF32CF648855BE6BBEC9F06708F00449AD6DE93241C3745A84DB91

Function 00F686AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00F685CC,?,00FF8CC8,0000000C), ref: 00F68704
GetLastError.KERNEL32(?,00F685CC,?,00FF8CC8,0000000C), ref: 00F6870E
__dosmaperr.LIBCMT ref: 00F68739

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: ae6c34b2ab1d96a6af72425d3ae1c45e694899c2026521aa74062b41aac3b9ec
Instruction ID: 8e632763ae69413c292c10be25699593f16ae07c272cf332e6a3810d8ed8946a
Opcode Fuzzy Hash: ae6c34b2ab1d96a6af72425d3ae1c45e694899c2026521aa74062b41aac3b9ec
Instruction Fuzzy Hash: 17012B33E0566016D6356234EC46B7E775A4B81FF4F39031DF9589B1D2DEA68C83B290

Function 00F73599 Relevance: 4.6, APIs: 3, Instructions: 51COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(?,00000000,?,?,00F350AA,?,?,00000000,00000000,?,?,?,?,?,?,00F34F20), ref: 00F735BE
SizeofResource.KERNEL32(?,00000000,?,?,00F350AA,?,?,00000000,00000000,?,?,?,?,?,?,00F34F20), ref: 00F735D3
LockResource.KERNEL32(00F350AA,?,?,00F350AA,?,?,00000000,00000000,?,?,?,?,?,?,00F34F20,?), ref: 00F735E6

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Resource$LoadLockSizeof
String ID:
API String ID: 2853612939-0
Opcode ID: 7db06acc6dc02b7450b19d6b60458cd3bfbeda835cac4074f3954a52d5f607e6
Instruction ID: 5b0177f29d62c7b95c587d999c6011f1551a51dd64ef31ae2b2e2f23dcf159e2
Opcode Fuzzy Hash: 7db06acc6dc02b7450b19d6b60458cd3bfbeda835cac4074f3954a52d5f607e6
Instruction Fuzzy Hash: 1A0145B0600603AFC7119FA4D808B3B7BB8EFC6321B144599F826D6190CB30E800EA71

Function 00FA2FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00FA2CD4,?,?,?,00000004,00000001), ref: 00FA2FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00FA2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00FA3006
CloseHandle.KERNEL32(00000000,?,00FA2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00FA300D

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: eb1d26463da4b061dd5a5dbcfbbcc229d8fb5e79504aea3ed54993c06fa14477
Instruction ID: 6c6b702ec25f6a91ee98b77caf2928e3214791d8b237778fb10c80af99d54cee
Opcode Fuzzy Hash: eb1d26463da4b061dd5a5dbcfbbcc229d8fb5e79504aea3ed54993c06fa14477
Instruction Fuzzy Hash: F2E0863268021477E2311756BD0EF8B3A1CDB86B75F144210F75D760D046A1150162E8

Function 00F41310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00F417F6

Strings

CALL, xrefs: 00F417C6

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 34554ddd2243b61b6df36d93af6adc97f1f1a2229ce75f0df812c727e9430ca7
Instruction ID: 80d2b4b44797fbb8d0bcedbd3c31efa181f4132a16dd3bf9a4ab7ef42954fc0b
Opcode Fuzzy Hash: 34554ddd2243b61b6df36d93af6adc97f1f1a2229ce75f0df812c727e9430ca7
Instruction Fuzzy Hash: A5229D70A083019FC714DF14C894B6ABBF1BF85314F18891DF89A8B3A1D775E885EB92

Function 00FA6EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FA6F6B

Part of subcall function 00F34ECB: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,01001418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F34EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00FA6F5A, 00FA6F63

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 7be0d25f0a913a379952957f0a908adacab62d78d667d9e3ace1cfa964d0ca81
Instruction ID: 6483c21008278486e5b08001b79536d2afc62e07706e45b82706c54aef3b81ea
Opcode Fuzzy Hash: 7be0d25f0a913a379952957f0a908adacab62d78d667d9e3ace1cfa964d0ca81
Instruction Fuzzy Hash: 39B1A2715083019FCB14EF20CC91DAEB7E5AF95320F04891DF596972A2EB34ED49EB92

Function 00F32DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00F72C8C

Part of subcall function 00F33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F33A97,?,?,00F32E7F,?,?,?,00000000), ref: 00F33AC2

Part of subcall function 00F32DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F32DC4

Strings

X, xrefs: 00F72C5A

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 863cb8aaea7b5bf0f6d10b248a8bb5d159ddda94a66d77e3397f2e01e58f8844
Instruction ID: f463f45a483bca0cf551e467205d2ee05d116a16dc0aabe6437f73c1fe522bfb
Opcode Fuzzy Hash: 863cb8aaea7b5bf0f6d10b248a8bb5d159ddda94a66d77e3397f2e01e58f8844
Instruction Fuzzy Hash: F2219671A0025C9BCB41EF94CC45BEE7BF8AF49324F00805AE505E7241DBB855899FA1

Function 00FA2557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00FA2587

Strings

EA06, xrefs: 00FA25B9

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: d71f30130c5cd2e076a40f1839d58d6f0fdbf52dc409ca6f9940a87c32cbee8c
Instruction ID: 0ce25b54976abf60125f93f515e3ba98a171b11fbe8ba41e0558240d884f3fe3
Opcode Fuzzy Hash: d71f30130c5cd2e076a40f1839d58d6f0fdbf52dc409ca6f9940a87c32cbee8c
Instruction Fuzzy Hash: 7901F5B2D042187EDF18C7A8CC16EAEBBF89B05301F00455AE652D2181E4B8E7089B60

Function 00F33837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F33908

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 94f9ae23708f68211df26f09975abe23c9fc523eddfcd5c97098700491d5b570
Instruction ID: e8bd2233c130f8bd63353a330dd5aad0015a9c5f13a37dc633a250dd8d97b386
Opcode Fuzzy Hash: 94f9ae23708f68211df26f09975abe23c9fc523eddfcd5c97098700491d5b570
Instruction Fuzzy Hash: A331D271904300DFD721DF24D88579BBBE8FB49329F00092EF5D983280E775AA44DB92

Function 00F35745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00F3949C,?,00008000), ref: 00F35773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00F3949C,?,00008000), ref: 00F74052

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6840d34cbed91b6a7a1e1cb360d9f14ed96c68c826708f8b1c78a520a715f364
Instruction ID: cefcaca706d1b3c1c15be1b0168cb16d97e3d6eabb9af5fbce955b5e48eb23b2
Opcode Fuzzy Hash: 6840d34cbed91b6a7a1e1cb360d9f14ed96c68c826708f8b1c78a520a715f364
Instruction Fuzzy Hash: BC018031545229B6E7314A2ACC0EF9B7F98EF42BB0F148201BE9C5A1E0C7B45854EBD0

Function 00F36E14 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000002,?,?,?,?,00F39879,?,?,?), ref: 00F36E33
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,00F39879,?,?,?), ref: 00F36E69

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: ce418a1f0d5734e5d50af2f67a0c776b55c39539fdf6d43760120aef8c9b49bd
Instruction ID: 11174b1b41931399ae217413ae2c71350fcfa386460437d4a07630de4435d162
Opcode Fuzzy Hash: ce418a1f0d5734e5d50af2f67a0c776b55c39539fdf6d43760120aef8c9b49bd
Instruction Fuzzy Hash: 9E01F7713002047FEB186B7ADD0BF7F7AADDB85710F14403DF50ADA1E1E960AC006564

Function 011A06CD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 011A0EFD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 011A0F21
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 011A0F43

Memory Dump Source

Source File: 00000000.00000002.1720483954.000000000119F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0119F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_119f000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction ID: acf276a37833e8ab60457fef55e44b550baf57c7793e9285ae479067b26f279e
Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction Fuzzy Hash: 6B12DE24E24658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A

Function 00F4FC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00F4FD1F

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 4fc24fbe9be88c790d326802d0bc4626d1e04ff27b7ea0630cd032a832b58ecb
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 2D31E275E0010A9BC718CF59D4C0A69FBB1FB49310B6486A5E80ACB656D731EEC5EBC0

Function 00F34ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F34E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F34EDD,?,01001418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F34E9C
Part of subcall function 00F34E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F34EAE
Part of subcall function 00F34E90: FreeLibrary.KERNEL32(00000000,?,?,00F34EDD,?,01001418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F34EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,01001418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F34EFD

Part of subcall function 00F34E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F73CDE,?,01001418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F34E62
Part of subcall function 00F34E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F34E74
Part of subcall function 00F34E59: FreeLibrary.KERNEL32(00000000,?,?,00F73CDE,?,01001418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F34E87

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 8185344328ffa1651327d8b951a6e7faec65d0b491ba7b0dcf2e9678d585e6fd
Instruction ID: 68660fb62f2bf9f7d39708997c0d09d5d1ff3b1832b52bb15a7fc5746620a706
Opcode Fuzzy Hash: 8185344328ffa1651327d8b951a6e7faec65d0b491ba7b0dcf2e9678d585e6fd
Instruction Fuzzy Hash: 7A11E732600205AACB14BB74DD12FAD77A59F40B21F14842EF546AB1C1EE78FA45BB50

Function 00F68402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00F68440

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: f9bc575c94c84168df9a0bd83cccc896ef699e35affb92aece2257d3fb434347
Instruction ID: 5c0fea0aca42c7e61c827e34b9f0990598741de2daf00f78a963b6f8c5584909
Opcode Fuzzy Hash: f9bc575c94c84168df9a0bd83cccc896ef699e35affb92aece2257d3fb434347
Instruction Fuzzy Hash: A311487190410AAFCB05DF58E940ADA7BF4EF48310F104199F808AB302DA31DA22DBA5

Function 00F39A40 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,00F3543F,?,00010000,00000000,00000000,00000000,00000000), ref: 00F39A9C

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0b7ea997a93f81a942a680621b13ae0c18ec5cf972c5a3a4716dbaa11c9511b9
Instruction ID: bad57ab470bde8711a7f9bf587745c2699de1fd6a36a085749a993ac58d42e8c
Opcode Fuzzy Hash: 0b7ea997a93f81a942a680621b13ae0c18ec5cf972c5a3a4716dbaa11c9511b9
Instruction Fuzzy Hash: 20113A312087059FDB20CE05C881B66B7E9AB44764F14C52DE9AB86651C7F4A945EB60

Function 00F65000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F64C7D: RtlAllocateHeap.NTDLL(00000008,00F31129,00000000,?,00F62E29,00000001,00000364,?,?,?,00F5F2DE,00F63863,01001444,?,00F4FDF5,?), ref: 00F64CBE

_free.LIBCMT ref: 00F6506C

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 04d33c3adbb5d6006091d65ce312ddcb2a3ab86f8bf3ae03c7dd3bbcc804fca6
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 520126726047056BE3218F69DC81A5AFBE8FB89370F25051DE18493280EA30A805D6B4

Function 00F5E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 718d14819423378520daf09ab3ee4d0d422975cd17a89ab21a341648368bc2e1
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 21F02D32921E149AC7353A69CC05B5A37999F523B3F100715FE21931D1CB78D90AB9A5

Function 00F64C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00F31129,00000000,?,00F62E29,00000001,00000364,?,?,?,00F5F2DE,00F63863,01001444,?,00F4FDF5,?), ref: 00F64CBE

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1e9a81fc45117cf31e5a9ce07e9a4e22a2a0e623ca2af1dda1ec4006fdc17fe8
Instruction ID: b90b32f8c55102fe128cbab768761ead743bfc05cfcab3cedee7cb8e336cab72
Opcode Fuzzy Hash: 1e9a81fc45117cf31e5a9ce07e9a4e22a2a0e623ca2af1dda1ec4006fdc17fe8
Instruction Fuzzy Hash: D2F0B432A0222467DB217F669C09B5A3798AF817B1B144111BD19E7781CA34F801B6E0

Function 00F63820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,01001444,?,00F4FDF5,?,?,00F3A976,00000010,01001440,00F313FC,?,00F313C6,?,00F31129), ref: 00F63852

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 24842ec7ea6a4e9afa30148df44c0524b4cd87d4be9698ba5e3d336ec35b58aa
Instruction ID: dc6557735bf64e6eb3b4105e41d3d008fa7eb09b7bd8ec4a657f5b3868883ed3
Opcode Fuzzy Hash: 24842ec7ea6a4e9afa30148df44c0524b4cd87d4be9698ba5e3d336ec35b58aa
Instruction Fuzzy Hash: 7FE0653390122456E63126779D05BDA3749AB427B1F190121BD5597581DB25ED01B3E1

Function 00F34F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,01001418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F34F6D

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 89863dc04121dab2bd7e94b1165e0072164e30ae4dd6ce552e837d414423016a
Instruction ID: 3b33e3b2d7e9857f41b6cdf2e404f08509f960df77ed4508c4183fc80664881e
Opcode Fuzzy Hash: 89863dc04121dab2bd7e94b1165e0072164e30ae4dd6ce552e837d414423016a
Instruction Fuzzy Hash: DDF01C71505751CFDB349F75D490912B7E4AF1433971889AEE1EA83611C731B844EF50

Function 00F32DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F32DC4

Part of subcall function 00F36B57: _wcslen.LIBCMT ref: 00F36B6A

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 1160767055506a78d41c8c47cadf9a53feee97ca3879741c0aa2bdbc8cb5e7f1
Instruction ID: 0bb9ea6d82c86d7bfa876251b671c2465bbcfd7f0818c69e262a37bd64e93781
Opcode Fuzzy Hash: 1160767055506a78d41c8c47cadf9a53feee97ca3879741c0aa2bdbc8cb5e7f1
Instruction Fuzzy Hash: 8CE0CD72A001245BC71092589C06FDA77DDDFC8790F054071FD0DD7248D964AD849691

Function 00FA2693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00FA26B5

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: 3cb17d7fc8be661524d6952a562375e84517281c519b3355382f48c8b5b0af19
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: E1E04FB060AB005FDF3D5A2CA9517B677E89F4A311F00086EF69F82352E57268459A4D

Function 00F32B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00F33837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F33908

SetCurrentDirectoryW.KERNEL32(?), ref: 00F32B6B

Part of subcall function 00F330F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00F3314E

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectory
String ID:
API String ID: 2619246295-0
Opcode ID: cf424881186949db127045d469ac93f555dbba7ff88bbc1b431d79e9a526e5b2
Instruction ID: 7cba9fef76d9419a4c8eab5d41ce282b3e859ba8708b8b23bb77ac5f91907e7d
Opcode Fuzzy Hash: cf424881186949db127045d469ac93f555dbba7ff88bbc1b431d79e9a526e5b2
Instruction Fuzzy Hash: 54E0C23270824807CA09FB74AC529BDF7599BD5375F40153EF286831A3CF7D8A49A352

Function 00F7039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00F70704,?,?,00000000,?,00F70704,00000000,0000000C), ref: 00F703B7

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7066e603521015cc981bc968a756a9999dd613e4e7d51e9b01758365827cb4c8
Instruction ID: db1040b6e8ae096eb3fe68a5d86efb09314944d89bf253344ea7627a283d06ff
Opcode Fuzzy Hash: 7066e603521015cc981bc968a756a9999dd613e4e7d51e9b01758365827cb4c8
Instruction Fuzzy Hash: EDD06C3204010DBBDF028F85DD06EDA3BAAFB48714F014000FE1856020C732E821AB90

Function 00F31CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00F31CBC

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 767ddd735556f1ac4fefac3ff07a24db44879abf47c7fa3025a9c78a82407216
Instruction ID: 2c2704f0bd9474643d1bd0323a23434cc4b21109299ad972a0468de871746e72
Opcode Fuzzy Hash: 767ddd735556f1ac4fefac3ff07a24db44879abf47c7fa3025a9c78a82407216
Instruction Fuzzy Hash: D2C09236280308EFF3268B80BD4FF107765A348B01F088401F68EAA5D7C7B76861EB94

Function 00FA744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00F35745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00F3949C,?,00008000), ref: 00F35773

GetLastError.KERNEL32(00000002,00000000), ref: 00FA76DE

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: a2a00397ab4bfabfea82dd0bc5008df3af95ff9ebf828a426383b5750a3bceb8
Instruction ID: 88a9bed469f426a39fbc461d0053d1f95d18846af73b2d35092315090d56a963
Opcode Fuzzy Hash: a2a00397ab4bfabfea82dd0bc5008df3af95ff9ebf828a426383b5750a3bceb8
Instruction Fuzzy Hash: 268193706087019FCB15EF28C891B6AB7E1BF89360F04451DF8865B3A2DB74ED45EB92

Function 011A16D0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 011A16E1

Memory Dump Source

Source File: 00000000.00000002.1720483954.000000000119F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0119F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_119f000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 3469be9eb7b6d39b24e81f4f0e09c0c485ac26e492deb8291ca75d086c2fa60f
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 94E0E67494010EEFDB00EFB4D54969E7FB4EF04301F500161FD05D2281DB709D508A62

Non-executed Functions

Function 00FC9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00F49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F49BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00FC961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FC965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00FC969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FC96C9
SendMessageW.USER32 ref: 00FC96F2
GetKeyState.USER32(00000011), ref: 00FC978B
GetKeyState.USER32(00000009), ref: 00FC9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FC97AE
GetKeyState.USER32(00000010), ref: 00FC97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FC97E9
SendMessageW.USER32 ref: 00FC9810
SendMessageW.USER32(?,00001030,?,00FC7E95), ref: 00FC9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00FC992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00FC9941
SetCapture.USER32(?), ref: 00FC994A
ClientToScreen.USER32(?,?), ref: 00FC99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00FC99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00FC99D6
ReleaseCapture.USER32 ref: 00FC99E1
GetCursorPos.USER32(?), ref: 00FC9A19
ScreenToClient.USER32(?,?), ref: 00FC9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00FC9A80
SendMessageW.USER32 ref: 00FC9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00FC9AEB
SendMessageW.USER32 ref: 00FC9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00FC9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00FC9B4A
GetCursorPos.USER32(?), ref: 00FC9B68
ScreenToClient.USER32(?,?), ref: 00FC9B75
GetParent.USER32(?), ref: 00FC9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00FC9BFA
SendMessageW.USER32 ref: 00FC9C2B
ClientToScreen.USER32(?,?), ref: 00FC9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00FC9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00FC9CDE
SendMessageW.USER32 ref: 00FC9D01
ClientToScreen.USER32(?,?), ref: 00FC9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00FC9D82

Part of subcall function 00F49944: GetWindowLongW.USER32(?,000000EB), ref: 00F49952

GetWindowLongW.USER32(?,000000F0), ref: 00FC9E05

Strings

@GUI_DRAGID, xrefs: 00FC997D
F, xrefs: 00FC9D07

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 569893073e6c0fda8e2cafa74a96301abfa8b215389fbe9f03484840085997dc
Instruction ID: 03699eae7e643aabda349c6524a332903ed8f156269aaa4dd5dd64aa9a1c6343
Opcode Fuzzy Hash: 569893073e6c0fda8e2cafa74a96301abfa8b215389fbe9f03484840085997dc
Instruction Fuzzy Hash: 32428D31608206AFD725CF24CE4AFAABBE5FF48320F14061DF599872A1D7B1D950EB91

Function 00FC4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00FC48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00FC4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00FC4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00FC494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00FC495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00FC497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00FC49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00FC49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00FC4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00FC4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00FC4A7E
IsMenu.USER32(?), ref: 00FC4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FC4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FC4B20
GetWindowLongW.USER32(?,000000F0), ref: 00FC4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00FC4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00FC4C82
wsprintfW.USER32 ref: 00FC4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FC4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00FC4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00FC4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FC4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00FC4D5A

Strings

%d/%02d/%02d, xrefs: 00FC4CA8

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 5b5ee2a83ad1ca9a1cc87a8b92c39df7977b3e85bcad0d859634c0f4e7999d2a
Instruction ID: 569443d7e3f5b33a97ad315d7ecbf2645168d6d58de6cf60d25f3de2bf60de2f
Opcode Fuzzy Hash: 5b5ee2a83ad1ca9a1cc87a8b92c39df7977b3e85bcad0d859634c0f4e7999d2a
Instruction Fuzzy Hash: A512257190021AABEB248F24CE5AFAE7BF8EF45720F10411DF51ADB2E1D774A940EB50

Function 00F4F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,00000000), ref: 00F4F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F8F474
IsIconic.USER32(00000000), ref: 00F8F47D
ShowWindow.USER32(00000000,00000009), ref: 00F8F48A
SetForegroundWindow.USER32(00000000), ref: 00F8F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F8F4AA
GetCurrentThreadId.KERNEL32 ref: 00F8F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F8F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F8F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F8F4D6
AttachThreadInput.USER32(00000000,?,00000001), ref: 00F8F4DE
SetForegroundWindow.USER32(00000000), ref: 00F8F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F8F4F6
keybd_event.USER32(00000012,00000000), ref: 00F8F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F8F50B
keybd_event.USER32(00000012,00000000), ref: 00F8F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F8F519
keybd_event.USER32(00000012,00000000), ref: 00F8F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F8F528
keybd_event.USER32(00000012,00000000), ref: 00F8F52D
SetForegroundWindow.USER32(00000000), ref: 00F8F530
AttachThreadInput.USER32(?,?,00000000), ref: 00F8F557

Strings

Shell_TrayWnd, xrefs: 00F8F46F

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 913ed849ed511c916dcac2ccfa4d350b5baa2547c7d3b5e7240978a1439ad566
Instruction ID: 66b94b354b41e1a1a33ae42bf411182ef4e4d23600a58afc0fbb8b98ad124024
Opcode Fuzzy Hash: 913ed849ed511c916dcac2ccfa4d350b5baa2547c7d3b5e7240978a1439ad566
Instruction Fuzzy Hash: B8315071A4021CBEEB206BB55D4AFBF7E6CEB44B50F140426FA09EB1D1C6B15900BBA0

Function 00F91201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00F916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F9170D
Part of subcall function 00F916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F9173A
Part of subcall function 00F916C3: GetLastError.KERNEL32 ref: 00F9174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00F91286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00F912A8
CloseHandle.KERNEL32(?), ref: 00F912B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00F912D1
GetProcessWindowStation.USER32 ref: 00F912EA
SetProcessWindowStation.USER32(00000000), ref: 00F912F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00F91310

Part of subcall function 00F910BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F911FC), ref: 00F910D4
Part of subcall function 00F910BF: CloseHandle.KERNEL32(?,?,00F911FC), ref: 00F910E9

Strings

default, xrefs: 00F9130B
, xrefs: 00F9125A
winsta0, xrefs: 00F912CC

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: e644470e008a09e89c0676a6d39edb359b9a27e111a4c6a417b528246a43a9c2
Instruction ID: 534511dd67dbfaed8130fe2ad68ad1bc4081947cfdb4c9fe9fcdc7bfa6173b78
Opcode Fuzzy Hash: e644470e008a09e89c0676a6d39edb359b9a27e111a4c6a417b528246a43a9c2
Instruction Fuzzy Hash: 98819E71D0020AABEF10DFA8DD49FEE7BB9FF09714F044129FA14A61A0C7358954EB60

Function 00F90B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F91114
Part of subcall function 00F910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00F90B9B,?,?,?), ref: 00F91120
Part of subcall function 00F910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00F90B9B,?,?,?), ref: 00F9112F
Part of subcall function 00F910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00F90B9B,?,?,?), ref: 00F91136
Part of subcall function 00F910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F9114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F90BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F90C00
GetLengthSid.ADVAPI32(?), ref: 00F90C17
GetAce.ADVAPI32(?,00000000,?), ref: 00F90C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F90C6D
GetLengthSid.ADVAPI32(?), ref: 00F90C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00F90C8C
HeapAlloc.KERNEL32(00000000), ref: 00F90C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F90CB4
CopySid.ADVAPI32(00000000), ref: 00F90CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F90CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F90D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F90D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F90D45
HeapFree.KERNEL32(00000000), ref: 00F90D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F90D55
HeapFree.KERNEL32(00000000), ref: 00F90D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F90D65
HeapFree.KERNEL32(00000000), ref: 00F90D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00F90D78
HeapFree.KERNEL32(00000000), ref: 00F90D7F

Part of subcall function 00F91193: GetProcessHeap.KERNEL32(00000008,00F90BB1,?,00000000,?,00F90BB1,?), ref: 00F911A1
Part of subcall function 00F91193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00F90BB1,?), ref: 00F911A8
Part of subcall function 00F91193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00F90BB1,?), ref: 00F911B7

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: fdc5efa5f37bb8cbe081b1409070b53ebbfce131e8420d66f424ef408294f2b0
Instruction ID: 2c5628d3e8a78c255399cba5f805be21554b4a02120895d2eb56ef3fe84ed4ca
Opcode Fuzzy Hash: fdc5efa5f37bb8cbe081b1409070b53ebbfce131e8420d66f424ef408294f2b0
Instruction Fuzzy Hash: 96715972D0020AAFEF109FA5DD45FAEBBBCBF04314F044515E918E7291DB75A905EBA0

Function 00FAEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00FCCC08), ref: 00FAEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00FAEB37
GetClipboardData.USER32(0000000D), ref: 00FAEB43
CloseClipboard.USER32 ref: 00FAEB4F
GlobalLock.KERNEL32(00000000), ref: 00FAEB87
CloseClipboard.USER32 ref: 00FAEB91
GlobalUnlock.KERNEL32(00000000), ref: 00FAEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00FAEBC9
GetClipboardData.USER32(00000001), ref: 00FAEBD1
GlobalLock.KERNEL32(00000000), ref: 00FAEBE2
GlobalUnlock.KERNEL32(00000000), ref: 00FAEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00FAEC38
GetClipboardData.USER32(0000000F), ref: 00FAEC44
GlobalLock.KERNEL32(00000000), ref: 00FAEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00FAEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00FAEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00FAECD2
GlobalUnlock.KERNEL32(00000000), ref: 00FAECF3
CountClipboardFormats.USER32 ref: 00FAED14
CloseClipboard.USER32 ref: 00FAED59

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 7ad2b238354473658119414eda9b9f1fbcc78891afb35a3d2ef01ef6013c0353
Instruction ID: 401867b89ef2be3a35334e9ce4f8fbcb2032bcdd99ec595356ace42521f577a0
Opcode Fuzzy Hash: 7ad2b238354473658119414eda9b9f1fbcc78891afb35a3d2ef01ef6013c0353
Instruction Fuzzy Hash: 50610175204306AFD300EF20CD89F6AB7A4AF85764F14441DF85A872A2CB71DD06EBA2

Function 00FA698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FA69BE
FindClose.KERNEL32(00000000), ref: 00FA6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FA6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FA6A75

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00FA6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00FA6ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00FA6B6A
%02d, xrefs: 00FA6C00, 00FA6C0A, 00FA6C5A, 00FA6CAA, 00FA6CFA, 00FA6D4A
%03d, xrefs: 00FA6DA2
%4d, xrefs: 00FA6BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00FA6B32

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 108612fb7c021735c0400c8c0b04df359be105cbc1a2cb29f6fbbf66184f9aad
Instruction ID: a4512fbb2d151209966a2b84d20d6ab7dc2a81c7b0999f1288b4cb6ef4112b2d
Opcode Fuzzy Hash: 108612fb7c021735c0400c8c0b04df359be105cbc1a2cb29f6fbbf66184f9aad
Instruction Fuzzy Hash: FFD185B2508304AFC314EBA0CD85EABB7ECAF89714F44491DF589D7151EB78DA04DB62

Function 00FA9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00FA9663
GetFileAttributesW.KERNEL32(?), ref: 00FA96A1
SetFileAttributesW.KERNEL32(?,?), ref: 00FA96BB
FindNextFileW.KERNEL32(00000000,?), ref: 00FA96D3
FindClose.KERNEL32(00000000), ref: 00FA96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00FA96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00FA974A
SetCurrentDirectoryW.KERNEL32(00FF6B7C), ref: 00FA9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FA9772
FindClose.KERNEL32(00000000), ref: 00FA977F
FindClose.KERNEL32(00000000), ref: 00FA978F

Strings

*.*, xrefs: 00FA96F5

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: fddc28b1b18f32b89e12057ec3f86f788145ae9278b4ee576d12a2d21aea8d3a
Instruction ID: 3e724c934f26e5c69ba7210438ba08ebd6a2ff2254e9da7aaadeaf3062dc6fe3
Opcode Fuzzy Hash: fddc28b1b18f32b89e12057ec3f86f788145ae9278b4ee576d12a2d21aea8d3a
Instruction Fuzzy Hash: 7E31E27290420D6ADF10EFB4ED09EEE77AC9F4A320F1040A5FA18E31A0DB74D944AE60

Function 00FA979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00FA97BE
FindNextFileW.KERNEL32(00000000,?), ref: 00FA9819
FindClose.KERNEL32(00000000), ref: 00FA9824
FindFirstFileW.KERNEL32(*.*,?), ref: 00FA9840
SetCurrentDirectoryW.KERNEL32(?), ref: 00FA9890
SetCurrentDirectoryW.KERNEL32(00FF6B7C), ref: 00FA98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FA98B8
FindClose.KERNEL32(00000000), ref: 00FA98C5
FindClose.KERNEL32(00000000), ref: 00FA98D5

Part of subcall function 00F9DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00F9DB00

Strings

*.*, xrefs: 00FA983B

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: b729705b0e19e12b443814714582942f4bc860658ee7b18565003aafd9071aed
Instruction ID: 683f03b214e84b412490dfbb79b6152c1d8145e5db5689572f755bff1fff1463
Opcode Fuzzy Hash: b729705b0e19e12b443814714582942f4bc860658ee7b18565003aafd9071aed
Instruction Fuzzy Hash: 2F31C37290421D6ADB10EFB4EC49EEE77AC9F47330F5041A5E914E30A0DBB8D945EB60

Function 00FBBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FBC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FBB6AE,?,?), ref: 00FBC9B5
Part of subcall function 00FBC998: _wcslen.LIBCMT ref: 00FBC9F1
Part of subcall function 00FBC998: _wcslen.LIBCMT ref: 00FBCA68
Part of subcall function 00FBC998: _wcslen.LIBCMT ref: 00FBCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FBBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00FBBFA9
RegCloseKey.ADVAPI32(00000000), ref: 00FBBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00FBC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00FBC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00FBC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00FBC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00FBC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00FBC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00FBC382
RegCloseKey.ADVAPI32(00000000), ref: 00FBC38F

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: f929b00cfc22f4341cb614adc22c8ad176e04bb712e599c7101c391993d6f0b3
Instruction ID: caeb6d2617d56eca89b4920ffa1d8d5e41bc986afe137168bd7eac8f28405e05
Opcode Fuzzy Hash: f929b00cfc22f4341cb614adc22c8ad176e04bb712e599c7101c391993d6f0b3
Instruction Fuzzy Hash: D5025B71604200AFC714DF29C891E6ABBE5AF89318F58849DF84ADB2A2D731EC45DF91

Function 00FA8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00FA8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00FA8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00FA8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FA8310
SetCurrentDirectoryW.KERNEL32(?), ref: 00FA8324
SetCurrentDirectoryW.KERNEL32(?), ref: 00FA8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00FA838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00FA8395

Strings

*.*, xrefs: 00FA839B

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 37825269ef1e855fba01f60e208668ee6d289bf34000b041fbaee4c4ec31ebad
Instruction ID: bf71991163eede01e58258ccf49e5ef5aa8fc3107ad5d29bcac5c57266d25b20
Opcode Fuzzy Hash: 37825269ef1e855fba01f60e208668ee6d289bf34000b041fbaee4c4ec31ebad
Instruction Fuzzy Hash: BD618DB25083059FCB10EF60C841AAEB3E8FF89360F04491EF989D7251DB75E946DB92

Function 00F9D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F33A97,?,?,00F32E7F,?,?,?,00000000), ref: 00F33AC2

Part of subcall function 00F9E199: GetFileAttributesW.KERNEL32(?,00F9CF95), ref: 00F9E19A

FindFirstFileW.KERNEL32(?,?), ref: 00F9D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00F9D1DD
MoveFileW.KERNEL32(?,?), ref: 00F9D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00F9D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F9D237

Part of subcall function 00F9D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00F9D21C,?,?), ref: 00F9D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00F9D253
FindClose.KERNEL32(00000000), ref: 00F9D264

Strings

\*.*, xrefs: 00F9D0CD, 00F9D0D6, 00F9D0EB

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 93cedabef000a39a38fe3a00d352f22c9982e6571aec1978d63f8750e059673a
Instruction ID: 895fff2caea2a56d673fd1de845b39729cbbdb5c94e15afb2e793249bd0fd341
Opcode Fuzzy Hash: 93cedabef000a39a38fe3a00d352f22c9982e6571aec1978d63f8750e059673a
Instruction Fuzzy Hash: AB617C31C0510DAADF05EBE0CE929EDB7B5AF54320F704065E442B71A1EB78AF09EB60

Function 00FAED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00FAED91
EmptyClipboard.USER32 ref: 00FAED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00FAEDAC
CloseClipboard.USER32 ref: 00FAEEA3

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: f936661ce0d9d7d87428582a5f07f749d5c323930f3530bacf1f55a2be0a2600
Instruction ID: 6b87a5878e411813d747dbac8365415b5949abe794322030a38a804b69c15d87
Opcode Fuzzy Hash: f936661ce0d9d7d87428582a5f07f749d5c323930f3530bacf1f55a2be0a2600
Instruction Fuzzy Hash: 2941EC75604211AFE320CF25D989F19BBE0EF05329F05C09DE4198B662C735EC42EBD0

Function 00F9E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00F916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F9170D
Part of subcall function 00F916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F9173A
Part of subcall function 00F916C3: GetLastError.KERNEL32 ref: 00F9174A

ExitWindowsEx.USER32(?,00000000), ref: 00F9E932

Strings

@, xrefs: 00F9E925
, xrefs: 00F9E920
SeShutdownPrivilege, xrefs: 00F9E902
, xrefs: 00F9E95C

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 8b2c127e45420fd496b25820c647ee7f388b6e2327181da1bf35342dbd00b877
Instruction ID: b1410a36289ed5971e17b6e3aee559f1343b4637550da814c13f20a0bf600ccb
Opcode Fuzzy Hash: 8b2c127e45420fd496b25820c647ee7f388b6e2327181da1bf35342dbd00b877
Instruction Fuzzy Hash: 6101D673E10215ABFF64A6B49D86FBB726CAB14760F150821FD03E31D1D9A55C40B1D0

Function 00FB1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00FB1276
WSAGetLastError.WSOCK32 ref: 00FB1283
bind.WSOCK32(00000000,?,00000010), ref: 00FB12BA
WSAGetLastError.WSOCK32 ref: 00FB12C5
closesocket.WSOCK32(00000000), ref: 00FB12F4
listen.WSOCK32(00000000,00000005), ref: 00FB1303
WSAGetLastError.WSOCK32 ref: 00FB130D
closesocket.WSOCK32(00000000), ref: 00FB133C

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 69b3b0daaa46edfc03d0bbd8a1bf990f09bb794ba62f828967c76ad39a539a54
Instruction ID: 8edb029f9820aa30f8cadd1204946c8129908ad36132d78382e1f93b45b9d465
Opcode Fuzzy Hash: 69b3b0daaa46edfc03d0bbd8a1bf990f09bb794ba62f828967c76ad39a539a54
Instruction Fuzzy Hash: 8641D131A001009FD710DF25C999B6ABBE5BF46328F588088E85A8F2D2C731EC81DFE0

Function 00F9D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F33A97,?,?,00F32E7F,?,?,?,00000000), ref: 00F33AC2

Part of subcall function 00F9E199: GetFileAttributesW.KERNEL32(?,00F9CF95), ref: 00F9E19A

FindFirstFileW.KERNEL32(?,?), ref: 00F9D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00F9D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F9D481
FindClose.KERNEL32(00000000), ref: 00F9D498
FindClose.KERNEL32(00000000), ref: 00F9D4A1

Strings

\*.*, xrefs: 00F9D3F2

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 16e5b4b157de8dd438049e9870f68b1f3f672f519cb3ae38a8c2e48c2a9a8f59
Instruction ID: 4684b7dbbdf799868627d98a0aab3a09d11fa2b9e2a0d0ee3be0098cea873a51
Opcode Fuzzy Hash: 16e5b4b157de8dd438049e9870f68b1f3f672f519cb3ae38a8c2e48c2a9a8f59
Instruction Fuzzy Hash: 5331AE3140C3459BC704EF64DD929AFB7A8AE91324F504A1DF4D5931A1EB34EA09EBA3

Function 00F6E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00F6E645

Strings

1#IND, xrefs: 00F6F83D
1#SNAN, xrefs: 00F6F844
1#INF, xrefs: 00F6F852
1#QNAN, xrefs: 00F6F84B

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: fc7635dacc55c666b1f99923e768132e3c4a565d0d225f4c840f9764bec82cb6
Instruction ID: 6e9f9d183786c1314d3eefc0c32bea864f6d68523aef12fb186d5ec723408137
Opcode Fuzzy Hash: fc7635dacc55c666b1f99923e768132e3c4a565d0d225f4c840f9764bec82cb6
Instruction Fuzzy Hash: 60C25D72E046288FDB25CF28DD407EAB7B5EB45315F1441EAD80EE7241E778AE85AF40

Function 00FA648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FA64DC
CoInitialize.OLE32(00000000), ref: 00FA6639
CoCreateInstance.OLE32(00FCFCF8,00000000,00000001,00FCFB68,?), ref: 00FA6650
CoUninitialize.OLE32 ref: 00FA68D4

Strings

.lnk, xrefs: 00FA64BA, 00FA6524, 00FA65E0

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: a807a3e25635b64fe1b65b468b9535fb546300655e68038722060574964c9747
Instruction ID: 260c9c6e996505db9fbd9bde3f07dab6cb9d67b1c0d06f697b0399aaa6066e53
Opcode Fuzzy Hash: a807a3e25635b64fe1b65b468b9535fb546300655e68038722060574964c9747
Instruction Fuzzy Hash: A8D149B1508301AFC314EF24C881A6BB7E8FF99714F04496DF595CB2A1EB74E909DB92

Function 00FB22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00FB22E8

Part of subcall function 00FAE4EC: GetWindowRect.USER32(?,?), ref: 00FAE504

GetDesktopWindow.USER32 ref: 00FB2312
GetWindowRect.USER32(00000000), ref: 00FB2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00FB2355
GetCursorPos.USER32(?), ref: 00FB2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00FB23DF

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 04585feceee80c063956bbdcad973534db269b35056c5f27c130b63949e155bb
Instruction ID: d313c1f98dbfdf9dcb920968b91fd3a18ff19216bc8e56dbaaba6f8340e1f867
Opcode Fuzzy Hash: 04585feceee80c063956bbdcad973534db269b35056c5f27c130b63949e155bb
Instruction Fuzzy Hash: 6531BE72504319ABDB20DF55CC49F9BB7E9FF88310F040919F98997191DB34E909DB92

Function 00FA9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00FA9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00FA9C8B

Part of subcall function 00FA3874: GetInputState.USER32 ref: 00FA38CB
Part of subcall function 00FA3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FA3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00FA9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00FA9C75

Strings

*.*, xrefs: 00FA9B5D

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 9dd74fb6eae7ee452db06a2875d77958681f175b8d1732b0ac1d5901921ca754
Instruction ID: 2bf99127ac93f0e4897ea5a521d6af9ba03f46a13c2d1ff7eeb493589ee77eb2
Opcode Fuzzy Hash: 9dd74fb6eae7ee452db06a2875d77958681f175b8d1732b0ac1d5901921ca754
Instruction Fuzzy Hash: 1641B3B1D0860A9FCF14DFA4CD45AEE7BB4EF46320F104065E915A3191DB709E44EF60

Function 00F4997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00F49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F49BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00F49A4E
GetSysColor.USER32(0000000F), ref: 00F49B23
SetBkColor.GDI32(?,00000000), ref: 00F49B36

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: db31dd9fc1accd064f11d40895757f1db21b6ef810f5592c50597c01dbad6590
Instruction ID: 339451f0320c5facff4b5e6b4148a86d8d17b4cee7d2b723625e697445a7cd91
Opcode Fuzzy Hash: db31dd9fc1accd064f11d40895757f1db21b6ef810f5592c50597c01dbad6590
Instruction Fuzzy Hash: 99A1D67170C554AEE725BA288C49FBF3E9DDB82360F240209F902C6595CAADDE41F371

Function 00FB1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FB307A
Part of subcall function 00FB304E: _wcslen.LIBCMT ref: 00FB309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00FB185D
WSAGetLastError.WSOCK32 ref: 00FB1884
bind.WSOCK32(00000000,?,00000010), ref: 00FB18DB
WSAGetLastError.WSOCK32 ref: 00FB18E6
closesocket.WSOCK32(00000000), ref: 00FB1915

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: fcc3d2ae6d6b87370b0ba4f01ea0bc22a9fedf2ee5207b2adc48c8d90dfe25c1
Instruction ID: 24c6fd9b955d982b44c1d9fbaa13e3269262d48b75391c13e7f73230532a0965
Opcode Fuzzy Hash: fcc3d2ae6d6b87370b0ba4f01ea0bc22a9fedf2ee5207b2adc48c8d90dfe25c1
Instruction Fuzzy Hash: F351A375A00200AFDB10EF24C896F6A77E5AB44728F488458FA09AF3D3D775ED419BE1

Function 00FC1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00FC1CC0
IsWindowEnabled.USER32 ref: 00FC1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00FC1CDB
IsIconic.USER32 ref: 00FC1CE9
IsZoomed.USER32 ref: 00FC1CF7

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 186291802796267f917c9ab62d101c8fc0cbd8d89286f3934bcd4ad89a395543
Instruction ID: 1640b8f4fd94a481fbd33643fd6fc65a1982e3c68eb92eb268071997955093bf
Opcode Fuzzy Hash: 186291802796267f917c9ab62d101c8fc0cbd8d89286f3934bcd4ad89a395543
Instruction Fuzzy Hash: AB219131B402125FD720CF2AC986F667BA5FF86325F19805CE84A8B252C775D852EB90

Function 00F38060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00F383E8
VUUU, xrefs: 00F383FA
VUUU, xrefs: 00F75DF0
VUUU, xrefs: 00F3843C
ERCP, xrefs: 00F3813C

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: ee52fa150b0d321bfdb7a40187e847aa1df6fa56cd09dbe25d69c2a65509f32b
Instruction ID: ccb206e368d3a2de535de7a2017c52432a152b50cb44cab20740162e0ee78aa5
Opcode Fuzzy Hash: ee52fa150b0d321bfdb7a40187e847aa1df6fa56cd09dbe25d69c2a65509f32b
Instruction Fuzzy Hash: 2BA29371E0061ACBDF24CF58C8417ADB7B1BF44760F2481AAE819A7385DB749D82EF91

Function 00FBA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00FBA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00FBA6BA

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

Process32NextW.KERNEL32(00000000,?), ref: 00FBA79C
CloseHandle.KERNEL32(00000000), ref: 00FBA7AB

Part of subcall function 00F4CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00F73303,?), ref: 00F4CE8A

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 86c7df3beb99b879152f725562ecd00e544d890bb312d4565a3e2269a18fa584
Instruction ID: e952985726c4c6164ac70ecce323637fe16b94d1d9661649b42a205d0cfb413f
Opcode Fuzzy Hash: 86c7df3beb99b879152f725562ecd00e544d890bb312d4565a3e2269a18fa584
Instruction Fuzzy Hash: 55514A71508300AFD710EF25CC86A6BBBE8FF89764F40891DF98997261EB74D904DB92

Function 00F9AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00F9AAAC
SetKeyboardState.USER32(00000080), ref: 00F9AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00F9AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00F9AB88

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: f5d18c84b19043642d570f376c1c0d9fa022b954b63eff00ee03375952a034cf
Instruction ID: 84b26512794eea4bbef3bfcd3afc16b8fcbea11d98860e4f2d26e1f7e0b090a1
Opcode Fuzzy Hash: f5d18c84b19043642d570f376c1c0d9fa022b954b63eff00ee03375952a034cf
Instruction Fuzzy Hash: 59312430E40608AFFF358F698C05BFA7BA6AB84324F04421AF185921D1D7798981F7E2

Function 00F6BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00F6BB7F

Part of subcall function 00F629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F6D7D1,00000000,00000000,00000000,00000000,?,00F6D7F8,00000000,00000007,00000000,?,00F6DBF5,00000000), ref: 00F629DE
Part of subcall function 00F629C8: GetLastError.KERNEL32(00000000,?,00F6D7D1,00000000,00000000,00000000,00000000,?,00F6D7F8,00000000,00000007,00000000,?,00F6DBF5,00000000,00000000), ref: 00F629F0

GetTimeZoneInformation.KERNEL32 ref: 00F6BB91
WideCharToMultiByte.KERNEL32(00000000,?,0100121C,000000FF,?,0000003F,?,?), ref: 00F6BC09
WideCharToMultiByte.KERNEL32(00000000,?,01001270,000000FF,?,0000003F,?,?,?,0100121C,000000FF,?,0000003F,?,?), ref: 00F6BC36

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 3a3393a00e8615118f91c5e83397b1771ac243358cd2ee72d5b2f8c92ceaee43
Instruction ID: a760362af1c38ac17ff297b0b86d7cf4ed79384dc4f4143c063475f2ad4df88d
Opcode Fuzzy Hash: 3a3393a00e8615118f91c5e83397b1771ac243358cd2ee72d5b2f8c92ceaee43
Instruction Fuzzy Hash: 743125B1D04205EFCB22DF69CC8193DBBB8FF45360B14426AE090DB2A1C7319E90EB50

Function 00FACE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00FACE89
GetLastError.KERNEL32(?,00000000), ref: 00FACEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00FACEFE

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 9178ad57a408a5ecb3548ab1fa65db3e3bece15722e6f9493a136343ef9fafe0
Instruction ID: b600487fd7936f17155f0743db1ac62cf8d19f33793b144bb68377d82d91f49a
Opcode Fuzzy Hash: 9178ad57a408a5ecb3548ab1fa65db3e3bece15722e6f9493a136343ef9fafe0
Instruction Fuzzy Hash: 43219DB1900305AFEB20DF65C989BA677F8EF41364F10442EE646D2151EB74EE08EBE0

Function 00F98298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00F982AA

Strings

|, xrefs: 00F982DA
(, xrefs: 00F982F0

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 7b15840c823dc404f91f911aeb2c9398c87c033900f5900e88bd78b5886b8b55
Instruction ID: 0cdc97bb4d5d29443912151404a34bf28db9f072396bfb275a3c25cc152b1610
Opcode Fuzzy Hash: 7b15840c823dc404f91f911aeb2c9398c87c033900f5900e88bd78b5886b8b55
Instruction Fuzzy Hash: E6324575A007059FDB28CF59C480A6AB7F0FF48760B15C46EE49ADB3A1EB70E942DB40

Function 00FA5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FA5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00FA5D17
FindClose.KERNEL32(?), ref: 00FA5D5F

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: ed91b32ba8357fc8619851cacd35296df03f164f9a3ec1c01b54cd873e5ec3da
Instruction ID: f02920a7837386bc3212e0bf5300015ba264873835c4f688e01561c97bd87b0b
Opcode Fuzzy Hash: ed91b32ba8357fc8619851cacd35296df03f164f9a3ec1c01b54cd873e5ec3da
Instruction Fuzzy Hash: A6519AB5A046019FC714CF28C894E96B7E4FF4A324F14855DE99A8B3A2CB30ED05DF91

Function 00F62622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00F6271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00F62724
UnhandledExceptionFilter.KERNEL32(?), ref: 00F62731

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: cdf737d026b92135263f75efab4f4f6bcc9c507a7eb3e68a87698a4ad58b6377
Instruction ID: aa50f0e8ea0ae37ae49c27ff518e97c8f8771975117eb63e6f47ee331c601a5f
Opcode Fuzzy Hash: cdf737d026b92135263f75efab4f4f6bcc9c507a7eb3e68a87698a4ad58b6377
Instruction Fuzzy Hash: A131C474D0121C9BCB61DF64DD89BD8B7B8AF08310F5041EAE80CA7260EB349F859F84

Function 00FA51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FA51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00FA5238
SetErrorMode.KERNEL32(00000000), ref: 00FA52A1

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 6359fc18905a1f505a57147ead1fffdae33d494a7169f398c26ac87118af7034
Instruction ID: 25308d00f9d389e5db33958872251870396adf2caadd8542dde3d59c72c643cc
Opcode Fuzzy Hash: 6359fc18905a1f505a57147ead1fffdae33d494a7169f398c26ac87118af7034
Instruction Fuzzy Hash: E5313A75A00518DFDB00DF55D884EADBBB4FF49318F088099E809AB362DB35E856DBA0

Function 00F916C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00F4FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00F50668
Part of subcall function 00F4FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00F50685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F9170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F9173A
GetLastError.KERNEL32 ref: 00F9174A

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 97821d14503cc32ce119b547540ad195ac43feb3331fcbf774becb41f1472092
Instruction ID: 1d73f5e0a609695443ed52554b5a6938f32c067dc32830fb674ef069f4d237cc
Opcode Fuzzy Hash: 97821d14503cc32ce119b547540ad195ac43feb3331fcbf774becb41f1472092
Instruction Fuzzy Hash: 4011C4B2800309AFE7189F54DC86D6ABBB9FF44714B24852EE45A53241EB70BC419A60

Function 00F9D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00F9D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00F9D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00F9D650

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 1fa91a21925db4634610c38ed7c7f2d9a9150e5d9e9e3b1ef4d52b183993a902
Instruction ID: 82710b4f6cba75c2fae74ca30833235fc0d938af2c221553868c2f7bda83094f
Opcode Fuzzy Hash: 1fa91a21925db4634610c38ed7c7f2d9a9150e5d9e9e3b1ef4d52b183993a902
Instruction Fuzzy Hash: 66115E75E05228BFEB108F95ED45FAFBBBCEB45B60F108115F908E7290D6704A059BE1

Function 00F91663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00F9168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00F916A1
FreeSid.ADVAPI32(?), ref: 00F916B1

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 0529607bfb9d72f8595a7e4e500431417560792c2ffd438632801ec39053edff
Instruction ID: 203dfa4fc99da7a89ff49698e5287be191b9e1af6ca1893c29c269716ebed428
Opcode Fuzzy Hash: 0529607bfb9d72f8595a7e4e500431417560792c2ffd438632801ec39053edff
Instruction Fuzzy Hash: 19F0F471D9030DFBEF00DFE49D8AEAEBBBCFB08604F504565E901E2181E774AA449A94

Function 00F54CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00F628E9,?,00F54CBE,00F628E9,00FF88B8,0000000C,00F54E15,00F628E9,00000002,00000000,?,00F628E9), ref: 00F54D09
TerminateProcess.KERNEL32(00000000,?,00F54CBE,00F628E9,00FF88B8,0000000C,00F54E15,00F628E9,00000002,00000000,?,00F628E9), ref: 00F54D10
ExitProcess.KERNEL32 ref: 00F54D22

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 570357bd04352184225b5c1956ea6cc634ad48091d85f4c342d496ede00e59a4
Instruction ID: 8eed791bf6e56a8e43d58c724d6483611a38a1c6b5fa293ec39c1b3ceaf7f569
Opcode Fuzzy Hash: 570357bd04352184225b5c1956ea6cc634ad48091d85f4c342d496ede00e59a4
Instruction Fuzzy Hash: EFE0B631800148ABCF11AF54EE0AE583B79FB41796B144018FD098B122CB3AED86EA90

Function 00F8D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00F8D28C

Strings

X64, xrefs: 00F8D2A8

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 3fa63bfafea569ae8f68cd65697c7dec05111c013a0c5c4c7c9d7ecfd28ccd59
Instruction ID: 8affc8792f5aa33faeba8ff73963a464c8ab88c62b45b373dcb90dfedea52fe6
Opcode Fuzzy Hash: 3fa63bfafea569ae8f68cd65697c7dec05111c013a0c5c4c7c9d7ecfd28ccd59
Instruction Fuzzy Hash: 36D0CAB680112DEACB94DBA0EC89EDAB7BCBB04305F100292F50AE2040DB309648AF20

Function 00F5CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 53e11532cc5bffaa92608796a89bfb0d3eefd482cd5f151d3e5ad8e2eeb07810
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 92022D71E002199FDF14CFA9C8806ADBBF1EF48325F25816AD91AE7380D731AA45DBD0

Function 00FA68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FA6918
FindClose.KERNEL32(00000000), ref: 00FA6961

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 6e5a2ea2020aa0e1fa7b3ca92c6fd3114713f3c41d38b0dbf2c762599cf29d6f
Instruction ID: b440da97c987798acfe0d4217469125397ef1408ad72631ca1f5205f208f438f
Opcode Fuzzy Hash: 6e5a2ea2020aa0e1fa7b3ca92c6fd3114713f3c41d38b0dbf2c762599cf29d6f
Instruction Fuzzy Hash: 391190756042009FC710DF29D889A16BBE5FF89328F19C699E4698F6A2CB34EC05DBD1

Function 00FA37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00FB4891,?,?,00000035,?), ref: 00FA37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00FB4891,?,?,00000035,?), ref: 00FA37F4

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: e6fb443bbc6874027ea47ee164e6835f36383902ed750b087bc5e83f9d6b0f50
Instruction ID: 186bd173f8de30a037d8943a0a617b0de1436a2dbe76103e62f59a3658dbee96
Opcode Fuzzy Hash: e6fb443bbc6874027ea47ee164e6835f36383902ed750b087bc5e83f9d6b0f50
Instruction Fuzzy Hash: 2AF0E5B16083292AE72057669C4DFEB3AAEEFC5771F000165F50DD3281D9A09904D6F0

Function 00F9B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00F9B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00F9B270

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: f70912de191e22726b971de77cc032a313982c01ba9d507813fc5c2cb273f007
Instruction ID: 095445b84ff9a808050496ba57074bbc00f0a1a0cbfd93a5eada5d0fa99c56fa
Opcode Fuzzy Hash: f70912de191e22726b971de77cc032a313982c01ba9d507813fc5c2cb273f007
Instruction Fuzzy Hash: 6FF06D7180424DABEF058FA0C806BAE7BB0FF04305F00800AF955A6191C3798201AF94

Function 00F910BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F911FC), ref: 00F910D4
CloseHandle.KERNEL32(?,?,00F911FC), ref: 00F910E9

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: fab778ba468e582eef7dfeb3c54878eadc10911aff95ad5bfa567784fb0db6a0
Instruction ID: 94ef9995e96c1322fdc4169d3f848e2dc2477998fda235c94d9ee14a8570df20
Opcode Fuzzy Hash: fab778ba468e582eef7dfeb3c54878eadc10911aff95ad5bfa567784fb0db6a0
Instruction Fuzzy Hash: 3FE04F32404600AEF7252B11FD06E737BA9FB04320B14882DF8AA814B1DB626C90FB50

Function 00F3CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00F80C40

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 443b4785c68925d4647f3e324aba287fca2cc049b5089f5f7ade8a30ab294587
Instruction ID: 085123a96a1dbe96973f7ed86b3b036869eb82dbd4223379f0519aae45861312
Opcode Fuzzy Hash: 443b4785c68925d4647f3e324aba287fca2cc049b5089f5f7ade8a30ab294587
Instruction Fuzzy Hash: B832BE35D00218DBCF14EF94C885BEDB7B5BF05324F548059E806BB292DB79AD49EBA0

Function 00F6676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00F66766,?,?,00000008,?,?,00F6FEFE,00000000), ref: 00F66998

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 59df2218c0b081d387816f73ea2a629e1059bff8c75c314c7d54a755f44f353c
Instruction ID: 00b12ad79de2b50be961b6d601fee8a84e142033f36bbb95643e2300e9ddfcd6
Opcode Fuzzy Hash: 59df2218c0b081d387816f73ea2a629e1059bff8c75c314c7d54a755f44f353c
Instruction Fuzzy Hash: 14B12B32A10609DFD719CF28C48AB657BE0FF45364F298658E899CF2A2C735E991DB40

Function 00F4B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00F8851F

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 270566680d017628e8b518a002b3efb9227ba676a96b725a6ba5dfd5d088e012
Instruction ID: fb80c71abb233f13bcbf9e7b15aaaec826656c41d927b7e4368a4d5a816650f7
Opcode Fuzzy Hash: 270566680d017628e8b518a002b3efb9227ba676a96b725a6ba5dfd5d088e012
Instruction Fuzzy Hash: B8126071D002299BDB14DF58C8817EEBBB5FF48710F54819AE849EB252DB349E81EB90

Function 00FAEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00FAEABD

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: fef0bc0a11e18e4d4922d2d1ba156fe79f57e3f94747abed20775f4fcd4e0406
Instruction ID: a11397f7d31d0ebb43f08428c9c3635026f12abedef3f44a0f0e21c70bb6e7b2
Opcode Fuzzy Hash: fef0bc0a11e18e4d4922d2d1ba156fe79f57e3f94747abed20775f4fcd4e0406
Instruction Fuzzy Hash: 59E04F762002049FC710EF69D805E9AF7E9AF99770F00841AFD49DB351DB74EC40ABA0

Function 00F509D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00F503EE), ref: 00F509DA

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5157a7beacb02eb715061046f38e2089e4fe336aa7a375b2a62594e3bcb19a7e
Instruction ID: fada75bd749f0a14cee2ba4346b6865cfc1e244b74d9559c94e70a1662f1b379
Opcode Fuzzy Hash: 5157a7beacb02eb715061046f38e2089e4fe336aa7a375b2a62594e3bcb19a7e
Instruction Fuzzy Hash:

Function 00F5781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00F5798B

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 7ca8006ddbb72bebf824a7218cef32f4ebfdd5efc998caa8230a32d7101dde20
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 68516A72E0CB055BDB387528A85D7BF63859B12363F280509DF82D7692C619DE0EF361

Function 00F66DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b7a73798764c0114fbf470992fa2e2ad1ec736c6baf2f5ad112361ec32afb16
Instruction ID: 9ce41943db2bb6b3d906f9ecbe0288824c9628d047b7a2ade852174bd5917f8d
Opcode Fuzzy Hash: 4b7a73798764c0114fbf470992fa2e2ad1ec736c6baf2f5ad112361ec32afb16
Instruction Fuzzy Hash: 88324622D2AF414DD723A634CC22335634AAFB73D9F14C737F81AB59A5EB29C4836140

Function 00F4CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c02b9e24f49f6ad4655dc17f9fad17ea7c3f4830a75a66fb7b8cf8e57729b02
Instruction ID: 753009225e8c38a4174f339edfc0fc9569c3eb96040b52d9fb67618baa161ac5
Opcode Fuzzy Hash: 4c02b9e24f49f6ad4655dc17f9fad17ea7c3f4830a75a66fb7b8cf8e57729b02
Instruction Fuzzy Hash: 7D320832E001558BDF28EF29C4D46FD7BA1EF45320F28856ADA599B291D234DD81FBE0

Function 00F37920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1188b48095a723a4ed2169ec1c5da22aa675c6d2bd8c149badacdce2e43ff127
Instruction ID: e6a708b933df47b1ada736e8f6e7ce9b65109f61f0685da2893a61080ac4c913
Opcode Fuzzy Hash: 1188b48095a723a4ed2169ec1c5da22aa675c6d2bd8c149badacdce2e43ff127
Instruction Fuzzy Hash: CF22E2B0E0460ADFDF14DF64C841BAEB7B5FF44320F208129E816A7291EB79AD14EB51

Function 00F391C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9795e63b79a3a17afa1c42f1189462337f0752d276f2f14b44d987f062c983ea
Instruction ID: 5feda049f2ab20929efd7eed60457e27b45a77e5447ca5741f2b497885658801
Opcode Fuzzy Hash: 9795e63b79a3a17afa1c42f1189462337f0752d276f2f14b44d987f062c983ea
Instruction Fuzzy Hash: E302C9B1E00109EBDF05DF54D841AAEBBB5FF48310F10816AE81A9B291EB75ED14EB91

Function 00F69EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 183b1a66db54233ae572f645c5f14f8257c2ede333676d8de1ca35153c6a171a
Instruction ID: c8d02267ac7aa0af9556d7be5a6ae5c0a6aa267f864302ac815fdca454af1fee
Opcode Fuzzy Hash: 183b1a66db54233ae572f645c5f14f8257c2ede333676d8de1ca35153c6a171a
Instruction Fuzzy Hash: 25B11120E2AF444DD32396398931336B75DAFBB2D5F92D31BFC2674D22EB2286835141

Function 00F51C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 8cab826f732e3b511f41c46b7e0c8a15c8c6172b9a10cb92c4d75a7c111c9462
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: A29177339080A34ADB294639853567EFFF16A523B371A079DDDF2CA1C1EE10A95CF620

Function 00F519B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 9a22468c55fccbea025610127bad335e4c079c62c04e1f49bf4afe5371d5a7ea
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 759177736090A349DB2E427A857427DFFE16A923B331A079DD9F2CA1C1FD14A55CF620

Function 00F57A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb0caf91f67bcedb3ed14278e37c6a83261d41d4c8386aaa09e8710d298fe3e2
Instruction ID: a1a9275cb07d36afcc7641ca0b947f7ffcdc2762c2cbdbc294570726c008b332
Opcode Fuzzy Hash: fb0caf91f67bcedb3ed14278e37c6a83261d41d4c8386aaa09e8710d298fe3e2
Instruction Fuzzy Hash: 45617831A0870966DA34B928BC99BBE3384DF81363F140919EF43DB295DA199E4FB315

Function 00F57CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbbaa452d3aaa45e5720b6d1cc5760d33cddaecc180d5e0053b8748e02df844c
Instruction ID: f5d9c42dea02fc2af633262cefb09e8eb07d5e54e33c8bb89093d969778b7b00
Opcode Fuzzy Hash: dbbaa452d3aaa45e5720b6d1cc5760d33cddaecc180d5e0053b8748e02df844c
Instruction Fuzzy Hash: 88619B31E0870957DA3879287C56BBF33A89F41763F100959EF43DB281EA16AD4FB251

Function 00F51706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 52ced95e8dffbc645951d4de2489d1e0430ec2f7b9a9ebba00e7f7988bb47f9d
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: D48156739090A309DB69423D853467EFFE17A923B371A079DD9F2CA1C1EE14A55CF620

Function 00FA2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d0f79772ac88e6f2a3c1afb829d6d1061d357a38b5b19be355ecb2ba845e236
Instruction ID: 96f9727f363dc6c91deba2dc8c13041258782de077c4565a6ccaca3bdb7c763c
Opcode Fuzzy Hash: 4d0f79772ac88e6f2a3c1afb829d6d1061d357a38b5b19be355ecb2ba845e236
Instruction Fuzzy Hash: 6621B7727206118BD728CF79C92367E73E5AB54320F15862EE4A7C37C5DE7AA904DB80

Function 00FB2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00FB2B30
DeleteObject.GDI32(00000000), ref: 00FB2B43
DestroyWindow.USER32 ref: 00FB2B52
GetDesktopWindow.USER32 ref: 00FB2B6D
GetWindowRect.USER32(00000000), ref: 00FB2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00FB2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00FB2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FB2CF8
GetClientRect.USER32(00000000,?), ref: 00FB2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00FB2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FB2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FB2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FB2D80
GlobalLock.KERNEL32(00000000), ref: 00FB2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FB2D98
GlobalUnlock.KERNEL32(00000000), ref: 00FB2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FB2DA8
GlobalFree.KERNEL32(00000000), ref: 00FB2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FB2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00FCFC38,00000000), ref: 00FB2DDB
GlobalFree.KERNEL32(00000000), ref: 00FB2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00FB2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00FB2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FB2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FB303F

Strings

static, xrefs: 00FB2D3A, 00FB2E91
DISPLAY, xrefs: 00FB2EA2
AutoIt v3, xrefs: 00FB2CF2
, xrefs: 00FB2FC5

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 10556a92cca5b9ff756b9c5180eb3d51d234f9f5011ae7c713ead71d3e318f4d
Instruction ID: e1cdc61f8c6ca3d39b99cba0674b06e384a9396d30d75ffe4e17439e92ca3be4
Opcode Fuzzy Hash: 10556a92cca5b9ff756b9c5180eb3d51d234f9f5011ae7c713ead71d3e318f4d
Instruction Fuzzy Hash: A2025071900209AFDB14DF65CD89EAE7BB9EF48720F048558F919AB2A1CB74DD01EF60

Function 00FC70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00FC712F
GetSysColorBrush.USER32(0000000F), ref: 00FC7160
GetSysColor.USER32(0000000F), ref: 00FC716C
SetBkColor.GDI32(?,000000FF), ref: 00FC7186
SelectObject.GDI32(?,?), ref: 00FC7195
InflateRect.USER32(?,000000FF,000000FF), ref: 00FC71C0
GetSysColor.USER32(00000010), ref: 00FC71C8
CreateSolidBrush.GDI32(00000000), ref: 00FC71CF
FrameRect.USER32(?,?,00000000), ref: 00FC71DE
DeleteObject.GDI32(00000000), ref: 00FC71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00FC7230
FillRect.USER32(?,?,?), ref: 00FC7262
GetWindowLongW.USER32(?,000000F0), ref: 00FC7284

Part of subcall function 00FC73E8: GetSysColor.USER32(00000012), ref: 00FC7421
Part of subcall function 00FC73E8: SetTextColor.GDI32(?,?), ref: 00FC7425
Part of subcall function 00FC73E8: GetSysColorBrush.USER32(0000000F), ref: 00FC743B
Part of subcall function 00FC73E8: GetSysColor.USER32(0000000F), ref: 00FC7446
Part of subcall function 00FC73E8: GetSysColor.USER32(00000011), ref: 00FC7463
Part of subcall function 00FC73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FC7471
Part of subcall function 00FC73E8: SelectObject.GDI32(?,00000000), ref: 00FC7482
Part of subcall function 00FC73E8: SetBkColor.GDI32(?,00000000), ref: 00FC748B
Part of subcall function 00FC73E8: SelectObject.GDI32(?,?), ref: 00FC7498
Part of subcall function 00FC73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00FC74B7
Part of subcall function 00FC73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FC74CE
Part of subcall function 00FC73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00FC74DB

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: f34165a8d8f1675bb216d87a527b27ab569a3855bf8c20153b2f1c670bd8f119
Instruction ID: e55dcfcc280f93c5d21d12e0eeacc1eedb1c538e374d915b2179c4cbf6ad0353
Opcode Fuzzy Hash: f34165a8d8f1675bb216d87a527b27ab569a3855bf8c20153b2f1c670bd8f119
Instruction Fuzzy Hash: ACA1AE72408306AFD700AF60DE4AF5B7BA9FB89320F140A19F966971E1D731E944EF91

Function 00F48D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00F48E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00F86AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00F86AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00F86F43

Part of subcall function 00F48F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F48BE8,?,00000000,?,?,?,?,00F48BBA,00000000,?), ref: 00F48FC5

SendMessageW.USER32(?,00001053), ref: 00F86F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00F86F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00F86FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00F86FB7

Strings

0, xrefs: 00F86DCF

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: b6a49ede93b3c7fe607014f88b787c4917c13d1245d6b083e9ae1158801c304d
Instruction ID: feb7b183bce0b994a37ca0324ea98b18cc397280fc53e756ba12c4c4774e179e
Opcode Fuzzy Hash: b6a49ede93b3c7fe607014f88b787c4917c13d1245d6b083e9ae1158801c304d
Instruction Fuzzy Hash: 4912AD31A00201EFDB25EF14C945BEABBE5FB45320F144469F999CB251CB36EC92EB91

Function 00FB2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00FB273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00FB286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00FB28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00FB28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00FB2900
GetClientRect.USER32(00000000,?), ref: 00FB290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00FB2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00FB2964
GetStockObject.GDI32(00000011), ref: 00FB2974
SelectObject.GDI32(00000000,00000000), ref: 00FB2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00FB2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FB2991
DeleteDC.GDI32(00000000), ref: 00FB299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00FB29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00FB29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00FB2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00FB2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00FB2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00FB2A77
GetStockObject.GDI32(00000011), ref: 00FB2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00FB2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00FB2A97

Strings

static, xrefs: 00FB294F, 00FB2A71
DISPLAY, xrefs: 00FB295A
AutoIt v3, xrefs: 00FB28F8
msctls_progress32, xrefs: 00FB2A13

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: a19e29bf816f70cb41ff88a3ea916a11489904107cca888bc437343128d78804
Instruction ID: e1c11f037eb9c8d5df01b31244f52ecb49b458781bd7aaed6b9c39d3f5754524
Opcode Fuzzy Hash: a19e29bf816f70cb41ff88a3ea916a11489904107cca888bc437343128d78804
Instruction Fuzzy Hash: 21B16FB1A00209AFEB24DF69CD4AFAE7BA9EB48710F148115F914E72D0DB74ED40DB94

Function 00FA4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FA4AED
GetDriveTypeW.KERNEL32(?,00FCCB68,?,\\.\,00FCCC08), ref: 00FA4BCA
SetErrorMode.KERNEL32(00000000,00FCCB68,?,\\.\,00FCCC08), ref: 00FA4D36

Strings

SCSI, xrefs: 00FA4C8A
SAS, xrefs: 00FA4CC9
1394, xrefs: 00FA4C9F
Unknown, xrefs: 00FA4BED, 00FA4C83
SSD, xrefs: 00FA4C4A
RAMDisk, xrefs: 00FA4BF4
\\.\, xrefs: 00FA4B3F
FileBackedVirtual, xrefs: 00FA4CEC
iSCSI, xrefs: 00FA4CC2
Virtual, xrefs: 00FA4CE5
ATA, xrefs: 00FA4C98
Fixed, xrefs: 00FA4C09
MMC, xrefs: 00FA4CDE
USB, xrefs: 00FA4CB4
Fibre, xrefs: 00FA4CAD
Network, xrefs: 00FA4C02
RAID, xrefs: 00FA4CBB
Removable, xrefs: 00FA4C10, 00FA4C15
SSA, xrefs: 00FA4CA6
ATAPI, xrefs: 00FA4C91
CDROM, xrefs: 00FA4BFB
PhysicalDrive, xrefs: 00FA4B76
SATA, xrefs: 00FA4CD0

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: ec71fc57c768452d7dbef71e11587e7680cdf96e33d4e9b3882fed144ccbd1c0
Instruction ID: cb75527d09e51b625944fd92ccccae06e69da24c196a3c73379e7f64bd76f09f
Opcode Fuzzy Hash: ec71fc57c768452d7dbef71e11587e7680cdf96e33d4e9b3882fed144ccbd1c0
Instruction Fuzzy Hash: 8B61A7B160520A9BCB04DF14CA81A7C77B0AF86760B244415F90AEB6A1DFF5FD41FB52

Function 00FC73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00FC7421
SetTextColor.GDI32(?,?), ref: 00FC7425
GetSysColorBrush.USER32(0000000F), ref: 00FC743B
GetSysColor.USER32(0000000F), ref: 00FC7446
CreateSolidBrush.GDI32(?), ref: 00FC744B
GetSysColor.USER32(00000011), ref: 00FC7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FC7471
SelectObject.GDI32(?,00000000), ref: 00FC7482
SetBkColor.GDI32(?,00000000), ref: 00FC748B
SelectObject.GDI32(?,?), ref: 00FC7498
InflateRect.USER32(?,000000FF,000000FF), ref: 00FC74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FC74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00FC74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FC752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00FC7554
InflateRect.USER32(?,000000FD,000000FD), ref: 00FC7572
DrawFocusRect.USER32(?,?), ref: 00FC757D
GetSysColor.USER32(00000011), ref: 00FC758E
SetTextColor.GDI32(?,00000000), ref: 00FC7596
DrawTextW.USER32(?,00FC70F5,000000FF,?,00000000), ref: 00FC75A8
SelectObject.GDI32(?,?), ref: 00FC75BF
DeleteObject.GDI32(?), ref: 00FC75CA
SelectObject.GDI32(?,?), ref: 00FC75D0
DeleteObject.GDI32(?), ref: 00FC75D5
SetTextColor.GDI32(?,?), ref: 00FC75DB
SetBkColor.GDI32(?,?), ref: 00FC75E5

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 7fb9c02e331808835c349958a91fca3a7893dc4e895b92574bcda791b6d85e65
Instruction ID: e908876455d3fc1e72ba01ed9b9b6e6050f07d05821e18987fedec8a2a1730a6
Opcode Fuzzy Hash: 7fb9c02e331808835c349958a91fca3a7893dc4e895b92574bcda791b6d85e65
Instruction Fuzzy Hash: AC617D72D00219AFDF009FA4DD4AEEEBFB9EB08320F144515F919AB2A1D7719940EF90

Function 00FC0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00FC1128
GetDesktopWindow.USER32 ref: 00FC113D
GetWindowRect.USER32(00000000), ref: 00FC1144
GetWindowLongW.USER32(?,000000F0), ref: 00FC1199
DestroyWindow.USER32(?), ref: 00FC11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00FC11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FC120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00FC121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00FC1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00FC1245
IsWindowVisible.USER32(00000000), ref: 00FC12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00FC12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00FC12D0
GetWindowRect.USER32(00000000,?), ref: 00FC12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00FC130E
GetMonitorInfoW.USER32(00000000,?), ref: 00FC1328
CopyRect.USER32(?,?), ref: 00FC133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00FC13AA

Strings

tooltips_class32, xrefs: 00FC11E6
(, xrefs: 00FC131B
0, xrefs: 00FC10D3

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: a4f9cdc81bda229b62aa4df36acd3fa0a26d646c16bde4ecd2eba6672ba65050
Instruction ID: 8d3d0e814b6086cbe759c3f6f430da6540a252a9311d5c9846af09a7c2a4031d
Opcode Fuzzy Hash: a4f9cdc81bda229b62aa4df36acd3fa0a26d646c16bde4ecd2eba6672ba65050
Instruction Fuzzy Hash: C6B1AE71A08341AFD700DF64CA86F6ABBE4FF85314F00891CF9999B262C771E854EB91

Function 00F90D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F91114
Part of subcall function 00F910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00F90B9B,?,?,?), ref: 00F91120
Part of subcall function 00F910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00F90B9B,?,?,?), ref: 00F9112F
Part of subcall function 00F910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00F90B9B,?,?,?), ref: 00F91136
Part of subcall function 00F910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F9114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F90DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F90E29
GetLengthSid.ADVAPI32(?), ref: 00F90E40
GetAce.ADVAPI32(?,00000000,?), ref: 00F90E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F90E96
GetLengthSid.ADVAPI32(?), ref: 00F90EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00F90EB5
HeapAlloc.KERNEL32(00000000), ref: 00F90EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F90EDD
CopySid.ADVAPI32(00000000), ref: 00F90EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F90F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F90F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F90F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F90F6E
HeapFree.KERNEL32(00000000), ref: 00F90F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F90F7E
HeapFree.KERNEL32(00000000), ref: 00F90F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F90F8E
HeapFree.KERNEL32(00000000), ref: 00F90F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00F90FA1
HeapFree.KERNEL32(00000000), ref: 00F90FA8

Part of subcall function 00F91193: GetProcessHeap.KERNEL32(00000008,00F90BB1,?,00000000,?,00F90BB1,?), ref: 00F911A1
Part of subcall function 00F91193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00F90BB1,?), ref: 00F911A8
Part of subcall function 00F91193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00F90BB1,?), ref: 00F911B7

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 9eb9af8f8a8ade3411cb128ef6c4ce60af3fd81f638c43bb7b7f3c399ce58ce7
Instruction ID: a3fc36f41eb12a3c7a06c85312fe3eab98b7e6b9081018f0dc024f2268bb5177
Opcode Fuzzy Hash: 9eb9af8f8a8ade3411cb128ef6c4ce60af3fd81f638c43bb7b7f3c399ce58ce7
Instruction Fuzzy Hash: 6D714B7290020AAFEF209FA5DD45FAEBBB8FF04314F044125F919E7191DB319A05EBA0

Function 00FBC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FBC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00FCCC08,00000000,?,00000000,?,?), ref: 00FBC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00FBC5A4
_wcslen.LIBCMT ref: 00FBC5F4
_wcslen.LIBCMT ref: 00FBC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00FBC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00FBC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00FBC84D
RegCloseKey.ADVAPI32(?), ref: 00FBC881
RegCloseKey.ADVAPI32(00000000), ref: 00FBC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00FBC960

Strings

REG_BINARY, xrefs: 00FBC913
REG_QWORD, xrefs: 00FBC8C3
REG_MULTI_SZ, xrefs: 00FBC6F5
REG_EXPAND_SZ, xrefs: 00FBC5CD
REG_DWORD, xrefs: 00FBC804
REG_SZ, xrefs: 00FBC644

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 96eedef4973d4ae16283020d223522a62980cf3dff60448b9e4eb3d6c09719a9
Instruction ID: cbaabcb3d7b0f250eef16801d0df621c554b431f794cc139e4fc665506da5669
Opcode Fuzzy Hash: 96eedef4973d4ae16283020d223522a62980cf3dff60448b9e4eb3d6c09719a9
Instruction Fuzzy Hash: FD126B756042019FDB14DF15C881A6AB7E5EF88724F18885CF88A9B3A2DB35FD41EF81

Function 00FC091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00FC09C6
_wcslen.LIBCMT ref: 00FC0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FC0A54
_wcslen.LIBCMT ref: 00FC0A8A
_wcslen.LIBCMT ref: 00FC0B06
_wcslen.LIBCMT ref: 00FC0B81

Part of subcall function 00F4F9F2: _wcslen.LIBCMT ref: 00F4F9FD

Part of subcall function 00F92BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F92BFA

Strings

EXPAND, xrefs: 00FC0BF8
GETTOTALCOUNT, xrefs: 00FC09F2, 00FC0A17
ISCHECKED, xrefs: 00FC0CE1
SELECT, xrefs: 00FC0D11
EXISTS, xrefs: 00FC0B7C, 00FC0B97
COLLAPSE, xrefs: 00FC0B01, 00FC0B1C
GETTEXT, xrefs: 00FC0C97
UNCHECK, xrefs: 00FC0D3E
GETSELECTED, xrefs: 00FC0C4E
CHECK, xrefs: 00FC0A85, 00FC0AA0
GETITEMCOUNT, xrefs: 00FC0C1E

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: b507728c92a0df4dec8a9752b92f6054985f83a105e5eb2f11d4e3963b9509a6
Instruction ID: d6c15008b1e6e7a526085bd417a93c92bfcce61d72bb9921094873e5e486ca1a
Opcode Fuzzy Hash: b507728c92a0df4dec8a9752b92f6054985f83a105e5eb2f11d4e3963b9509a6
Instruction Fuzzy Hash: 2FE18E36608302DFCB14EF24C951A2AB7E1BF94324F14495CF89697362DB35ED46EB81

Function 00FBC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FBB6AE,?,?), ref: 00FBC9B5
_wcslen.LIBCMT ref: 00FBC9F1
_wcslen.LIBCMT ref: 00FBCA68
_wcslen.LIBCMT ref: 00FBCA9E
_wcslen.LIBCMT ref: 00FBCAF9
_wcslen.LIBCMT ref: 00FBCB2F
_wcslen.LIBCMT ref: 00FBCB7F

Strings

HKEY_CLASSES_ROOT, xrefs: 00FBCAF3, 00FBCAF8
HKU, xrefs: 00FBCBF0
HKCU, xrefs: 00FBCBCE
HKLM, xrefs: 00FBCA98, 00FBCA9D
HKCR, xrefs: 00FBCB29, 00FBCB2E
HKEY_CURRENT_USER, xrefs: 00FBCBBD
HKEY_LOCAL_MACHINE, xrefs: 00FBCA62, 00FBCA67
HKEY_USERS, xrefs: 00FBCBDF
HKCC, xrefs: 00FBCBAC
HKEY_CURRENT_CONFIG, xrefs: 00FBCB79, 00FBCB7E

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 3e560894d8cf7475ee522e759cb1c04aceef3457eace07187ae319e30fe60b87
Instruction ID: 9cb8c3907a784f9755f8d602f05838abea83baee2ba9340d4f213dfc1b599ed6
Opcode Fuzzy Hash: 3e560894d8cf7475ee522e759cb1c04aceef3457eace07187ae319e30fe60b87
Instruction Fuzzy Hash: 85710533A0016A8BCB20EE2ACC516FF37959FA0774B214128FC559B295E638CD44BBE0

Function 00FC833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FC835A
_wcslen.LIBCMT ref: 00FC836E
_wcslen.LIBCMT ref: 00FC8391
_wcslen.LIBCMT ref: 00FC83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00FC83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032), ref: 00FC844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FC8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00FC84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FC8501
FreeLibrary.KERNEL32(?), ref: 00FC850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00FC851D
DestroyIcon.USER32(?), ref: 00FC852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00FC8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00FC8555

Strings

.icl, xrefs: 00FC8368
.exe, xrefs: 00FC8388
.dll, xrefs: 00FC83AB

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: dc9cdc1252d02316bd7191c25e36761a1ebc75c1c6325182a25932f5d8d9a501
Instruction ID: 380161ba1c99d7085f43142495bf64f78b0e59c7a85f9f97196aeb4be1537fe6
Opcode Fuzzy Hash: dc9cdc1252d02316bd7191c25e36761a1ebc75c1c6325182a25932f5d8d9a501
Instruction Fuzzy Hash: 6A61D17194021ABAEB18DF64CD42FFE77A8BF04761F10450AF915D70D1DBB4A981EBA0

Function 00F37778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-end, xrefs: 00F378D9
#pragma compile, xrefs: 00F377D3
#comments-start, xrefs: 00F3785F, 00F378B1
Bad directive syntax error, xrefs: 00F7519A
", xrefs: 00F75153
', xrefs: 00F75169
#OnAutoItStartRegister, xrefs: 00F37817
Unterminated group of comments, xrefs: 00F7528C
#cs, xrefs: 00F37873, 00F378C5
#include-once, xrefs: 00F3782F
#ce, xrefs: 00F378ED
#notrayicon, xrefs: 00F377E7
#include, xrefs: 00F37847
Cannot parse #include, xrefs: 00F75279
#requireadmin, xrefs: 00F377FF

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 9a0b826e17f618b6c92d42264236fc5a61e51ba56115fed22e0bc5216470af55
Instruction ID: a84ec6fc7c7f0fe7d6a197115242a1aa9e2640a9afead965ab15f28e706ab996
Opcode Fuzzy Hash: 9a0b826e17f618b6c92d42264236fc5a61e51ba56115fed22e0bc5216470af55
Instruction Fuzzy Hash: E481F8B1A04305BBDB20BF60CC43FAE7BA4AF14760F044025FD09AA192EBB4D915F792

Function 00FA3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00FA3EF8
_wcslen.LIBCMT ref: 00FA3F03
_wcslen.LIBCMT ref: 00FA3F5A
_wcslen.LIBCMT ref: 00FA3F98
GetDriveTypeW.KERNEL32(?), ref: 00FA3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FA401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FA4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FA4087

Strings

close, xrefs: 00FA3EFE, 00FA3F18
wait, xrefs: 00FA4044
set cd door , xrefs: 00FA4028
type cdaudio alias cd wait, xrefs: 00FA4001
closed, xrefs: 00FA3F08, 00FA3F2D, 00FA3F46, 00FA3F7E, 00FA3F97
close cd wait, xrefs: 00FA4072
open, xrefs: 00FA3F54, 00FA3F59
open , xrefs: 00FA3FE5

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 6defe51fbd53e519bb3fdb4e5f63c059c12814f394984a62d3d35c73ed84c1e8
Instruction ID: c1e972f4b3355ca5a41505009d972899e98cad9da24b62c9972ac018f5b6740f
Opcode Fuzzy Hash: 6defe51fbd53e519bb3fdb4e5f63c059c12814f394984a62d3d35c73ed84c1e8
Instruction Fuzzy Hash: 2771F1B2A042059FC310EF34C88186AB7F4EF95768F10892DF996D7261EB34ED45EB91

Function 00F95A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00F95A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00F95A40
SetWindowTextW.USER32(?,?), ref: 00F95A57
GetDlgItem.USER32(?,000003EA), ref: 00F95A6C
SetWindowTextW.USER32(00000000,?), ref: 00F95A72
GetDlgItem.USER32(?,000003E9), ref: 00F95A82
SetWindowTextW.USER32(00000000,?), ref: 00F95A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00F95AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00F95AC3
GetWindowRect.USER32(?,?), ref: 00F95ACC
_wcslen.LIBCMT ref: 00F95B33
SetWindowTextW.USER32(?,?), ref: 00F95B6F
GetDesktopWindow.USER32 ref: 00F95B75
GetWindowRect.USER32(00000000), ref: 00F95B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00F95BD3
GetClientRect.USER32(?,?), ref: 00F95BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00F95C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00F95C2F

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: bd7d5e7c448d1f2d2df73926b493b9dafa9c9a56abdd9347780085d896dad067
Instruction ID: be1150821d3602bda9881e389f3f206f8de8891c4aad724cbc3feafdc4c5ba96
Opcode Fuzzy Hash: bd7d5e7c448d1f2d2df73926b493b9dafa9c9a56abdd9347780085d896dad067
Instruction Fuzzy Hash: AB717D31900A099FEB21DFA8CE86E6EBBF5FF48B14F104518E586A35A0D775E940EB50

Function 00FAFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00FAFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00FAFE32
LoadCursorW.USER32(00000000,00007F00), ref: 00FAFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00FAFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00FAFE53
LoadCursorW.USER32(00000000,00007F01), ref: 00FAFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00FAFE69
LoadCursorW.USER32(00000000,00007F88), ref: 00FAFE74
LoadCursorW.USER32(00000000,00007F80), ref: 00FAFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00FAFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00FAFE95
LoadCursorW.USER32(00000000,00007F85), ref: 00FAFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00FAFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00FAFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00FAFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00FAFECC
GetCursorInfo.USER32(?), ref: 00FAFEDC
GetLastError.KERNEL32 ref: 00FAFF1E

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 505ed4a2adf25ca910e8f29a05ddae1dac348ad8dac4d39909af35960b9684eb
Instruction ID: e8e5c6ac02071980a931e482eeb162708c007547ec666296f0dfbfd7e29a6485
Opcode Fuzzy Hash: 505ed4a2adf25ca910e8f29a05ddae1dac348ad8dac4d39909af35960b9684eb
Instruction Fuzzy Hash: 0A4153B0D043196FDB109FBA8C85C5EBFE8FF05364B50462AE11DEB281DB7899019F91

Function 00F500C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00F500C6

Part of subcall function 00F500ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0100070C,00000FA0,6D004D92,?,?,?,?,00F723B3,000000FF), ref: 00F5011C
Part of subcall function 00F500ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00F723B3,000000FF), ref: 00F50127
Part of subcall function 00F500ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00F723B3,000000FF), ref: 00F50138
Part of subcall function 00F500ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00F5014E
Part of subcall function 00F500ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00F5015C
Part of subcall function 00F500ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00F5016A
Part of subcall function 00F500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F50195
Part of subcall function 00F500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F501A0

___scrt_fastfail.LIBCMT ref: 00F500E7

Part of subcall function 00F500A3: __onexit.LIBCMT ref: 00F500A9

Strings

SleepConditionVariableCS, xrefs: 00F50154
kernel32.dll, xrefs: 00F50133
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00F50122
WakeAllConditionVariable, xrefs: 00F50162
InitializeConditionVariable, xrefs: 00F50148

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 4acd2b02cc7a8bb834b82a4c6a113fc258165372590a0722b089bb0c404f1184
Instruction ID: d0c265db2c2697ad45573fbd77fc5cff02eba1a9d7faa3c91d59fd085d86330f
Opcode Fuzzy Hash: 4acd2b02cc7a8bb834b82a4c6a113fc258165372590a0722b089bb0c404f1184
Instruction Fuzzy Hash: 54212932E40B156BE7215B64AD07F6A7794EB04B62F04013AFD0A972C1DF788808BAD2

Function 00F930F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F9318D
_wcslen.LIBCMT ref: 00F931F8

Strings

INSTANCE, xrefs: 00F93453
REGEXPCLASS, xrefs: 00F93255, 00F93266
CLASSNN, xrefs: 00F931F3, 00F93204
CLASS, xrefs: 00F93188, 00F931A5
TEXT, xrefs: 00F9347C
NAME, xrefs: 00F93335, 00F93346

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 213b8210681e746af9b23e2ccd1a06c955995ec56b88f0f262deb1af20cf1307
Instruction ID: 2fde87fc10329123395a966cb27b32b83a89e27edbe8fc7a558f10eb5729715f
Opcode Fuzzy Hash: 213b8210681e746af9b23e2ccd1a06c955995ec56b88f0f262deb1af20cf1307
Instruction Fuzzy Hash: F1E1E532E00516ABDF18DFA8C841BFDBBB0BF44720F558119E956E7250DB30AE89B790

Function 00FA44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00FCCC08), ref: 00FA4527
_wcslen.LIBCMT ref: 00FA453B
_wcslen.LIBCMT ref: 00FA4599
_wcslen.LIBCMT ref: 00FA45F4
_wcslen.LIBCMT ref: 00FA463F
_wcslen.LIBCMT ref: 00FA46A7

Part of subcall function 00F4F9F2: _wcslen.LIBCMT ref: 00F4F9FD

GetDriveTypeW.KERNEL32(?,00FF6BF0,00000061), ref: 00FA4743

Strings

fixed, xrefs: 00FA4635, 00FA463A
removable, xrefs: 00FA45EA, 00FA45EF
cdrom, xrefs: 00FA458F, 00FA4594
unknown, xrefs: 00FA4708
network, xrefs: 00FA469D, 00FA46A2
all, xrefs: 00FA4531, 00FA4536
ramdisk, xrefs: 00FA46F1

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 1e8c691230f5e28235f2dbe1093497a327eac7fd65c8cb68caf52e857a148589
Instruction ID: 8debabd50ec9d430ac24d090e94d07a30bd45bf3e8f557fd2b3600ef20f4a8a9
Opcode Fuzzy Hash: 1e8c691230f5e28235f2dbe1093497a327eac7fd65c8cb68caf52e857a148589
Instruction Fuzzy Hash: DEB1F3B1A083029FC710DF28C891A6AB7E5AFD6720F50491DF596C7291D7B4E844EB52

Function 00FBAFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FBB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FBB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FBB1D4
_wcslen.LIBCMT ref: 00FBB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FBB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FBB236
_wcslen.LIBCMT ref: 00FBB332

Part of subcall function 00FA05A7: GetStdHandle.KERNEL32(000000F6), ref: 00FA05C6

_wcslen.LIBCMT ref: 00FBB34B
_wcslen.LIBCMT ref: 00FBB366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FBB3B6
GetLastError.KERNEL32(00000000), ref: 00FBB407
CloseHandle.KERNEL32(?), ref: 00FBB439
CloseHandle.KERNEL32(00000000), ref: 00FBB44A
CloseHandle.KERNEL32(00000000), ref: 00FBB45C
CloseHandle.KERNEL32(00000000), ref: 00FBB46E
CloseHandle.KERNEL32(?), ref: 00FBB4E3

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: b960a38c2ae9494decaa987e98d6a56c6189259855bda8eb3e2d130c8409fa75
Instruction ID: 6ab12c387c357484ad5410bcbe329366d93a58aa8c4e0962813b340e5e65857e
Opcode Fuzzy Hash: b960a38c2ae9494decaa987e98d6a56c6189259855bda8eb3e2d130c8409fa75
Instruction Fuzzy Hash: 10F19F719083409FC714EF25C891B6EBBE1AF85324F18855DF8998B2A2CB75EC44EF52

Function 00FB3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00FCCC08), ref: 00FB40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00FB40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00FCCC08), ref: 00FB40F2
FreeLibrary.KERNEL32(00000000,?,00FCCC08), ref: 00FB413E
StringFromGUID2.OLE32(?,?,00000028,?,00FCCC08), ref: 00FB41A8
SysFreeString.OLEAUT32(00000009), ref: 00FB4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00FB42C8
SysFreeString.OLEAUT32(?), ref: 00FB42F2

Strings

kernel32.dll, xrefs: 00FB40B6
GetModuleHandleExW, xrefs: 00FB40C7

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 497ef0101a77e3297b6811868fce23313b6cc535d0c727b527dad5ec2af79d09
Instruction ID: 59587c4ee8c120b881d554fde51683c10f44e456e8ae9788f19254292173befd
Opcode Fuzzy Hash: 497ef0101a77e3297b6811868fce23313b6cc535d0c727b527dad5ec2af79d09
Instruction Fuzzy Hash: F7125A75A00109EFDB14DF95C984EAEBBB5FF45314F288098E9099B252C731ED42EFA0

Function 00F3326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(01001990), ref: 00F72F8D
GetMenuItemCount.USER32(01001990), ref: 00F7303D
GetCursorPos.USER32(?), ref: 00F73081
SetForegroundWindow.USER32(00000000), ref: 00F7308A
TrackPopupMenuEx.USER32(01001990,00000000,?,00000000,00000000,00000000), ref: 00F7309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00F730A9

Strings

0, xrefs: 00F3327D

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 43a558747d1c2ee681dc8f5b95c07c3af6e9b92d28e4f3c8e645572bf0f688b4
Instruction ID: 75e578a325d3afbe5ae1d335def2b58f5f5d15f71d4a771b4a82e8a5a66d1752
Opcode Fuzzy Hash: 43a558747d1c2ee681dc8f5b95c07c3af6e9b92d28e4f3c8e645572bf0f688b4
Instruction Fuzzy Hash: 9A71F831A44205BEFB218F24DD49F9ABF64FF05374F248216F5186A1D0C7B1A910FB92

Function 00FC6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00FC6DEB

Part of subcall function 00F36B57: _wcslen.LIBCMT ref: 00F36B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00FC6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00FC6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FC6E94
DestroyWindow.USER32(?), ref: 00FC6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00F30000,00000000), ref: 00FC6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FC6EFD
GetDesktopWindow.USER32 ref: 00FC6F16
GetWindowRect.USER32(00000000), ref: 00FC6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00FC6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00FC6F4D

Part of subcall function 00F49944: GetWindowLongW.USER32(?,000000EB), ref: 00F49952

Strings

0, xrefs: 00FC6D98
tooltips_class32, xrefs: 00FC6E58, 00FC6EDD

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 801f489f7bb0161b933c6e35af0360377dc7ffe417e39a74dcba22fc91282842
Instruction ID: 1ac532e1532bc993db52865d9d0ed51d7e739ddfafeaaee443c12884164b1ae3
Opcode Fuzzy Hash: 801f489f7bb0161b933c6e35af0360377dc7ffe417e39a74dcba22fc91282842
Instruction Fuzzy Hash: C5718870908245AFDB21CF18DA49FAABBE9FF88314F04041EF989C7261D775E906EB15

Function 00FC911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F49BB2

DragQueryPoint.SHELL32(?,?), ref: 00FC9147

Part of subcall function 00FC7674: ClientToScreen.USER32(?,?), ref: 00FC769A
Part of subcall function 00FC7674: GetWindowRect.USER32(?,?), ref: 00FC7710
Part of subcall function 00FC7674: PtInRect.USER32(?,?,00FC8B89), ref: 00FC7720

SendMessageW.USER32(?,000000B0,?,?), ref: 00FC91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00FC91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00FC91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00FC9225
SendMessageW.USER32(?,000000B0,?,?), ref: 00FC923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00FC9255
SendMessageW.USER32(?,000000B1,?,?), ref: 00FC9277
DragFinish.SHELL32(?), ref: 00FC927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00FC9371

Strings

@GUI_DRAGID, xrefs: 00FC92E9
@GUI_DRAGFILE, xrefs: 00FC9320
@GUI_DROPID, xrefs: 00FC929E

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 8fbd0b3f14f5deb6153dc172c0242e2202049d0c90da3aedc42f3116ca0b279b
Instruction ID: 254f8717566e425b96ba3570ad7bf024f611cacf55ecc7d044f58885e51eeb45
Opcode Fuzzy Hash: 8fbd0b3f14f5deb6153dc172c0242e2202049d0c90da3aedc42f3116ca0b279b
Instruction Fuzzy Hash: 4B616D71108305AFD701DF64DD86EAFBBE8EF88760F00091DF595931A0DBB49A49EB92

Function 00FAC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00FAC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00FAC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00FAC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00FAC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00FAC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00FAC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FAC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00FAC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00FAC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00FAC5F0
InternetCloseHandle.WININET(00000000), ref: 00FAC5FB

Strings

, xrefs: 00FAC575

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 4f389247796b208d338d8cb5a91ce61f60fb8aab64bfa0c6a07ec65cf1b21406
Instruction ID: f917366a960b87665276e6bcbc479fd0cdd8e82de3894f9f853ddb018840593b
Opcode Fuzzy Hash: 4f389247796b208d338d8cb5a91ce61f60fb8aab64bfa0c6a07ec65cf1b21406
Instruction Fuzzy Hash: 45513AB1900609BFDB219F64C989AAA7BFCEF09754F044419F94A97610DB34E944ABE0

Function 00FC856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00FC8592
GetFileSize.KERNEL32(00000000,00000000), ref: 00FC85A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00FC85AD
CloseHandle.KERNEL32(00000000), ref: 00FC85BA
GlobalLock.KERNEL32(00000000), ref: 00FC85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00FC85D7
GlobalUnlock.KERNEL32(00000000), ref: 00FC85E0
CloseHandle.KERNEL32(00000000), ref: 00FC85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00FC85F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,00FCFC38,?), ref: 00FC8611
GlobalFree.KERNEL32(00000000), ref: 00FC8621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00FC8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00FC8671
DeleteObject.GDI32(00000000), ref: 00FC8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00FC86AF

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 3e87838f3414c94749df61304f5d79f6060fe3c669c4ea693d5b6d5ae0f2d35c
Instruction ID: bbf36b35a1350d7c7cb4fc6188b693d26294457e46557b364a2204e984bc4f06
Opcode Fuzzy Hash: 3e87838f3414c94749df61304f5d79f6060fe3c669c4ea693d5b6d5ae0f2d35c
Instruction Fuzzy Hash: 5A414C71600209AFDB11CFA5CE4AEAA7BB8FF89761F14405CF909E7260DB709D01EB60

Function 00FA14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00FA1502
VariantCopy.OLEAUT32(?,?), ref: 00FA150B
VariantClear.OLEAUT32(?), ref: 00FA1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00FA15FB
VarR8FromDec.OLEAUT32(?,?), ref: 00FA1657
VariantInit.OLEAUT32(?), ref: 00FA1708
SysFreeString.OLEAUT32(?), ref: 00FA178C
VariantClear.OLEAUT32(?), ref: 00FA17D8
VariantClear.OLEAUT32(?), ref: 00FA17E7
VariantInit.OLEAUT32(00000000), ref: 00FA1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00FA1625
Default, xrefs: 00FA16AF

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 1f280dbe9143d0500af73bde3182e6296eb9135531cfec4c6c76c079c7cc8894
Instruction ID: 6acd70143e4e90f734995a71b2826e453f5a1f2977e7f9b6ca71089110e48e83
Opcode Fuzzy Hash: 1f280dbe9143d0500af73bde3182e6296eb9135531cfec4c6c76c079c7cc8894
Instruction Fuzzy Hash: 70D121B2E00505DFDB00DFA5D895B79B7B0BF46710F1A805AE84AAB180DB34DC04FBA1

Function 00FBB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

Part of subcall function 00FBC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FBB6AE,?,?), ref: 00FBC9B5
Part of subcall function 00FBC998: _wcslen.LIBCMT ref: 00FBC9F1
Part of subcall function 00FBC998: _wcslen.LIBCMT ref: 00FBCA68
Part of subcall function 00FBC998: _wcslen.LIBCMT ref: 00FBCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FBB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FBB772
RegDeleteValueW.ADVAPI32(?,?), ref: 00FBB80A
RegCloseKey.ADVAPI32(?), ref: 00FBB87E
RegCloseKey.ADVAPI32(?), ref: 00FBB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00FBB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00FBB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00FBB922
FreeLibrary.KERNEL32(00000000), ref: 00FBB983
RegCloseKey.ADVAPI32(00000000), ref: 00FBB994

Strings

advapi32.dll, xrefs: 00FBB8ED
RegDeleteKeyExW, xrefs: 00FBB8FE

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 5c5784204634ac1aade661c74f33eff46d759cb9faf3be0c6ec681ae171ed315
Instruction ID: af39a60c11e986a985d3903d6effe1b6a1b964355b1b74d5088338a1c740f40c
Opcode Fuzzy Hash: 5c5784204634ac1aade661c74f33eff46d759cb9faf3be0c6ec681ae171ed315
Instruction Fuzzy Hash: 6EC19E35608201AFD710DF15C895F6ABBE1FF84328F14845CE49A8B2A2CBB5EC45EF91

Function 00FB255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00FB25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00FB25E8
CreateCompatibleDC.GDI32(?), ref: 00FB25F4
SelectObject.GDI32(00000000,?), ref: 00FB2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00FB266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00FB26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00FB26D0
SelectObject.GDI32(?,?), ref: 00FB26D8
DeleteObject.GDI32(?), ref: 00FB26E1
DeleteDC.GDI32(?), ref: 00FB26E8
ReleaseDC.USER32(00000000,?), ref: 00FB26F3

Strings

(, xrefs: 00FB268D

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: e32d956b010210115bb7e34ba0b17eb4d37761ac49d962160315021ca394f567
Instruction ID: eb68bea57e184fe44dd51f09d2220d1630d1022774bc6c07dec81793a3c52cc9
Opcode Fuzzy Hash: e32d956b010210115bb7e34ba0b17eb4d37761ac49d962160315021ca394f567
Instruction Fuzzy Hash: 696101B5D00219EFCF04CFA9C985EAEBBB6FF48310F248529E959A7250D734A941DF90

Function 00F6DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00F6DAA1

Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D659
Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D66B
Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D67D
Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D68F
Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D6A1
Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D6B3
Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D6C5
Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D6D7
Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D6E9
Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D6FB
Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D70D
Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D71F
Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D731

_free.LIBCMT ref: 00F6DA96

Part of subcall function 00F629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F6D7D1,00000000,00000000,00000000,00000000,?,00F6D7F8,00000000,00000007,00000000,?,00F6DBF5,00000000), ref: 00F629DE
Part of subcall function 00F629C8: GetLastError.KERNEL32(00000000,?,00F6D7D1,00000000,00000000,00000000,00000000,?,00F6D7F8,00000000,00000007,00000000,?,00F6DBF5,00000000,00000000), ref: 00F629F0

_free.LIBCMT ref: 00F6DAB8
_free.LIBCMT ref: 00F6DACD
_free.LIBCMT ref: 00F6DAD8
_free.LIBCMT ref: 00F6DAFA
_free.LIBCMT ref: 00F6DB0D
_free.LIBCMT ref: 00F6DB1B
_free.LIBCMT ref: 00F6DB26
_free.LIBCMT ref: 00F6DB5E
_free.LIBCMT ref: 00F6DB65
_free.LIBCMT ref: 00F6DB82
_free.LIBCMT ref: 00F6DB9A

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 78c0c0fe0a2a59f2e4f4b39e4dd74ce4d560f06dc434dfc6e657a4835ae38283
Instruction ID: 149657d1e4e543c7087c729544c4d2274dfc451570661603e17bf4def5e265cd
Opcode Fuzzy Hash: 78c0c0fe0a2a59f2e4f4b39e4dd74ce4d560f06dc434dfc6e657a4835ae38283
Instruction Fuzzy Hash: F7317831F046049FEB25AA78EC41B6AB7F9FF80360F154529E048D7192DB38AC80FB20

Function 00F9365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00F9369C
_wcslen.LIBCMT ref: 00F936A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00F93797
GetClassNameW.USER32(?,?,00000400), ref: 00F9380C
GetDlgCtrlID.USER32(?), ref: 00F9385D
GetWindowRect.USER32(?,?), ref: 00F93882
GetParent.USER32(?), ref: 00F938A0
ScreenToClient.USER32(00000000), ref: 00F938A7
GetClassNameW.USER32(?,?,00000100), ref: 00F93921
GetWindowTextW.USER32(?,?,00000400), ref: 00F9395D

Strings

%s%u, xrefs: 00F93734

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 350f32c68f281133a9fc180abf8ab1b370edeffdf0b0947acf7958bc67352964
Instruction ID: 4eec8736a8089507d306a7dc9e624f13af24040caa394f733c4756bfdd595125
Opcode Fuzzy Hash: 350f32c68f281133a9fc180abf8ab1b370edeffdf0b0947acf7958bc67352964
Instruction Fuzzy Hash: 5D910671604306AFEB19DF64C885FAAF7A9FF44350F004529F999C2190DB34EA49EBD1

Function 00F94954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00F94994
GetWindowTextW.USER32(?,?,00000400), ref: 00F949DA
_wcslen.LIBCMT ref: 00F949EB
CharUpperBuffW.USER32(?,00000000), ref: 00F949F7
_wcsstr.LIBVCRUNTIME ref: 00F94A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00F94A64
GetWindowTextW.USER32(?,?,00000400), ref: 00F94A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00F94AE6
GetClassNameW.USER32(?,?,00000400), ref: 00F94B20
GetWindowRect.USER32(?,?), ref: 00F94B8B

Strings

ThumbnailClass, xrefs: 00F94A6F, 00F94AF1

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: a2cadb11b4b01b3b6542ec490fc612561f9a86c37a8c721be4e29aa7f47dc50f
Instruction ID: fa9a739ea90c5a9bf6338f18c58e6ce1b5fa3ec96dba76236b3040a5e5ccdead
Opcode Fuzzy Hash: a2cadb11b4b01b3b6542ec490fc612561f9a86c37a8c721be4e29aa7f47dc50f
Instruction Fuzzy Hash: B491B1714082099FEF04CF14C981FAA77E8FF94324F048469FD899A196DB34ED46EBA1

Function 00FBCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00FBCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00FBCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00FBCD48

Part of subcall function 00FBCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00FBCCAA
Part of subcall function 00FBCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00FBCCBD
Part of subcall function 00FBCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00FBCCCF
Part of subcall function 00FBCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00FBCD05
Part of subcall function 00FBCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00FBCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00FBCCF3

Strings

advapi32.dll, xrefs: 00FBCCB8
RegDeleteKeyExW, xrefs: 00FBCCC9

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 3a6be05363cd40b892ce73a6cce3aede31eeeaf6237daa19828a6d860ae7a155
Instruction ID: c04407a8eb1e671e596d15bc7a804c4a72e70d178c1dc79ace12d29e72ec2033
Opcode Fuzzy Hash: 3a6be05363cd40b892ce73a6cce3aede31eeeaf6237daa19828a6d860ae7a155
Instruction Fuzzy Hash: 49318BB5D0112DBBDB208B52DC89EFFBB7CEF55750F000165E909E3200DA309A45BAE0

Function 00FA3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00FA3D40
_wcslen.LIBCMT ref: 00FA3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00FA3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00FA3DBE
RemoveDirectoryW.KERNEL32(?), ref: 00FA3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00FA3E55
CloseHandle.KERNEL32(00000000), ref: 00FA3E60
CloseHandle.KERNEL32(00000000), ref: 00FA3E6B

Strings

\, xrefs: 00FA3D77
\??\%s, xrefs: 00FA3D5B
:, xrefs: 00FA3D82

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 1f8cf21eb2fdd0d3c2e5b6459728ecd50cb8fc9b451cc6169a34cd7e8b28ca2a
Instruction ID: 31576d08b160e98a608794492a132caece0a75883f14cd6dc2508215c0837392
Opcode Fuzzy Hash: 1f8cf21eb2fdd0d3c2e5b6459728ecd50cb8fc9b451cc6169a34cd7e8b28ca2a
Instruction Fuzzy Hash: D631B2B290020DABDB219BA0DC49FEF37BCEF89750F1041B5FA09D6060EB749744AB64

Function 00F9E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00F9EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00F9EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F9EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00F9EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00F9EAA7

Strings

play PlayMe, xrefs: 00F9EAA2
status PlayMe mode, xrefs: 00F9EA58
play PlayMe wait, xrefs: 00F9EA91
alias PlayMe, xrefs: 00F9EA36
open , xrefs: 00F9EA0C
close PlayMe, xrefs: 00F9EA6E, 00F9EA9B

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: f838091cd4ca58ffd68aa3c102fc88985350e031c5218c9dccdee7b7d285a97f
Instruction ID: 0d16d2f6821b76aa03174a0553aff53207717314eb875158d68bb9dfa45ad78c
Opcode Fuzzy Hash: f838091cd4ca58ffd68aa3c102fc88985350e031c5218c9dccdee7b7d285a97f
Instruction Fuzzy Hash: 3B114231A9021D79EB20E761DC4AEFB7A7CEFD1B50F4004297901E20E1DEB45905E6B1

Function 00F99F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00F9A012
SetKeyboardState.USER32(?), ref: 00F9A07D
GetAsyncKeyState.USER32(000000A0), ref: 00F9A09D
GetKeyState.USER32(000000A0), ref: 00F9A0B4
GetAsyncKeyState.USER32(000000A1), ref: 00F9A0E3
GetKeyState.USER32(000000A1), ref: 00F9A0F4
GetAsyncKeyState.USER32(00000011), ref: 00F9A120
GetKeyState.USER32(00000011), ref: 00F9A12E
GetAsyncKeyState.USER32(00000012), ref: 00F9A157
GetKeyState.USER32(00000012), ref: 00F9A165
GetAsyncKeyState.USER32(0000005B), ref: 00F9A18E
GetKeyState.USER32(0000005B), ref: 00F9A19C

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 4dd174d6e3051018583d459eae3181ac5751eb9e2d57c67e67dc794fdaed1209
Instruction ID: 722a90fc3e3f5705a1ac8274fa2aa14fe1a7c0d73a7a4236c6eb4bd5c822751f
Opcode Fuzzy Hash: 4dd174d6e3051018583d459eae3181ac5751eb9e2d57c67e67dc794fdaed1209
Instruction Fuzzy Hash: D151FB30D0878829FF35DB6489117EAFFB49F11394F08459DD5C2571C2DA949A8CEBE2

Function 00F95CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00F95CE2
GetWindowRect.USER32(00000000,?), ref: 00F95CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00F95D59
GetDlgItem.USER32(?,00000002), ref: 00F95D69
GetWindowRect.USER32(00000000,?), ref: 00F95D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00F95DCF
GetDlgItem.USER32(?,000003E9), ref: 00F95DDD
GetWindowRect.USER32(00000000,?), ref: 00F95DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00F95E31
GetDlgItem.USER32(?,000003EA), ref: 00F95E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00F95E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00F95E67

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: f14ac7661052388b3e2c61a4018b02128c28d633f8629c26d0d508b824478e48
Instruction ID: 77c97003e24e40ea0a6cc76c17049d4f120765b6a5043d0db858789ce951dd90
Opcode Fuzzy Hash: f14ac7661052388b3e2c61a4018b02128c28d633f8629c26d0d508b824478e48
Instruction Fuzzy Hash: BC511FB1E00609AFDF18DF68CE8AEAE7BB5EB48710F108129F519E7290D7709E04DB50

Function 00F48BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F48F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F48BE8,?,00000000,?,?,?,?,00F48BBA,00000000,?), ref: 00F48FC5

DestroyWindow.USER32(?), ref: 00F48C81
KillTimer.USER32(00000000,?,?,?,?,00F48BBA,00000000,?), ref: 00F48D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00F86973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00F48BBA,00000000,?), ref: 00F869A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00F48BBA,00000000,?), ref: 00F869B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00F48BBA,00000000), ref: 00F869D4
DeleteObject.GDI32(00000000), ref: 00F869E6

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: d60af06578d1413c3beea4aa0c6798d023df6ea3d52a193ccb52717d3a7c6819
Instruction ID: 8b2bec7a2a3d9ecba77412f0685ee46f6885bc830bee73bc0a97ce58cb277266
Opcode Fuzzy Hash: d60af06578d1413c3beea4aa0c6798d023df6ea3d52a193ccb52717d3a7c6819
Instruction Fuzzy Hash: 1061CE31902611DFDB369F14DA89B697BF1FB40362F104518E5829B5A0CB3AE982FF90

Function 00F49838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00F49944: GetWindowLongW.USER32(?,000000EB), ref: 00F49952

GetSysColor.USER32(0000000F), ref: 00F49862

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 827ceba26f481ba5122201670c8a62472622292cc01698b3ff839e8707c19894
Instruction ID: e318cc86b52e3b8e0dc3d376120a4fb58b3416926d5fc30b4b06804c795a8eb1
Opcode Fuzzy Hash: 827ceba26f481ba5122201670c8a62472622292cc01698b3ff839e8707c19894
Instruction Fuzzy Hash: FA4193316086449FDB209F3C9C49FBA3B65AB46330F684615FDA68B1E1D771D842FB50

Function 00F996E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00F7F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00F99717
LoadStringW.USER32(00000000,?,00F7F7F8,00000001), ref: 00F99720

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00F7F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00F99742
LoadStringW.USER32(00000000,?,00F7F7F8,00000001), ref: 00F99745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00F99866

Strings

Line %d:, xrefs: 00F997A0
%s (%d) : ==> %s: %s %s, xrefs: 00F9984A
Line %d (File "%s"):, xrefs: 00F9978F
Error: , xrefs: 00F9981D
^ ERROR, xrefs: 00F997FB

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 5eb3bcd8a39cbaae61690e69bdcb45d6b74be6308f93bb52b243a1ba5899db33
Instruction ID: 81b5d27c674b5df8ad07d555ca5ed1410481daf934987e2d2c4f18e9c5e4705b
Opcode Fuzzy Hash: 5eb3bcd8a39cbaae61690e69bdcb45d6b74be6308f93bb52b243a1ba5899db33
Instruction Fuzzy Hash: C8414172804119AADF04FBE4CE46EEE7778AF55350F504029F605B2092EFB95F48EB61

Function 00F906DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F36B57: _wcslen.LIBCMT ref: 00F36B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00F907A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00F907BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00F907DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00F90804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00F9082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F90837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F9083C

Strings

SOFTWARE\Classes\, xrefs: 00F9070E
\CLSID, xrefs: 00F90724
\IPC$, xrefs: 00F90784

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 36d52a45ca7ec39a08d1b54ceb1ef8f9a659e7d9433dda86edaca25872f79a22
Instruction ID: e2e7311fc196e056edeac4c3c5979f9af5878f0b929ec3d9d5fd3ebb172ac72b
Opcode Fuzzy Hash: 36d52a45ca7ec39a08d1b54ceb1ef8f9a659e7d9433dda86edaca25872f79a22
Instruction Fuzzy Hash: 14411572C1022DAFDF25EBA4DC85CEDB778BF44760F444129E905A31A1EB749E04EBA0

Function 00FC3F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00FC403B
CreateCompatibleDC.GDI32(00000000), ref: 00FC4042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00FC4055
SelectObject.GDI32(00000000,00000000), ref: 00FC405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00FC4068
DeleteDC.GDI32(00000000), ref: 00FC4072
GetWindowLongW.USER32(?,000000EC), ref: 00FC407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00FC4092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00FC409E

Strings

static, xrefs: 00FC3FD3

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 2e197a870bf7502f297ecf4982768d2301d9d448a1f95c5de50e76138a49e232
Instruction ID: e843e4a6ef1f803dcd292e6e2072158d18896d244257aad96374b06369c69eb9
Opcode Fuzzy Hash: 2e197a870bf7502f297ecf4982768d2301d9d448a1f95c5de50e76138a49e232
Instruction Fuzzy Hash: 1631603254121AAFDF219FA4CE46FDA3B68FF0D360F110215FA58E61A0C775D811EB90

Function 00FB3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FB3C5C
CoInitialize.OLE32(00000000), ref: 00FB3C8A
CoUninitialize.OLE32 ref: 00FB3C94
_wcslen.LIBCMT ref: 00FB3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00FB3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00FB3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00FB3F0E
CoGetObject.OLE32(?,00000000,00FCFB98,?), ref: 00FB3F2D
SetErrorMode.KERNEL32(00000000), ref: 00FB3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00FB3FC4
VariantClear.OLEAUT32(?), ref: 00FB3FD8

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: a8a848bd030888a968ff1a96b289fee350a62a0f38528c94a69070af192f4e58
Instruction ID: 6b8d1f27818f3c5a2f7047111b86d1f82f512a49871e8fc4a0e99594e8050edf
Opcode Fuzzy Hash: a8a848bd030888a968ff1a96b289fee350a62a0f38528c94a69070af192f4e58
Instruction Fuzzy Hash: 93C16571A083059FC700DF6AC98496BBBE9FF88754F14491DF98A9B250DB30EE05DB92

Function 00FA7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00FA7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00FA7B8F
SHGetDesktopFolder.SHELL32(?), ref: 00FA7BA3
CoCreateInstance.OLE32(00FCFD08,00000000,00000001,00FF6E6C,?), ref: 00FA7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00FA7C74
CoTaskMemFree.OLE32(?,?), ref: 00FA7CCC
SHBrowseForFolderW.SHELL32(?), ref: 00FA7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00FA7D7A
CoTaskMemFree.OLE32(00000000), ref: 00FA7D81
CoTaskMemFree.OLE32(00000000), ref: 00FA7DD6
CoUninitialize.OLE32 ref: 00FA7DDC

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: a01710bf135d224f0ee5ee3e5117758b83a1ac2149ea8e0610634915f9b3ea37
Instruction ID: 45b851ece2dabaa4f9660431b8692bbfb352127f642e35c6f91edf2660dc90b5
Opcode Fuzzy Hash: a01710bf135d224f0ee5ee3e5117758b83a1ac2149ea8e0610634915f9b3ea37
Instruction Fuzzy Hash: A6C12AB5A04209AFCB14DF64C884DAEBBF9FF49314F148499E81ADB261D730ED45DB90

Function 00FC541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00FC5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FC5515
CharNextW.USER32(00000158), ref: 00FC5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00FC5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00FC559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FC55AC

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: a2211eb8d84b397c2f2fc48326b85ea64a963300dbaa9d34a2dd2c8c315a18fb
Instruction ID: 12315f7587b12d2d6a6bdcdf005a06aa7a6685f7133302051bbdbcac9e2f6568
Opcode Fuzzy Hash: a2211eb8d84b397c2f2fc48326b85ea64a963300dbaa9d34a2dd2c8c315a18fb
Instruction Fuzzy Hash: E5618C3190060AABDF10DF54CE86FFE7B79AB05B24F104549F529AB290D774AA80FB60

Function 00F8FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00F8FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00F8FB08
VariantInit.OLEAUT32(?), ref: 00F8FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00F8FB3A
VariantCopy.OLEAUT32(?,?), ref: 00F8FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00F8FBA1
VariantClear.OLEAUT32(?), ref: 00F8FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00F8FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F8FBCC
VariantClear.OLEAUT32(?), ref: 00F8FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F8FBE9

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 778c0629e75a9e59f533a16dedd576b1dab48ab3b41209ac9ffd1d17a0837369
Instruction ID: 49f29a5b5c426a335b05a4a283f50cb6861d5fb6bf7db8f0a9a453ec613672cb
Opcode Fuzzy Hash: 778c0629e75a9e59f533a16dedd576b1dab48ab3b41209ac9ffd1d17a0837369
Instruction Fuzzy Hash: D9413E35A002199FCB04EF64CC55DEEBBB9FF48354F008069E95AA7261DB34A949DFA0

Function 00F99C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00F99CA1
GetAsyncKeyState.USER32(000000A0), ref: 00F99D22
GetKeyState.USER32(000000A0), ref: 00F99D3D
GetAsyncKeyState.USER32(000000A1), ref: 00F99D57
GetKeyState.USER32(000000A1), ref: 00F99D6C
GetAsyncKeyState.USER32(00000011), ref: 00F99D84
GetKeyState.USER32(00000011), ref: 00F99D96
GetAsyncKeyState.USER32(00000012), ref: 00F99DAE
GetKeyState.USER32(00000012), ref: 00F99DC0
GetAsyncKeyState.USER32(0000005B), ref: 00F99DD8
GetKeyState.USER32(0000005B), ref: 00F99DEA

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 70262764f96fb4e6db3467ff1b609c9f216945bcb30152afe092db66e2b2a953
Instruction ID: 28dfbae6ecd68f4c5b64f4fdcb2206f03fd6a22bd98bdd821e419fce05e7bf42
Opcode Fuzzy Hash: 70262764f96fb4e6db3467ff1b609c9f216945bcb30152afe092db66e2b2a953
Instruction Fuzzy Hash: 4241FB30D0C7CA69FF31976889443B5BEA06F12364F09405EC9C6575C1EBE559C8EBA2

Function 00FB055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00FB05BC
inet_addr.WSOCK32(?), ref: 00FB061C
gethostbyname.WSOCK32(?), ref: 00FB0628
IcmpCreateFile.IPHLPAPI ref: 00FB0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00FB06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00FB06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00FB07B9
WSACleanup.WSOCK32 ref: 00FB07BF

Strings

Ping, xrefs: 00FB0676

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 775331aac6fcde505f5b63050df891c247b1f0f6bd2164d1afecf7b6b9f48fe2
Instruction ID: 049ea33b6bbbc06ecf263832ea710dacdae9f9177335b61f5eb384826478eac4
Opcode Fuzzy Hash: 775331aac6fcde505f5b63050df891c247b1f0f6bd2164d1afecf7b6b9f48fe2
Instruction Fuzzy Hash: 539190359042019FD720DF16C989F5BBBE0EF44328F1885A9F4698B6A2CB34EC45EF91

Function 00FB8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00FB8CF3

Part of subcall function 00F98E54: _wcslen.LIBCMT ref: 00F98E77

_wcslen.LIBCMT ref: 00FB8D4E
_wcslen.LIBCMT ref: 00FB8D9C
_wcslen.LIBCMT ref: 00FB8DDC
_wcslen.LIBCMT ref: 00FB8E6E

Strings

winapi, xrefs: 00FB8D96, 00FB8D9B
none, xrefs: 00FB8E65, 00FB8E6A
stdcall, xrefs: 00FB8DD6, 00FB8DDB
cdecl, xrefs: 00FB8D48, 00FB8D4D

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 9fbd70ee54cc8b8a5b4103ae8e829ec7aa7382f93b2d11c43d96368431e75ee5
Instruction ID: 1e7d594a5d76813f62bd2c5120aa038ab9ce5733999bae18bdb0cbe033a58d9d
Opcode Fuzzy Hash: 9fbd70ee54cc8b8a5b4103ae8e829ec7aa7382f93b2d11c43d96368431e75ee5
Instruction Fuzzy Hash: AB51B431A041169BCB14DFA9C9419FEB7A9BFA4364B204229E916E7284DF34DD42EB90

Function 00FB372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00FB3774
CoUninitialize.OLE32 ref: 00FB377F
CoCreateInstance.OLE32(?,00000000,00000017,00FCFB78,?), ref: 00FB37D9
IIDFromString.OLE32(?,?), ref: 00FB384C
VariantInit.OLEAUT32(?), ref: 00FB38E4
VariantClear.OLEAUT32(?), ref: 00FB3936

Strings

Invalid parameter, xrefs: 00FB3865
NULL Pointer assignment, xrefs: 00FB381E
Failed to create object, xrefs: 00FB37E4, 00FB389A

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: eb982f6945005277971bdb00f1113a59ff4bd84590d5741b2886b0d1bebfdeb2
Instruction ID: 71203e1948a633ae1b964c811771d907e82e5d04f393c8e22586653aaeb84f1a
Opcode Fuzzy Hash: eb982f6945005277971bdb00f1113a59ff4bd84590d5741b2886b0d1bebfdeb2
Instruction Fuzzy Hash: 3B61A072648301AFD710DF55C889FAABBE8EF44710F104809F98597291DB74EE48EF92

Function 00FA3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00FA33CF

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00FA33F0

Strings

^ ERROR , xrefs: 00FA349E
"%s" (%d) : ==> %s:, xrefs: 00FA3522
"%s" (%d) : ==> %s:%s%s, xrefs: 00FA3504
Line %d (File "%s"):, xrefs: 00FA3443, 00FA345C
Error: , xrefs: 00FA34D1
Incorrect parameters to object property !, xrefs: 00FA34AB

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 3db9bf5284ec299a4178235bdbf994389a53bf5aef737b1c5997afea289b71f1
Instruction ID: abc96c998d0a60460aa83cef109a2984c73a7ead069de1c2744ce0c9ab345738
Opcode Fuzzy Hash: 3db9bf5284ec299a4178235bdbf994389a53bf5aef737b1c5997afea289b71f1
Instruction Fuzzy Hash: 6A51AF72C0420AAADF15EBA0CD42EEEB778EF04350F148065F505B2062EB796F58FB61

Function 00F9B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00F9B5FC
_wcslen.LIBCMT ref: 00F9B608
_wcslen.LIBCMT ref: 00F9B64D
_wcslen.LIBCMT ref: 00F9B68C
_wcslen.LIBCMT ref: 00F9B6C7

Strings

KEYS, xrefs: 00F9B647, 00F9B64C
REMOVE, xrefs: 00F9B602, 00F9B607
APPEND, xrefs: 00F9B6C1, 00F9B6C6
EXISTS, xrefs: 00F9B686, 00F9B68B

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 15c678affaf7e9dd1d3683b260248f96aa16453c259ec714e60f54862508eaf0
Instruction ID: 07a26ffc8577a8d7c52217ee75912d7809c62f8561b482f97eae0f952e396c99
Opcode Fuzzy Hash: 15c678affaf7e9dd1d3683b260248f96aa16453c259ec714e60f54862508eaf0
Instruction Fuzzy Hash: 74412933E0002A9BDF206F7DDE905BE77A5AFA0774B244269E521D7280E735EC81E790

Function 00FA5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FA53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00FA5416
GetLastError.KERNEL32 ref: 00FA5420
SetErrorMode.KERNEL32(00000000,READY), ref: 00FA54A7

Strings

UNKNOWN, xrefs: 00FA5444
NOTREADY, xrefs: 00FA544B
READONLY, xrefs: 00FA5452
INVALID, xrefs: 00FA5459
READY, xrefs: 00FA5460, 00FA5468

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: bb3865c5d1271ec33d5025df8f147470122dbe883347dfcd756c25e93168de0e
Instruction ID: 48f67fac31e8f2fd4aca3afd361f8e45e7e3de4b273941e06446c0127d511585
Opcode Fuzzy Hash: bb3865c5d1271ec33d5025df8f147470122dbe883347dfcd756c25e93168de0e
Instruction Fuzzy Hash: E231F6B5E006089FC710DF68C894FAD7BB4EF4A715F188055E905CB262DB75ED82EB90

Function 00FC3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00FC3C79
SetMenu.USER32(?,00000000), ref: 00FC3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FC3D10
IsMenu.USER32(?), ref: 00FC3D24
CreatePopupMenu.USER32 ref: 00FC3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FC3D5B
DrawMenuBar.USER32 ref: 00FC3D63

Strings

F, xrefs: 00FC3D4E
0, xrefs: 00FC3C54

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: d684f56ae8d796371fa051afbd8c64b1041bd40fc93df12d7311be71491d5b1a
Instruction ID: 6ff02fe79cb447c9b7e60be39fb78189235908ce49de8dd603f53e31d95b2ae6
Opcode Fuzzy Hash: d684f56ae8d796371fa051afbd8c64b1041bd40fc93df12d7311be71491d5b1a
Instruction Fuzzy Hash: 2F416B75A0120AAFDB14CF64D945FAA7BB5FF49350F14442CF946A7350D731AA10EF90

Function 00F91EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

Part of subcall function 00F93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F93CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00F91F64
GetDlgCtrlID.USER32 ref: 00F91F6F
GetParent.USER32 ref: 00F91F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F91F8E
GetDlgCtrlID.USER32(?), ref: 00F91F97
GetParent.USER32(?), ref: 00F91FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F91FAE

Strings

ListBox, xrefs: 00F91F21
ComboBox, xrefs: 00F91EEC

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 7b8f06b1f26041458dd8ec0875ed9102810f30b0ae6b9414a3e47052a5eae302
Instruction ID: 16432aff97d5b140d1b1fb6071863736ba5e691a06ad26cc1183d4a399ab4ccf
Opcode Fuzzy Hash: 7b8f06b1f26041458dd8ec0875ed9102810f30b0ae6b9414a3e47052a5eae302
Instruction Fuzzy Hash: 0421A171900118ABDF05AFA0DD45DEEBBA4AF05354F000115F959A72A1CBB95908FB60

Function 00F91FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

Part of subcall function 00F93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F93CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00F92043
GetDlgCtrlID.USER32 ref: 00F9204E
GetParent.USER32 ref: 00F9206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F9206D
GetDlgCtrlID.USER32(?), ref: 00F92076
GetParent.USER32(?), ref: 00F9208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F9208D

Strings

ListBox, xrefs: 00F92002
ComboBox, xrefs: 00F91FCD

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 274e2ea72996d73d00af598608b44fc35f602e0950107b456470d65a4b5ae87e
Instruction ID: cc254eb822844e6668c6ebd7ace859d9749f7d0c9121d1d0cdf3aa23bb4b8907
Opcode Fuzzy Hash: 274e2ea72996d73d00af598608b44fc35f602e0950107b456470d65a4b5ae87e
Instruction Fuzzy Hash: 8521C675D00218BBDF10AFA0DD85EFEBBB8EF05350F004015FA59A72A1DAB98915FB60

Function 00FC3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00FC3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00FC3AA0
GetWindowLongW.USER32(?,000000F0), ref: 00FC3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FC3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00FC3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00FC3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00FC3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00FC3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00FC3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00FC3C13

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 5ac84ca32a61a6abc052ab2544124e4ebd15d4fbae1892689e0a7b84d14b3f3e
Instruction ID: 562e3ed2c662157bec28f26f5ffd456e94c87504aeea7e43eb0124f541e90559
Opcode Fuzzy Hash: 5ac84ca32a61a6abc052ab2544124e4ebd15d4fbae1892689e0a7b84d14b3f3e
Instruction Fuzzy Hash: 82618A75900209AFDB21DFA8CD82FEE77F8EB49310F104099FA15A7291C774AE41EB60

Function 00F9B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00F9B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00F9A1E1,?,00000001), ref: 00F9B165
GetWindowThreadProcessId.USER32(00000000), ref: 00F9B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F9A1E1,?,00000001), ref: 00F9B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00F9B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00F9A1E1,?,00000001), ref: 00F9B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F9A1E1,?,00000001), ref: 00F9B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00F9A1E1,?,00000001), ref: 00F9B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00F9A1E1,?,00000001), ref: 00F9B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00F9A1E1,?,00000001), ref: 00F9B21D

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: ced843a24019cee4a9af76562f8f2b805da9b8b9515d148408b338a8acd65a5d
Instruction ID: 443fe473f319dad72ee74a8c4a2b268f7df20070dab4c1542467327f6268bd77
Opcode Fuzzy Hash: ced843a24019cee4a9af76562f8f2b805da9b8b9515d148408b338a8acd65a5d
Instruction Fuzzy Hash: C5318E71900208AFEF27DF25EE59F6D7BA9FB51321F104005FA49DB180D7B9A941AF60

Function 00F62C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00F62C94

Part of subcall function 00F629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F6D7D1,00000000,00000000,00000000,00000000,?,00F6D7F8,00000000,00000007,00000000,?,00F6DBF5,00000000), ref: 00F629DE
Part of subcall function 00F629C8: GetLastError.KERNEL32(00000000,?,00F6D7D1,00000000,00000000,00000000,00000000,?,00F6D7F8,00000000,00000007,00000000,?,00F6DBF5,00000000,00000000), ref: 00F629F0

_free.LIBCMT ref: 00F62CA0
_free.LIBCMT ref: 00F62CAB
_free.LIBCMT ref: 00F62CB6
_free.LIBCMT ref: 00F62CC1
_free.LIBCMT ref: 00F62CCC
_free.LIBCMT ref: 00F62CD7
_free.LIBCMT ref: 00F62CE2
_free.LIBCMT ref: 00F62CED
_free.LIBCMT ref: 00F62CFB

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fff07eedab689fd0cc18de3ad0e1491b5924cd43b6e445a17670f7b9e4301654
Instruction ID: f4c6f0741a3caaf91430f43c648b3d966ee635c43ef3545d57da6ec4f3d05347
Opcode Fuzzy Hash: fff07eedab689fd0cc18de3ad0e1491b5924cd43b6e445a17670f7b9e4301654
Instruction Fuzzy Hash: CA119376600508AFCB86EF58DC82CDD3BB5FF45390F4144A5FA489B222DA35EA50BB90

Function 00F31410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00F31459
OleUninitialize.OLE32(?,00000000), ref: 00F314F8
UnregisterHotKey.USER32(?), ref: 00F316DD
DestroyWindow.USER32(?), ref: 00F724B9
FreeLibrary.KERNEL32(?), ref: 00F7251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F7254B

Strings

close all, xrefs: 00F31454

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 8e9d24970c0c0c1de697817e5c56754b61cb947b3bd04b2ffce5db95d0d9c4b2
Instruction ID: 98cc149dda759772c176dfb8e06b24e6958e4f2fda640995b777aea3469ffa16
Opcode Fuzzy Hash: 8e9d24970c0c0c1de697817e5c56754b61cb947b3bd04b2ffce5db95d0d9c4b2
Instruction Fuzzy Hash: F4D15D31B01212CFCB19EF15C995B29F7A4BF05720F1482AEE44E6B252DB31AD16EF91

Function 00FA7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FA7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00FA7FC1
GetFileAttributesW.KERNEL32(?), ref: 00FA7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00FA8005
SetCurrentDirectoryW.KERNEL32(?), ref: 00FA8017
SetCurrentDirectoryW.KERNEL32(?), ref: 00FA8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00FA80B0

Strings

*.*, xrefs: 00FA8066

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: b3f0ae08c70bd98d2baa4b11effb83ce407b0a448fdfeef45ad247938c4cafcc
Instruction ID: 4a9232e54d78c92b1787c806c9f0d3bd0253001d78927372218881dfb484f70d
Opcode Fuzzy Hash: b3f0ae08c70bd98d2baa4b11effb83ce407b0a448fdfeef45ad247938c4cafcc
Instruction Fuzzy Hash: 8C81B6B29083459BCB24EF14CC84E6AB3E8BF86360F144C5EF885D7250DB75DD45AB92

Function 00F35BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00F35C7A

Part of subcall function 00F35D0A: GetClientRect.USER32(?,?), ref: 00F35D30
Part of subcall function 00F35D0A: GetWindowRect.USER32(?,?), ref: 00F35D71
Part of subcall function 00F35D0A: ScreenToClient.USER32(?,?), ref: 00F35D99

GetDC.USER32 ref: 00F746F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00F74708
SelectObject.GDI32(00000000,00000000), ref: 00F74716
SelectObject.GDI32(00000000,00000000), ref: 00F7472B
ReleaseDC.USER32(?,00000000), ref: 00F74733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00F747C4

Strings

U, xrefs: 00F74693

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 9b21069ce189c107668efe47718cd70e7c7972419e81fc03463c65be25d90e6f
Instruction ID: 1bb59ce9ead5bb54b22e4679ee97f02ac37ca840790558e85ab75d0b45f876e2
Opcode Fuzzy Hash: 9b21069ce189c107668efe47718cd70e7c7972419e81fc03463c65be25d90e6f
Instruction Fuzzy Hash: 1671E331800205DFCF268F64C985AB97BB5FF4A374F14822AED595A166C335A842FF52

Function 00FA359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00FA35E4

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

LoadStringW.USER32(01002390,?,00000FFF,?), ref: 00FA360A

Strings

"%s" (%d) : ==> %s:, xrefs: 00FA3742
"%s" (%d) : ==> %s:%s%s, xrefs: 00FA3724
Line %d (File "%s"):, xrefs: 00FA366B
Error: , xrefs: 00FA36EF
^ ERROR, xrefs: 00FA36C9

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 51c99bd79b5922a0b19f7ffa0352812e3c8ca2c27c78610fac24b7f9f8e9a639
Instruction ID: 6e0e56901b1e43a64bbaa6e88a36b814de6e3df7cea12e50b2aa92a2c6b34d09
Opcode Fuzzy Hash: 51c99bd79b5922a0b19f7ffa0352812e3c8ca2c27c78610fac24b7f9f8e9a639
Instruction Fuzzy Hash: 12517FB1C0421ABADF15EBA0CC42EEDBB38EF05310F144125F505721A1EB795B99EFA1

Function 00FAC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FAC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FAC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00FAC2CA
GetLastError.KERNEL32 ref: 00FAC322
SetEvent.KERNEL32(?), ref: 00FAC336
InternetCloseHandle.WININET(00000000), ref: 00FAC341

Strings

, xrefs: 00FAC2BB

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 00222de189e2b816f14e23de31e6652af7be13e2aedf4931ebb30c30315c2930
Instruction ID: f212d4c8f5f657b54561bae51e2178dd62098b8ebbeb9eafaf745ceb07e03215
Opcode Fuzzy Hash: 00222de189e2b816f14e23de31e6652af7be13e2aedf4931ebb30c30315c2930
Instruction Fuzzy Hash: F2313CB1900708AFDB219F649D89AAB7AECEF4A754B14851AE44AD3200DB34D905ABE1

Function 00F9989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00F73AAF,?,?,Bad directive syntax error,00FCCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00F998BC
LoadStringW.USER32(00000000,?,00F73AAF,?), ref: 00F998C3

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00F99987

Strings

Line %d:, xrefs: 00F99912
Error: , xrefs: 00F99955
Line %d (File "%s"):, xrefs: 00F9992D
%s (%d) : ==> %s.: %s %s, xrefs: 00F998F1
., xrefs: 00F9996D

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: b8cdc8a700ec38246cb773ca7b7fcd75961c2627a0dae64ef504ff4b6989699b
Instruction ID: 480f5deb6655b149ee8326a176b243bccef97857bde37e65dd447420bab6984c
Opcode Fuzzy Hash: b8cdc8a700ec38246cb773ca7b7fcd75961c2627a0dae64ef504ff4b6989699b
Instruction Fuzzy Hash: 25217E3284421EABDF15EF90CC06EEE7775FF18710F044419F619660A2EBB99618FB51

Function 00F9209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00F920AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00F920C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00F9214D

Strings

smallicons, xrefs: 00F92115
SHELLDLL_DefView, xrefs: 00F920CC
list, xrefs: 00F9212F
largeicons, xrefs: 00F920E1
details, xrefs: 00F920FB

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 9ef880bb506e650a2689cccfb7f93859b9148fb661d004e7b1cb0724a8a2d801
Instruction ID: 8620007239390e547cb34bb8bc4017937f3e3a070a92d0bf2b03d9565582689e
Opcode Fuzzy Hash: 9ef880bb506e650a2689cccfb7f93859b9148fb661d004e7b1cb0724a8a2d801
Instruction Fuzzy Hash: C6112C7768870ABAFE412620DC07DF6379CCF04725F200016FB08A50F1FE65A8957654

Function 00F6CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00F6CEB7
_free.LIBCMT ref: 00F6CF22
_free.LIBCMT ref: 00F6CF48
_free.LIBCMT ref: 00F6CF71
_free.LIBCMT ref: 00F6CFA9
_free.LIBCMT ref: 00F6CFDA
_free.LIBCMT ref: 00F6D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00F6D09C
_free.LIBCMT ref: 00F6D0B5

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 1f91536b9fadee9a954d6b27211a667c8ea56d252377a6a2413d2522efba2367
Instruction ID: 8b097932f773483763a6a941e9d9163f722cabdda4b0d3cb024eeb82f30e4dd4
Opcode Fuzzy Hash: 1f91536b9fadee9a954d6b27211a667c8ea56d252377a6a2413d2522efba2367
Instruction Fuzzy Hash: 71611471E04201AFDB25AFB49C81B7E7BA5AF05360F04416EF9C597286DB3A9901B7F0

Function 00FC50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00FC5186
ShowWindow.USER32(?,00000000), ref: 00FC51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00FC51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00FC51D1

Part of subcall function 00FC6FBA: DeleteObject.GDI32(00000000), ref: 00FC6FE6

GetWindowLongW.USER32(?,000000F0), ref: 00FC520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FC521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00FC524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00FC5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00FC5296

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: de6fce36560383631556a80dde7c62efd7c4b849d4d2720910e98973b9df669f
Instruction ID: 69b27162bb7fadfa40e1169b71e1c7a93656fe00b9e9c27203b0018bb28b23a5
Opcode Fuzzy Hash: de6fce36560383631556a80dde7c62efd7c4b849d4d2720910e98973b9df669f
Instruction Fuzzy Hash: 97519E30E40A0ABEEB209F24CE4BFD93BA5EB05B24F584009F519962E1C375B9C0FB40

Function 00F48B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00F86890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00F868A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00F868B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00F868D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00F868F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F48874,00000000,00000000,00000000,000000FF,00000000), ref: 00F86901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00F8691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F48874,00000000,00000000,00000000,000000FF,00000000), ref: 00F8692D

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: a91ba30bdeef007cbd74a9d76a10ac04f58d78544bd00eeea10bf5bdaaeef7dc
Instruction ID: bf2628e696e8e071abaa49ecee489cc53f579910cff3b8689a848d4febb3d969
Opcode Fuzzy Hash: a91ba30bdeef007cbd74a9d76a10ac04f58d78544bd00eeea10bf5bdaaeef7dc
Instruction Fuzzy Hash: BC515970A00209EFDB20DF24CD46FAA7BB5EF88760F104518F95AD72A0DB75E991EB50

Function 00FAC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00FAC182
GetLastError.KERNEL32 ref: 00FAC195
SetEvent.KERNEL32(?), ref: 00FAC1A9

Part of subcall function 00FAC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FAC272
Part of subcall function 00FAC253: GetLastError.KERNEL32 ref: 00FAC322
Part of subcall function 00FAC253: SetEvent.KERNEL32(?), ref: 00FAC336
Part of subcall function 00FAC253: InternetCloseHandle.WININET(00000000), ref: 00FAC341

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: e4ba750544614502097c1c7d6ea8f41dcbd64d00c53f0cbe6a37bf2a70831f24
Instruction ID: fef2b9b27d6cb90788aa66820ddd76754683bf261d03f1c927f879a7a0c5b3ef
Opcode Fuzzy Hash: e4ba750544614502097c1c7d6ea8f41dcbd64d00c53f0cbe6a37bf2a70831f24
Instruction Fuzzy Hash: 42319EB1600609AFDB219FA5DE44BA6BBF8FF5A310B04441EF95A83610D731E814FBE0

Function 00F925A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F93A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F93A57
Part of subcall function 00F93A3D: GetCurrentThreadId.KERNEL32 ref: 00F93A5E
Part of subcall function 00F93A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00F925B3), ref: 00F93A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00F925BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00F925DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00F925DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00F925E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00F92601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00F92605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00F9260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00F92623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00F92627

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: d405738c91864bc60abce1fe172088f1197b9e11d18e9f6b71cb0829ecda509e
Instruction ID: 06e3e566138b5313533b337b893cf5c0ee6e0568f8dde6f5255fa5047e2e5b9b
Opcode Fuzzy Hash: d405738c91864bc60abce1fe172088f1197b9e11d18e9f6b71cb0829ecda509e
Instruction Fuzzy Hash: 2F01D431790214BBFB20676A9C8BF593F59DB4EB12F110001F31CAF1D2C9F22444AAA9

Function 00F91803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00F91449,?,?,00000000), ref: 00F9180C
HeapAlloc.KERNEL32(00000000,?,00F91449,?,?,00000000), ref: 00F91813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F91449,?,?,00000000), ref: 00F91828
GetCurrentProcess.KERNEL32(?,00000000,?,00F91449,?,?,00000000), ref: 00F91830
DuplicateHandle.KERNEL32(00000000,?,00F91449,?,?,00000000), ref: 00F91833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F91449,?,?,00000000), ref: 00F91843
GetCurrentProcess.KERNEL32(00F91449,00000000,?,00F91449,?,?,00000000), ref: 00F9184B
DuplicateHandle.KERNEL32(00000000,?,00F91449,?,?,00000000), ref: 00F9184E
CreateThread.KERNEL32(00000000,00000000,00F91874,00000000,00000000,00000000), ref: 00F91868

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: a6ff852a584debf8b280a1b93f07f61544b7bf7f27ea8643a0dac64e7113351d
Instruction ID: ce7ccccbcb21f1b545234fb10912bfb16a0afcd3dacd343759382562c9b13e96
Opcode Fuzzy Hash: a6ff852a584debf8b280a1b93f07f61544b7bf7f27ea8643a0dac64e7113351d
Instruction Fuzzy Hash: 6F01BFB5240348BFE710AB66DD4EF5B3B6CEB89B11F044411FA05DB192C6759800DB60

Function 00FBA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00F9D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00F9D501
Part of subcall function 00F9D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00F9D50F
Part of subcall function 00F9D4DC: CloseHandle.KERNEL32(00000000), ref: 00F9D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FBA16D
GetLastError.KERNEL32 ref: 00FBA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FBA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00FBA268
GetLastError.KERNEL32(00000000), ref: 00FBA273
CloseHandle.KERNEL32(00000000), ref: 00FBA2C4

Strings

SeDebugPrivilege, xrefs: 00FBA18F

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 52dd98e2366e14d98656f295b29992a76f235aba22db7b672c65af3d784cdeb5
Instruction ID: b02c4c8c95f4d0adeb9e1e462024e4247f1767a7260c913005f0d4fb3ff40372
Opcode Fuzzy Hash: 52dd98e2366e14d98656f295b29992a76f235aba22db7b672c65af3d784cdeb5
Instruction Fuzzy Hash: 6161A131604242AFD720DF19C895F55BBE1AF44328F18849CE46A8BBA3C776EC45DF92

Function 00F9BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F9BCFD
IsMenu.USER32(00000000), ref: 00F9BD1D
CreatePopupMenu.USER32 ref: 00F9BD53
GetMenuItemCount.USER32(01165C80), ref: 00F9BDA4
InsertMenuItemW.USER32(01165C80,?,00000001,00000030), ref: 00F9BDCC

Strings

2, xrefs: 00F9BD37
0, xrefs: 00F9BCA8

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: cba4152e251c85fdccad1f063f6a823e8c4f63a883ce65b0e481dcce89cf3f9e
Instruction ID: 0e61719ab0a0819842d873e2f3b089500d1b598d690836901d0e568f4a3cf600
Opcode Fuzzy Hash: cba4152e251c85fdccad1f063f6a823e8c4f63a883ce65b0e481dcce89cf3f9e
Instruction Fuzzy Hash: 2C51D170A00209DBFF11CFA9EA88BAEBBF4FF45324F14411AE405D7290D7749941EB91

Function 00F9C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00F9C913

Strings

info, xrefs: 00F9C8B4
stop, xrefs: 00F9C8E4
blank, xrefs: 00F9C895
warning, xrefs: 00F9C8FC
question, xrefs: 00F9C8CC

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: d418944562558cc12c77e9038faa1a4574b3bf4dd51b8a84a5ff8c6afae70c38
Instruction ID: 827c8d7fe599e0b04276fd26ba134b590669fcabfa8be543fef3a14bcc821457
Opcode Fuzzy Hash: d418944562558cc12c77e9038faa1a4574b3bf4dd51b8a84a5ff8c6afae70c38
Instruction Fuzzy Hash: 59110033A8930ABAFF056B549C83DAA7B9CDF15769B10002AF604E6192DB74AD4073E5

Function 00F9DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00F9DE42
gethostname.WSOCK32(?,00000100), ref: 00F9DE5C
gethostbyname.WSOCK32(?), ref: 00F9DE69
inet_ntoa.WSOCK32(?), ref: 00F9DEAB
_strcat.LIBCMT ref: 00F9DEB9
WSACleanup.WSOCK32 ref: 00F9DEDE

Strings

0.0.0.0, xrefs: 00F9DE87

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 1cdc6ed60ce5a52880f22f52fe755e6df12b3b95dc4048a9ea1580f552850f8c
Instruction ID: d34fa532e441afb71486a62143c4ec39690239e0a56ebedc6d9167006e734e9e
Opcode Fuzzy Hash: 1cdc6ed60ce5a52880f22f52fe755e6df12b3b95dc4048a9ea1580f552850f8c
Instruction Fuzzy Hash: C4113671800109ABDF24BB60DC0BEEF37ACDF10721F110169F50997091EF749A84BAA0

Function 00F9ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00F9ED2A
_wcslen.LIBCMT ref: 00F9ED3B
_wcslen.LIBCMT ref: 00F9ED79
_wcslen.LIBCMT ref: 00F9EDAF
_wcslen.LIBCMT ref: 00F9EDDF
_wcslen.LIBCMT ref: 00F9EDEF
_wcslen.LIBCMT ref: 00F9EE2B
_wcslen.LIBCMT ref: 00F9EE5A

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: a0f7e5e9f7d4d00d0b9771717efb8663b4049cd28b6b057da1f1a6c38c6e415c
Instruction ID: 39171252ec8f187d48992d126f802ad34ea456cae342bf39270cdf8da945fd72
Opcode Fuzzy Hash: a0f7e5e9f7d4d00d0b9771717efb8663b4049cd28b6b057da1f1a6c38c6e415c
Instruction Fuzzy Hash: A941B265C1021875DF11EBF48C8A9CFB7B8EF45311F508466EA18E3122FB38E249D3A5

Function 00F4F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,?,?,?,?,00000005,?,?,00F4F8B0,00000005,00000000), ref: 00F4F953
ShowWindow.USER32(FFFFFFFF,00000006,?,?,?,?,00000005,?,?,00F4F8B0,00000005,00000000), ref: 00F8F3D1
ShowWindow.USER32(FFFFFFFF,?,?,?,?,?,00000005,?,?,00F4F8B0,00000005,00000000), ref: 00F8F454

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: bf60cd3a61fe0f655412e55c30edb87e4501d8894395e3537eb113ebb6c109e6
Instruction ID: ff0cd6909c41fd8ee0396dabbab53e08f7effb3d49b604922d9575ab560d859b
Opcode Fuzzy Hash: bf60cd3a61fe0f655412e55c30edb87e4501d8894395e3537eb113ebb6c109e6
Instruction Fuzzy Hash: 9E413B31A18640BED7399F28CD88B6A7F91AF56320F14443DE88F53660C732A888FB51

Function 00FC2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00FC2D1B
GetDC.USER32(00000000), ref: 00FC2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FC2D2E
ReleaseDC.USER32(00000000,00000000), ref: 00FC2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00FC2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00FC2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00FC5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00FC2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00FC2DE1

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 5b3de7f600d99fa2f699bbd0c12e164d7ad65a2bc6f29f56a1086ddbb73076cf
Instruction ID: 1df263becc5009b442f24b95207ba55718f795c6955a319820b7bee4ee98c451
Opcode Fuzzy Hash: 5b3de7f600d99fa2f699bbd0c12e164d7ad65a2bc6f29f56a1086ddbb73076cf
Instruction Fuzzy Hash: 3B318B72201214BFEB118F548E8AFEB3BA9EF59721F084055FE099B291C6759C41DBA0

Function 00F95622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00F95637
_memcmp.LIBVCRUNTIME ref: 00F95659
_memcmp.LIBVCRUNTIME ref: 00F95671
_memcmp.LIBVCRUNTIME ref: 00F95684
_memcmp.LIBVCRUNTIME ref: 00F9569E
_memcmp.LIBVCRUNTIME ref: 00F956B1
_memcmp.LIBVCRUNTIME ref: 00F956C9
_memcmp.LIBVCRUNTIME ref: 00F956E4

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 0f07bcf1d6cb21f5e8eab80baf54bbc3e85b81d8f5ba53ac9ee75cfb7d3ecc93
Instruction ID: 83d55d4e5326150de52a84ca164190786bada12305a5a498d99994093df9cc15
Opcode Fuzzy Hash: 0f07bcf1d6cb21f5e8eab80baf54bbc3e85b81d8f5ba53ac9ee75cfb7d3ecc93
Instruction Fuzzy Hash: 52213A62F4090A77FA159D208E93FBA734DBF51B91F400024FE049A541F724FE18B7A6

Function 00FB4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00FB502E, 00FB5383
Not an Object type, xrefs: 00FB5007

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 44101eb7786fbb970139b5d3724655a22747fd81021fb3c89fc287d3e02f26fd
Instruction ID: e67c65d8a13b8ca435ddd919b18ac7848cb12bfe9e7744cc8c47259162e6f17b
Opcode Fuzzy Hash: 44101eb7786fbb970139b5d3724655a22747fd81021fb3c89fc287d3e02f26fd
Instruction Fuzzy Hash: 1BD1EC71A0060AAFDF10DFA9C880BEEB7B5BF48754F148069E915AB280E774DD45DFA0

Function 00F71522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00F715CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00F71651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F716E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00F716FB

Part of subcall function 00F63820: RtlAllocateHeap.NTDLL(00000000,?,01001444,?,00F4FDF5,?,?,00F3A976,00000010,01001440,00F313FC,?,00F313C6,?,00F31129), ref: 00F63852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F71777
__freea.LIBCMT ref: 00F717A2
__freea.LIBCMT ref: 00F717AE

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 9fb93cf540668aa19f5110a743e8f913f88fe02be32ba3005e4d76b080ecde18
Instruction ID: c355d6a0854e5fef48adfa5a83f3fd6fa7b75be8c114fd17bc4825693d8c5b1b
Opcode Fuzzy Hash: 9fb93cf540668aa19f5110a743e8f913f88fe02be32ba3005e4d76b080ecde18
Instruction Fuzzy Hash: 2C91E972E002165ADF288E7CCC41EEE7BB5BF45720F18865AE809E7140D735DD49E7A2

Function 00FB4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FB4648
VariantInit.OLEAUT32(?), ref: 00FB4749
VariantClear.OLEAUT32(?), ref: 00FB4753
VariantClear.OLEAUT32(?), ref: 00FB47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00FB472C
Null Object assignment in FOR..IN loop, xrefs: 00FB45D8, 00FB4706, 00FB47BE

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 312d84e09f280afffc34c17b6098f924fe9da3761646bae1de57daaead6957c3
Instruction ID: 58adcbcaa3e07216c8e19873b7213d93130a4f85e21e5a84d83824af8c521fe0
Opcode Fuzzy Hash: 312d84e09f280afffc34c17b6098f924fe9da3761646bae1de57daaead6957c3
Instruction Fuzzy Hash: CA918271E00219ABDF20CF66C944FEEBBB9AF45720F108559E505AB282D770A945DFA0

Function 00FA1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00FA125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00FA1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00FA12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FA12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FA135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FA13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FA1430

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 5128f450fba227871a9a28dc9eaea11ff6983f7edfd78113ae10de96c6f6e317
Instruction ID: fac13f3e811d0e54b938b7b9a742abac063dc05f1aec0379687a03ebeb524c2b
Opcode Fuzzy Hash: 5128f450fba227871a9a28dc9eaea11ff6983f7edfd78113ae10de96c6f6e317
Instruction Fuzzy Hash: 9691E6B1E002099FDB00DF98C885BBE77B5FF46325F164029E941EB291D778E945EB90

Function 00F4948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 5dae07ea525b743813cd26840e974860c7ea799bac5a0f18f93977ed48b7846a
Instruction ID: 88fa6172958918ca1419e835d425b4355d02cf37769c299c72b3d5da56e6afef
Opcode Fuzzy Hash: 5dae07ea525b743813cd26840e974860c7ea799bac5a0f18f93977ed48b7846a
Instruction Fuzzy Hash: 01912871E44219AFCB10DFA9CC84AEEBFB8FF49320F244159E915B7251D378A941EB60

Function 00FB3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FB396B
CharUpperBuffW.USER32(?,?), ref: 00FB3A7A
_wcslen.LIBCMT ref: 00FB3A8A
VariantClear.OLEAUT32(?), ref: 00FB3C1F

Part of subcall function 00FA0CDF: VariantInit.OLEAUT32(00000000), ref: 00FA0D1F
Part of subcall function 00FA0CDF: VariantCopy.OLEAUT32(?,?), ref: 00FA0D28
Part of subcall function 00FA0CDF: VariantClear.OLEAUT32(?), ref: 00FA0D34

Strings

AUTOIT.ERROR, xrefs: 00FB3A80, 00FB3A85
Incorrect Parameter format, xrefs: 00FB39A6, 00FB3BA1

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 0989ea8c6d0c7ccda54a1fd939b6ac90b6ab5bb8f30e450c8a70efcfee0b44ae
Instruction ID: 94c5b8781c4eff2b0e30bac6a968ff606a1de6f42630eacc59e5225866a13ce3
Opcode Fuzzy Hash: 0989ea8c6d0c7ccda54a1fd939b6ac90b6ab5bb8f30e450c8a70efcfee0b44ae
Instruction Fuzzy Hash: 47913675A083059FC704EF25C88196AB7E5BF88324F14892DF88997351DB34EE45EF92

Function 00FB4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00F9000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F8FF41,80070057,?,?,?,00F9035E), ref: 00F9002B
Part of subcall function 00F9000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F8FF41,80070057,?,?), ref: 00F90046
Part of subcall function 00F9000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F8FF41,80070057,?,?), ref: 00F90054
Part of subcall function 00F9000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F8FF41,80070057,?), ref: 00F90064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00FB4C51
_wcslen.LIBCMT ref: 00FB4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00FB4DCF
CoTaskMemFree.OLE32(?), ref: 00FB4DDA

Strings

NULL Pointer assignment, xrefs: 00FB4E23, 00FB4E52

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: b0e300ec7ef065fcbbc514f1caa359b92cda2067cc70a2616502c603e42cc0b0
Instruction ID: e30c6d2a873ff69eb17a38e74bf793399945412841a283dac941502e25bc3fdf
Opcode Fuzzy Hash: b0e300ec7ef065fcbbc514f1caa359b92cda2067cc70a2616502c603e42cc0b0
Instruction Fuzzy Hash: AE911671D0021DAFDF14DFA5CC91AEEB7B8BF48310F108169E915A7291DB74AA44EFA0

Function 00FC20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00FC2183
GetMenuItemCount.USER32(00000000), ref: 00FC21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00FC21DD
_wcslen.LIBCMT ref: 00FC2213
GetMenuItemID.USER32(?,?), ref: 00FC224D
GetSubMenu.USER32(?,?), ref: 00FC225B

Part of subcall function 00F93A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F93A57
Part of subcall function 00F93A3D: GetCurrentThreadId.KERNEL32 ref: 00F93A5E
Part of subcall function 00F93A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00F925B3), ref: 00F93A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00FC22E3

Part of subcall function 00F9E97B: Sleep.KERNEL32 ref: 00F9E9F3

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: c8992d118db4b69f63e474608d94486fd79e16d8c80a5f80da998ef943ff92b9
Instruction ID: fca90c13dc46fdff3ec4498fa4246aea8f6052bb9046697920af51f5db19a856
Opcode Fuzzy Hash: c8992d118db4b69f63e474608d94486fd79e16d8c80a5f80da998ef943ff92b9
Instruction Fuzzy Hash: 40718E75E00206AFDB54EF64C942FAEB7F1EF48320F148459E816EB341D738AD41AB90

Function 00FC7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01165B40), ref: 00FC7F37
IsWindowEnabled.USER32(01165B40), ref: 00FC7F43
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00FC801E
SendMessageW.USER32(01165B40,000000B0,?,?), ref: 00FC8051
IsDlgButtonChecked.USER32(?,?), ref: 00FC8089
GetWindowLongW.USER32(01165B40,000000EC), ref: 00FC80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00FC80C3

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: a7c9d5c89eb35499d845a01c9883ac1d155b951869c30c00dbbafd3939fd442d
Instruction ID: bd51882eb656ea21542f2eafa2c4330420c1156ea6f0821bb3e8b6c3fda23153
Opcode Fuzzy Hash: a7c9d5c89eb35499d845a01c9883ac1d155b951869c30c00dbbafd3939fd442d
Instruction Fuzzy Hash: 0C71BF34A08346AFEB21AF64CEC6FAABBB5EF09360F14005DE95553251CB31A845FF90

Function 00F9AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00F9AEF9
GetKeyboardState.USER32(?), ref: 00F9AF0E
SetKeyboardState.USER32(?), ref: 00F9AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00F9AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00F9AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00F9AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00F9B020

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 898a758c5ab2a417faf40bc7f9c8a9331b514608025077334aed0470737c4a35
Instruction ID: 1d9dd83d8c2c3e31ea27f98fc55a4fae7bebcd8fd7e38b04e582f279ec8b4e92
Opcode Fuzzy Hash: 898a758c5ab2a417faf40bc7f9c8a9331b514608025077334aed0470737c4a35
Instruction Fuzzy Hash: C851D1A1A047D53DFF3743348D49BBABEA95B06318F088589E1D9458D2C3D9ACC8F791

Function 00F9ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00F9AD19
GetKeyboardState.USER32(?), ref: 00F9AD2E
SetKeyboardState.USER32(?), ref: 00F9AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00F9ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00F9ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00F9AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00F9AE38

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 42d1c60442cb784ff7be0458aa38a04342d56bbe6c1db5310b3b2ab3c7444861
Instruction ID: c41996d84e70317f353046b2aaca43859b5f1397a88bf9c91e99b7c4ed3d5c84
Opcode Fuzzy Hash: 42d1c60442cb784ff7be0458aa38a04342d56bbe6c1db5310b3b2ab3c7444861
Instruction Fuzzy Hash: CC51D5A1D047D53DFF3793358C55B7A7EA85B46310F088489E1D9468C2D294EC98F7D2

Function 00F6542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00F73CD6,?,?,?,?,?,?,?,?,00F65BA3,?,?,00F73CD6,?,?), ref: 00F65470
__fassign.LIBCMT ref: 00F654EB
__fassign.LIBCMT ref: 00F65506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00F73CD6,00000005,00000000,00000000), ref: 00F6552C
WriteFile.KERNEL32(?,00F73CD6,00000000,00F65BA3,00000000,?,?,?,?,?,?,?,?,?,00F65BA3,?), ref: 00F6554B
WriteFile.KERNEL32(?,?,00000001,00F65BA3,00000000,?,?,?,?,?,?,?,?,?,00F65BA3,?), ref: 00F65584

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: d42a9af1b3bf286618d9fbeed2ab7ebaf2030c7a0ba37f7a5818f2655aa06e73
Instruction ID: 4d5c1456a2f136d58c50f59d9c43b0430267d5aa722060bf6fa8a63f0cee9254
Opcode Fuzzy Hash: d42a9af1b3bf286618d9fbeed2ab7ebaf2030c7a0ba37f7a5818f2655aa06e73
Instruction Fuzzy Hash: B851DFB1E006499FDB10CFA8D846AEEBBF9EF08710F18411EF946F3291D6309A41DB60

Function 00F52D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00F52D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00F52D53
_ValidateLocalCookies.LIBCMT ref: 00F52DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00F52E0C
_ValidateLocalCookies.LIBCMT ref: 00F52E61

Strings

csm, xrefs: 00F52DF6

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: c8a663c2390f4e43e973773d04606ebb373973cc707460d5bfb0aeef2f00cc0f
Instruction ID: aa77299c459bc567a4c195cc1a1f228f1b5d5abc269d3407529d1dcd09fce808
Opcode Fuzzy Hash: c8a663c2390f4e43e973773d04606ebb373973cc707460d5bfb0aeef2f00cc0f
Instruction Fuzzy Hash: 9041E834E002089BCF10DF68CC45A9EBBB5BF46326F148255EE146B352D735DA09EBD0

Function 00FB10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FB307A
Part of subcall function 00FB304E: _wcslen.LIBCMT ref: 00FB309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00FB1112
WSAGetLastError.WSOCK32 ref: 00FB1121
WSAGetLastError.WSOCK32 ref: 00FB11C9
closesocket.WSOCK32(00000000), ref: 00FB11F9

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 2a0ef10c9c87fd122812cc3daeea518ef75f3952ad7f2137a419058c82276be4
Instruction ID: b5c976218307d2e1381e8cb5b95845b53b58bca90738b4a8aba6aaf5840bd138
Opcode Fuzzy Hash: 2a0ef10c9c87fd122812cc3daeea518ef75f3952ad7f2137a419058c82276be4
Instruction Fuzzy Hash: 5D41D036600208AFDB109F29CC95BEABBA9FF45364F148059F909AB291C774AD41DFE0

Function 00F9CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F9DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F9CF22,?), ref: 00F9DDFD

Part of subcall function 00F9DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F9CF22,?), ref: 00F9DE16

lstrcmpiW.KERNEL32(?,?), ref: 00F9CF45
MoveFileW.KERNEL32(?,?), ref: 00F9CF7F
_wcslen.LIBCMT ref: 00F9D005
_wcslen.LIBCMT ref: 00F9D01B
SHFileOperationW.SHELL32(?), ref: 00F9D061

Strings

\*.*, xrefs: 00F9CFF3

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 44f0a99d364e1bc74ef17fc3219208d88c95d082609533be5bf813fa61762c59
Instruction ID: 798038c7c8da9977500c7a0a1551f0061b0ee4cc95e207464b4c97a01ba858f4
Opcode Fuzzy Hash: 44f0a99d364e1bc74ef17fc3219208d88c95d082609533be5bf813fa61762c59
Instruction Fuzzy Hash: 0F415871D051185FEF12EBA4DD81EDDB7B8AF04384F1000E6E509E7141EA74A688DB50

Function 00FC2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00FC2E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00FC2E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00FC2E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00FC2EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00FC2EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00FC2EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00FC2F0B

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: a6bac163865a9f5be888c63df0f3e06919d170a28ccf99a38b944aaf13c2a55c
Instruction ID: 8cffeba59296894baebce81cd110e9f7d85ad5971e7da97e64dee41f5b893d1d
Opcode Fuzzy Hash: a6bac163865a9f5be888c63df0f3e06919d170a28ccf99a38b944aaf13c2a55c
Instruction Fuzzy Hash: 6D311931A04156AFDB61DF58DE86FA537E1FB4A720F150168F9449F2A1CB72EC40EB41

Function 00F97726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F97769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F9778F
SysAllocString.OLEAUT32(00000000), ref: 00F97792
SysAllocString.OLEAUT32(?), ref: 00F977B0
SysFreeString.OLEAUT32(?), ref: 00F977B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00F977DE
SysAllocString.OLEAUT32(?), ref: 00F977EC

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: f8e6235b0db88bcd2ed4a0cbd4bc709ea414c0c2789b7c63a6d3e45ee21c786c
Instruction ID: cc796317202ed4ff2e8db7fd06cc56a432131a937b43d5ef1d38b84e603ce071
Opcode Fuzzy Hash: f8e6235b0db88bcd2ed4a0cbd4bc709ea414c0c2789b7c63a6d3e45ee21c786c
Instruction Fuzzy Hash: 9F21C476A04319AFEF10EFE9CC89DBB77ACEB093647048025F908DB150D670DC45A7A1

Function 00F977FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F97842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F97868
SysAllocString.OLEAUT32(00000000), ref: 00F9786B
SysAllocString.OLEAUT32 ref: 00F9788C
SysFreeString.OLEAUT32 ref: 00F97895
StringFromGUID2.OLE32(?,?,00000028), ref: 00F978AF
SysAllocString.OLEAUT32(?), ref: 00F978BD

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 64c239070df873630eada7400e4d7362ba8cd975b436ce56503a95b72c6157af
Instruction ID: 897c6a86ecf36a18a5b75055c2d706635aae71ff2ecb935f3ba1f0e7d60c4c9d
Opcode Fuzzy Hash: 64c239070df873630eada7400e4d7362ba8cd975b436ce56503a95b72c6157af
Instruction Fuzzy Hash: E4217731A14308AFEF10EFA8DC89DAA77ECFB097607148125F915CB1A1D674DC41DB64

Function 00FA04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00FA04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FA052E

Strings

nul, xrefs: 00FA0567

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: a48ff1ec74a7bdbbc197a68f0ee333138bf94b1f32c0cb059dbcc114a097e150
Instruction ID: f21d93a65fe0dc82b1eb36043876e90b48503e1c300d1c159a3db5e3d67f4d1e
Opcode Fuzzy Hash: a48ff1ec74a7bdbbc197a68f0ee333138bf94b1f32c0cb059dbcc114a097e150
Instruction Fuzzy Hash: 782191B5D003059FDB208F29EC05A9A7BB4AF46760F244A18E8A1D31E0DB709940EF60

Function 00FA05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00FA05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FA0601

Strings

nul, xrefs: 00FA0639

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 42503efe5c6855636095ae7789e8034aad8362f63c81a9c2e836c23228e6679d
Instruction ID: df54424ff4cd0ed0065d456441b41f135855c0deb3ebef8f1fe7c4f48069cf96
Opcode Fuzzy Hash: 42503efe5c6855636095ae7789e8034aad8362f63c81a9c2e836c23228e6679d
Instruction Fuzzy Hash: FD2183B59003059FDB209F69AC05E9A77F4BF96734F200A19F9A1E73E0DB719860EB50

Function 00F6D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F6D7A3: _free.LIBCMT ref: 00F6D7CC

_free.LIBCMT ref: 00F6D82D

Part of subcall function 00F629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F6D7D1,00000000,00000000,00000000,00000000,?,00F6D7F8,00000000,00000007,00000000,?,00F6DBF5,00000000), ref: 00F629DE
Part of subcall function 00F629C8: GetLastError.KERNEL32(00000000,?,00F6D7D1,00000000,00000000,00000000,00000000,?,00F6D7F8,00000000,00000007,00000000,?,00F6DBF5,00000000,00000000), ref: 00F629F0

_free.LIBCMT ref: 00F6D838
_free.LIBCMT ref: 00F6D843
_free.LIBCMT ref: 00F6D897
_free.LIBCMT ref: 00F6D8A2
_free.LIBCMT ref: 00F6D8AD
_free.LIBCMT ref: 00F6D8B8

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: d650bb73ab1b75fc19b729ebf519ff975ed6d7710430088d82a6002db4b53f5d
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: F4115B71B40B04AADA25BFB0CC47FCB7BFCAF40740F440825B299A6092DA69B505B662

Function 00F9DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00F9DA74
LoadStringW.USER32(00000000), ref: 00F9DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00F9DA91
LoadStringW.USER32(00000000), ref: 00F9DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F9DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00F9DAB9

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 23d4a50ed12875d37a6ab0c047a63d2119aab1a315a33966e0655725abe4506d
Instruction ID: df3d85e96833a06ef0b816e6c9763479e904a114061c589aa2b3f0e94be33267
Opcode Fuzzy Hash: 23d4a50ed12875d37a6ab0c047a63d2119aab1a315a33966e0655725abe4506d
Instruction Fuzzy Hash: 280117F650020C7FEB11EBA49E8AEE7766CDB04701F404455F749E2041EA749E856F75

Function 00FA096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0115DAC0,0115DAC0), ref: 00FA097B
EnterCriticalSection.KERNEL32(0115DAA0,00000000), ref: 00FA098D
TerminateThread.KERNEL32(0115DAB8,000001F6), ref: 00FA099B
WaitForSingleObject.KERNEL32(0115DAB8,000003E8), ref: 00FA09A9
CloseHandle.KERNEL32(0115DAB8), ref: 00FA09B8
InterlockedExchange.KERNEL32(0115DAC0,000001F6), ref: 00FA09C8
LeaveCriticalSection.KERNEL32(0115DAA0), ref: 00FA09CF

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 5a2c2b89bcbfcde72cf81ccc04067a09d1a0f38b106c0385c0904bc696f4baed
Instruction ID: b13c9852d3bcff426178ce099224bb39a5ff3944b79f181bebb6ce438f9e4f68
Opcode Fuzzy Hash: 5a2c2b89bcbfcde72cf81ccc04067a09d1a0f38b106c0385c0904bc696f4baed
Instruction Fuzzy Hash: 5DF01972442A06BBD7415BA4EF8AED6BA39FF06712F402025F206928A0CB759465EFD0

Function 00F35D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00F35D30
GetWindowRect.USER32(?,?), ref: 00F35D71
ScreenToClient.USER32(?,?), ref: 00F35D99
GetClientRect.USER32(?,?), ref: 00F35ED7
GetWindowRect.USER32(?,?), ref: 00F35EF8

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 69886b21d9eb3343aab4e6884466c18856ac9cdef58e31bb6452c2d0665d696a
Instruction ID: 0fcf1b24f651401454c33e10509d9f3dc5aa27d8b27c127de2a66b2f337702f8
Opcode Fuzzy Hash: 69886b21d9eb3343aab4e6884466c18856ac9cdef58e31bb6452c2d0665d696a
Instruction Fuzzy Hash: 0DB17A35A0074ADBDB10CFA9C5807EEB7F1FF48320F14841AE8A9D7250DB34AA91EB55

Function 00F601B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00F600BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F600D6
__allrem.LIBCMT ref: 00F600ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F6010B
__allrem.LIBCMT ref: 00F60122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F60140

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 58678b1a9af3c042052dfda87c743ecbaf68b50661eb5899ee5a7509716764ac
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 0581F672A00706ABE7249F78CC41B6B73E9AF42334F24463AF951D7681EB74D948B790

Function 00FB1D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB3149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,00FB101C,00000000,?,?,00000000), ref: 00FB3195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00FB1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00FB1DE1
WSAGetLastError.WSOCK32 ref: 00FB1DF2
inet_ntoa.WSOCK32(?), ref: 00FB1E8C
htons.WSOCK32(?,?,?,?,?), ref: 00FB1EDB
_strlen.LIBCMT ref: 00FB1F35

Part of subcall function 00F939E8: _strlen.LIBCMT ref: 00F939F2

Part of subcall function 00F36D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00F4CF58,?,?,?), ref: 00F36DBA
Part of subcall function 00F36D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00F4CF58,?,?,?), ref: 00F36DED

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 8327ebaad63b5c93e2f4315cf800812d658ec9ae6b2605f9bd340134848d98d6
Instruction ID: f411383df65eccaf937b0551690ec13984b6095cd45aa47dce3ac0df2f8387cd
Opcode Fuzzy Hash: 8327ebaad63b5c93e2f4315cf800812d658ec9ae6b2605f9bd340134848d98d6
Instruction Fuzzy Hash: 55A1E031604300AFC320DF21CCA5F6A7BA5BF84328F94894CF5565B2A2CB75ED46EB91

Function 00F661FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00F582D9,00F582D9,?,?,?,00F6644F,00000001,00000001,8BE85006), ref: 00F66258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00F6644F,00000001,00000001,8BE85006,?,?,?), ref: 00F662DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00F663D8
__freea.LIBCMT ref: 00F663E5

Part of subcall function 00F63820: RtlAllocateHeap.NTDLL(00000000,?,01001444,?,00F4FDF5,?,?,00F3A976,00000010,01001440,00F313FC,?,00F313C6,?,00F31129), ref: 00F63852

__freea.LIBCMT ref: 00F663EE
__freea.LIBCMT ref: 00F66413

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: f6a5a3dfacb4b755b3fbdcac2cea45d04834f8cc7e21b20d569e6b5817b809f9
Instruction ID: 661cffd7ce330cc872c56ed4ce8c86223a28083d6fdd07e81600f501186a2267
Opcode Fuzzy Hash: f6a5a3dfacb4b755b3fbdcac2cea45d04834f8cc7e21b20d569e6b5817b809f9
Instruction Fuzzy Hash: AE51C372A00216ABDF258F64DD82EBF77A9EF44760F15462AFC05D7240EB34DC44E6A0

Function 00FBBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

Part of subcall function 00FBC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FBB6AE,?,?), ref: 00FBC9B5
Part of subcall function 00FBC998: _wcslen.LIBCMT ref: 00FBC9F1
Part of subcall function 00FBC998: _wcslen.LIBCMT ref: 00FBCA68
Part of subcall function 00FBC998: _wcslen.LIBCMT ref: 00FBCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FBBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FBBD25
RegCloseKey.ADVAPI32(00000000), ref: 00FBBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00FBBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00FBBDF3
RegCloseKey.ADVAPI32(?), ref: 00FBBDFF

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 9d1da0831895c156659ddb46e8adf2092a642e7ee1aaf41ec2eebb25ec31b8e4
Instruction ID: 7d869a2b9a01da0c2bd4e7deedfe650e886c982b2a96a3cd6fa4d36ca040e6bd
Opcode Fuzzy Hash: 9d1da0831895c156659ddb46e8adf2092a642e7ee1aaf41ec2eebb25ec31b8e4
Instruction Fuzzy Hash: E381BC71608241AFC714DF25C881E6ABBE5FF84318F14895CF4998B2A2CB75ED05EF92

Function 00F8F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00F8F7B9
SysAllocString.OLEAUT32(00000001), ref: 00F8F860
VariantCopy.OLEAUT32(00F8FA64,00000000), ref: 00F8F889
VariantClear.OLEAUT32(00F8FA64), ref: 00F8F8AD
VariantCopy.OLEAUT32(00F8FA64,00000000), ref: 00F8F8B1
VariantClear.OLEAUT32(?), ref: 00F8F8BB

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: ea214a1cbdf64d1a2c5643def45322ee16266fd00839d183385769e461eb9403
Instruction ID: db98c6b59cd22b95452b3a137c449cc956cb3b4e92d049a2c02fd263c1ece836
Opcode Fuzzy Hash: ea214a1cbdf64d1a2c5643def45322ee16266fd00839d183385769e461eb9403
Instruction Fuzzy Hash: D751D932A00310BEDF14BF65DC96BA9B3A4EF45320F249466E905DF291DB748C48E7A6

Function 00FA910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00F37620: _wcslen.LIBCMT ref: 00F37625

Part of subcall function 00F36B57: _wcslen.LIBCMT ref: 00F36B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00FA94E5
_wcslen.LIBCMT ref: 00FA9506
_wcslen.LIBCMT ref: 00FA952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00FA9585

Strings

X, xrefs: 00FA9412

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 93d00e17fff04eccca06d6ebd704267e99e4f7d17d846ee5cae2f04ef2c26287
Instruction ID: fb3f2075051f50f42c67a6834994d7e0d2bb76a5c31450503cbe2922ea8c72be
Opcode Fuzzy Hash: 93d00e17fff04eccca06d6ebd704267e99e4f7d17d846ee5cae2f04ef2c26287
Instruction Fuzzy Hash: 4EE1A4719083409FC724DF24C881B6AB7E4BF85324F08856DF8899B2A2DB75ED05DB92

Function 00F4920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00F49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F49BB2

BeginPaint.USER32(?,?,?), ref: 00F49241
GetWindowRect.USER32(?,?), ref: 00F492A5
ScreenToClient.USER32(?,?), ref: 00F492C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00F492D3
EndPaint.USER32(?,?,?,?,?), ref: 00F49321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00F871EA

Part of subcall function 00F49339: BeginPath.GDI32(00000000), ref: 00F49357

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 0c246fef1cc3a881da84d4e74ebeea32ddd29bca5d46d24695972a2acfcb03e3
Instruction ID: 545b6b04968487f833eca11160505099abafa373a5eea883581d5b3943a866c9
Opcode Fuzzy Hash: 0c246fef1cc3a881da84d4e74ebeea32ddd29bca5d46d24695972a2acfcb03e3
Instruction Fuzzy Hash: 5B419131608301AFD721EF24CC89FBB7BA8EF46320F140269F998872E1C7759945EB61

Function 00FA07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00FA080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00FA0847
EnterCriticalSection.KERNEL32(?), ref: 00FA0863
LeaveCriticalSection.KERNEL32(?), ref: 00FA08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00FA08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00FA0921

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: aace6ead36f306f03ac2c42d19b69e1ca4382648410966ee2dda28674216b3d2
Instruction ID: 98d948fc84e3f77e3259e5ac559735b81e95e7d384df232913599d448724e8d6
Opcode Fuzzy Hash: aace6ead36f306f03ac2c42d19b69e1ca4382648410966ee2dda28674216b3d2
Instruction Fuzzy Hash: B7417C71900209EFDF149F54DC85AAAB7B8FF05310F1440A9ED049B297DB34DE65EBA4

Function 00FC81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000,?,?,?,?,00F86C2A), ref: 00FC824C
EnableWindow.USER32(00000000,00000000), ref: 00FC8272
ShowWindow.USER32(?,00000000,?,?,?,?,00F86C2A), ref: 00FC82D1
ShowWindow.USER32(00000000,00000004,?,?,?,?,00F86C2A), ref: 00FC82E5
EnableWindow.USER32(00000000,00000001), ref: 00FC830B
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00FC832F

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 9f2bfdf7c161bbfc78181579a81a0680b54aad369af3a07a06f4faaf45f96cbc
Instruction ID: ce1ed3d66f1645423ede8ba1bd3d08d3c20f4774d7f754127d66d38f2df23064
Opcode Fuzzy Hash: 9f2bfdf7c161bbfc78181579a81a0680b54aad369af3a07a06f4faaf45f96cbc
Instruction Fuzzy Hash: E341B934A01645EFDB22CF15CA8AFE47BE0FB06764F18516DE5484F262CB32A842EF50

Function 00F94C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00F94C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00F94CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00F94CEA
_wcslen.LIBCMT ref: 00F94D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00F94D10
_wcsstr.LIBVCRUNTIME ref: 00F94D1A

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: c7e6ec4d9607032f06afde41200f15c5a326b7e0a17badc23a5ec39fa2d67fbf
Instruction ID: ca75e8ab7f81fc78c8bc3ce2b6c9a834c93541015d93d3956fabb2b3480534a4
Opcode Fuzzy Hash: c7e6ec4d9607032f06afde41200f15c5a326b7e0a17badc23a5ec39fa2d67fbf
Instruction Fuzzy Hash: B4212936A042047BFF155B35ED0AE7B7F9CDF55760F10402AF809CB191EA65EC01B6A0

Function 00FA581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F33A97,?,?,00F32E7F,?,?,?,00000000), ref: 00F33AC2

_wcslen.LIBCMT ref: 00FA587B
CoInitialize.OLE32(00000000), ref: 00FA5995
CoCreateInstance.OLE32(00FCFCF8,00000000,00000001,00FCFB68,?), ref: 00FA59AE
CoUninitialize.OLE32 ref: 00FA59CC

Strings

.lnk, xrefs: 00FA5876, 00FA58C1, 00FA5985

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 696904c6f9f25b335417546040b45a6984a56e7b00d98044bad99af8be55b215
Instruction ID: 398e7affa00d16a19d5dc451be9adb73797cd8db24a4da124c3b4d8a889c699c
Opcode Fuzzy Hash: 696904c6f9f25b335417546040b45a6984a56e7b00d98044bad99af8be55b215
Instruction Fuzzy Hash: 0FD166B5A047019FC714DF25C880A2ABBE5FF8AB20F14885DF8899B361D735EC45DB92

Function 00F9175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F90FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F90FCA
Part of subcall function 00F90FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F90FD6
Part of subcall function 00F90FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F90FE5
Part of subcall function 00F90FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F90FEC
Part of subcall function 00F90FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F91002

GetLengthSid.ADVAPI32(?,00000000,00F91335), ref: 00F917AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00F917BA
HeapAlloc.KERNEL32(00000000), ref: 00F917C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00F917DA
GetProcessHeap.KERNEL32(00000000,00000000,00F91335), ref: 00F917EE
HeapFree.KERNEL32(00000000), ref: 00F917F5

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: df23123833eaaf32221ddbd2587828e9b75b719c07658df5561bf436fab36b5e
Instruction ID: 2d5236ad9d3c61401fbf0c4ffd48a6434aeefe81b675b53bc36e4f5c3c6a62e0
Opcode Fuzzy Hash: df23123833eaaf32221ddbd2587828e9b75b719c07658df5561bf436fab36b5e
Instruction Fuzzy Hash: 7911AC3290020AFFEF119FA5CD4AFAF7BA9FB41365F144028F44597221C739A940EBA0

Function 00F914CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00F914FF
OpenProcessToken.ADVAPI32(00000000), ref: 00F91506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00F91515
CloseHandle.KERNEL32(00000004), ref: 00F91520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F9154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00F91563

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: fa42eaaf1faaeb196f894ccd1dafbe2b027d180b4e63cc8b23bd98b57a74b9d6
Instruction ID: b9444e9c2cc4f2321ac5cd28b7d10830b69c4d2d6b8b850e792eac43d4afa2b1
Opcode Fuzzy Hash: fa42eaaf1faaeb196f894ccd1dafbe2b027d180b4e63cc8b23bd98b57a74b9d6
Instruction Fuzzy Hash: C5111A7250024EABEF12CF98DE49FDA7BA9FF49754F054025FA05A2060C3768E61AB60

Function 00F53382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00F53379,00F52FE5), ref: 00F53390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F5339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F533B7
SetLastError.KERNEL32(00000000,?,00F53379,00F52FE5), ref: 00F53409

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0c3c7c39c297814cfd10b2e4327c511d60e4356a88d768564804c1040825b960
Instruction ID: 8bfb04a77b69eb68bb435842096da64f7d912c9ac7fbddf3628a0db9fb5e17e4
Opcode Fuzzy Hash: 0c3c7c39c297814cfd10b2e4327c511d60e4356a88d768564804c1040825b960
Instruction Fuzzy Hash: B301B533A09329AEE615277C7D86A663E58DF053FB720022DFE10851F1EF554D0AB588

Function 00F62D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00F65686,00F73CD6,?,00000000,?,00F65B6A,?,?,?,?,?,00F5E6D1,?,00FF8A48), ref: 00F62D78
_free.LIBCMT ref: 00F62DAB
_free.LIBCMT ref: 00F62DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00F5E6D1,?,00FF8A48,00000010,00F34F4A,?,?,00000000,00F73CD6), ref: 00F62DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00F5E6D1,?,00FF8A48,00000010,00F34F4A,?,?,00000000,00F73CD6), ref: 00F62DEC
_abort.LIBCMT ref: 00F62DF2

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 81b5c04f40282a77e11b73b5c8bb2c8a2e9ac8b2965e1a88b8c004082194b095
Instruction ID: 0450a4dc0566e9defa97b2e03db9d944f721e227956adf8889668de538f9fe6b
Opcode Fuzzy Hash: 81b5c04f40282a77e11b73b5c8bb2c8a2e9ac8b2965e1a88b8c004082194b095
Instruction Fuzzy Hash: 43F0C832E05E1527C3923739BD16F6E356DAFC27B1F250519F828931D6EF28880272A0

Function 00FC8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00F49639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F49693
Part of subcall function 00F49639: SelectObject.GDI32(?,00000000), ref: 00F496A2
Part of subcall function 00F49639: BeginPath.GDI32(?), ref: 00F496B9
Part of subcall function 00F49639: SelectObject.GDI32(?,00000000), ref: 00F496E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00FC8A4E
LineTo.GDI32(?,00000003,00000000), ref: 00FC8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00FC8A70
LineTo.GDI32(?,00000000,00000003), ref: 00FC8A80
EndPath.GDI32(?), ref: 00FC8A90
StrokePath.GDI32(?), ref: 00FC8AA0

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 859806fb41bc43775542a447cae9e32963f06a0985b1308590483ff211a33c39
Instruction ID: f850df26a5e1e46ad96711fc6d2467278d67d361d4d15f59cba1a0654929e3b9
Opcode Fuzzy Hash: 859806fb41bc43775542a447cae9e32963f06a0985b1308590483ff211a33c39
Instruction Fuzzy Hash: AE11097644010DFFDB129F90DD89EAA7F6CEB08390F048016FA599A1A1C7729D55EFA0

Function 00F951FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00F95218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00F95229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F95230
ReleaseDC.USER32(00000000,00000000), ref: 00F95238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00F9524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00F95261

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 10969ddb90bba011222401d2698ee146da33a389b64b186db9b49753af71e373
Instruction ID: ca30bc7bf841b3472f23890a763e62255cb6f0aff9eff6ab1ce47ef195f88b6d
Opcode Fuzzy Hash: 10969ddb90bba011222401d2698ee146da33a389b64b186db9b49753af71e373
Instruction Fuzzy Hash: BB018475E01708BBEF105BA59D4AE4EBF78EB44751F044065FA08A7280D6709800DBA0

Function 00F31BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F31BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00F31BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F31C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F31C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00F31C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F31C22

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 8557dd3bb649fae0f15c8831364d3896f253883c04ae49aedb72e8a983dba543
Instruction ID: 37f0e19f2c8846bbb16a2589e9272c1a2b61fb8f43e42a892d8f83bb0facc490
Opcode Fuzzy Hash: 8557dd3bb649fae0f15c8831364d3896f253883c04ae49aedb72e8a983dba543
Instruction Fuzzy Hash: A50167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BE15C4BA42C7F5A864CBE5

Function 00F9EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00F9EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00F9EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00F9EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F9EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F9EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F9EB75

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: b277e2c5883c5243653607a608f67d736f93fe945957a66b9aacd779d35e36f8
Instruction ID: faf9e1b729c313b92347992b1ae5ad31732b55c6b5687c1153e93032cd32690c
Opcode Fuzzy Hash: b277e2c5883c5243653607a608f67d736f93fe945957a66b9aacd779d35e36f8
Instruction Fuzzy Hash: 29F03A72A4015CBBE7215B639E0EEEF3A7CEFCAB15F000158F609D2091D7A15A01EAF5

Function 00F91874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00F9187F
UnloadUserProfile.USERENV(?,?), ref: 00F9188B
CloseHandle.KERNEL32(?), ref: 00F91894
CloseHandle.KERNEL32(?), ref: 00F9189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00F918A5
HeapFree.KERNEL32(00000000), ref: 00F918AC

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 3386af84c6987b7fcaf6d9dcdab1511a72c274ea4820873ca94364af8a9bf220
Instruction ID: ef155633d59e276a5af5091e68882571fa7643a5aa355976980335e276226bd7
Opcode Fuzzy Hash: 3386af84c6987b7fcaf6d9dcdab1511a72c274ea4820873ca94364af8a9bf220
Instruction Fuzzy Hash: 87E0ED36404509BBDB015FA2EE0DD05BF39FF497217108220F22982471CB335420EF90

Function 00F9C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F37620: _wcslen.LIBCMT ref: 00F37625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F9C6EE
_wcslen.LIBCMT ref: 00F9C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F9C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00F9C7CA

Strings

0, xrefs: 00F9C6AF

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 54f3d2375ff3f7447dc281c4c9ff879cac4b2a0f70828a9204b9c62f55d8e647
Instruction ID: f92fb6b11d25ac4061ab42134f943a575ac20d3e6ea1e49fd1e1279f7d25fc3e
Opcode Fuzzy Hash: 54f3d2375ff3f7447dc281c4c9ff879cac4b2a0f70828a9204b9c62f55d8e647
Instruction Fuzzy Hash: D551AF71A043009BEB159F68C985B6B77E4AF89320F040A2DF999D31D1DB74D908EBD3

Function 00FBAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00FBAEA3

Part of subcall function 00F37620: _wcslen.LIBCMT ref: 00F37625

GetProcessId.KERNEL32(00000000), ref: 00FBAF38
CloseHandle.KERNEL32(00000000), ref: 00FBAF67

Strings

@, xrefs: 00FBAE72
<, xrefs: 00FBAE6B

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 8300382bb76bd4a280148996f2f5f9423d9da36d7fc95d912a4849207b14fc4d
Instruction ID: b597d7ee9e031a87c508b610e0b9cb2ac27562155db3c3164940831a52da74d6
Opcode Fuzzy Hash: 8300382bb76bd4a280148996f2f5f9423d9da36d7fc95d912a4849207b14fc4d
Instruction Fuzzy Hash: FB716975A00619DFCB14EF66C885A9EBBF0BF08320F048499E856AB352C774ED45EF91

Function 00F9719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00F97206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00F9723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00F9724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00F972CF

Strings

DllGetClassObject, xrefs: 00F97242

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: c25a12262ec1d93283289550d1a49275569e08ecbbe2edb180d77107b3c7426e
Instruction ID: 4665484bdf1e05574b8ed9f8ddc36e3201d0f12831aaae9a7737fbd19665e359
Opcode Fuzzy Hash: c25a12262ec1d93283289550d1a49275569e08ecbbe2edb180d77107b3c7426e
Instruction Fuzzy Hash: C4418D71A24304EFEF15DF54C885B9A7BA9EF44710F2480A9BD099F24AD7B0D944EFA0

Function 00FC3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FC3E35
IsMenu.USER32(?), ref: 00FC3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FC3E92
DrawMenuBar.USER32 ref: 00FC3EA5

Strings

0, xrefs: 00FC3D89

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 05cf3527c98872804c4296126f5d708a012feff35e43a020f6f12784f058ea2f
Instruction ID: 65ad72ca42df5c3d2570dcd54e174e692ee7b4189882b3e354946ebd2cd6a204
Opcode Fuzzy Hash: 05cf3527c98872804c4296126f5d708a012feff35e43a020f6f12784f058ea2f
Instruction Fuzzy Hash: 63414A75A0020AAFDB10DF50D985EAABBB5FF493A4F04812DF90597250D734EE49EFA0

Function 00F91DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

Part of subcall function 00F93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F93CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00F91E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00F91E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00F91EA9

Part of subcall function 00F36B57: _wcslen.LIBCMT ref: 00F36B6A

Strings

ListBox, xrefs: 00F91E25
ComboBox, xrefs: 00F91DF0

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 0d5daddd1490a381f3cec1807478d2c65e3684306c38be6fa1f1e7e7d0ba8b72
Instruction ID: 681a47ab4e912ac555ece12a0ece61b1a8561f213f8148c9a79e6d1e87b69cf1
Opcode Fuzzy Hash: 0d5daddd1490a381f3cec1807478d2c65e3684306c38be6fa1f1e7e7d0ba8b72
Instruction Fuzzy Hash: 4C213B75A00109BFEF14AB64DD46CFFB7B8EF45360F104129F919A71E1DB785909B620

Function 00F54D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00F54D1E,00F628E9,?,00F54CBE,00F628E9,00FF88B8,0000000C,00F54E15,00F628E9,00000002), ref: 00F54D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F54DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00F54D1E,00F628E9,?,00F54CBE,00F628E9,00FF88B8,0000000C,00F54E15,00F628E9,00000002,00000000), ref: 00F54DC3

Strings

CorExitProcess, xrefs: 00F54D98
mscoree.dll, xrefs: 00F54D86

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: e51c13866f658861d9d2873d5f43be678a4299c399d35df78ead9835ba72d9f5
Instruction ID: 12350ae1fd9e3c98157d1d052510587eafdf9d2dd3ca097311f0c99613e7c113
Opcode Fuzzy Hash: e51c13866f658861d9d2873d5f43be678a4299c399d35df78ead9835ba72d9f5
Instruction Fuzzy Hash: 7BF0813090020CABDB109B90DD0AFADBBB5EF04716F040155ED09A3250CF349984EAD1

Function 00F34E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F34EDD,?,01001418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F34E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F34EAE
FreeLibrary.KERNEL32(00000000,?,?,00F34EDD,?,01001418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F34EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00F34EA8
kernel32.dll, xrefs: 00F34E94

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 09484a0c0c73b445ebc1331bc67daf69b3493894139f3d7dc65df07184c2418c
Instruction ID: b215839a817e5f5c46ce1eb0e0df179e8000a55ac2bb1b41372e909a1b840b8f
Opcode Fuzzy Hash: 09484a0c0c73b445ebc1331bc67daf69b3493894139f3d7dc65df07184c2418c
Instruction Fuzzy Hash: 98E08635E015225BD22117266C1AF6B7554AFC1B72B0D0115FD08D3120DB60ED4260E1

Function 00F34E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F73CDE,?,01001418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F34E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F34E74
FreeLibrary.KERNEL32(00000000,?,?,00F73CDE,?,01001418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F34E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00F34E6E
kernel32.dll, xrefs: 00F34E5B

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: f45ff7c2d87c046ac400204faae754e08b896d94e639111b7c70538ed378b6ae
Instruction ID: 8728d81927d4be91d1e1972a42dc781d1ec228600e57f7cdcfc1caa6b9e10817
Opcode Fuzzy Hash: f45ff7c2d87c046ac400204faae754e08b896d94e639111b7c70538ed378b6ae
Instruction Fuzzy Hash: C0D0C232D026225786221B26AC0AE8B3A18AF81F3530D0115F908A3114CF20ED42B1D0

Function 00FBA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00FBA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00FBA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00FBA468
CloseHandle.KERNEL32(?), ref: 00FBA63D

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: a2f6f8bba3840cb6b0fa7878bd2016296a228ecc3b357cd6cfd79379874716a9
Instruction ID: 44cda2fed4d5aa9d6418713f416045908ba8535090108cd479edfeb33c9e1bde
Opcode Fuzzy Hash: a2f6f8bba3840cb6b0fa7878bd2016296a228ecc3b357cd6cfd79379874716a9
Instruction Fuzzy Hash: 4CA1A271604300AFD720DF25C886F2AB7E5AF44724F14881DFA9A9B392DB74EC419F92

Function 00F9E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F9DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F9CF22,?), ref: 00F9DDFD

Part of subcall function 00F9DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F9CF22,?), ref: 00F9DE16

Part of subcall function 00F9E199: GetFileAttributesW.KERNEL32(?,00F9CF95), ref: 00F9E19A

lstrcmpiW.KERNEL32(?,?), ref: 00F9E473
MoveFileW.KERNEL32(?,?), ref: 00F9E4AC
_wcslen.LIBCMT ref: 00F9E5EB
_wcslen.LIBCMT ref: 00F9E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00F9E650

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: ce8a98f9d61d7508ecd2e7261a222bde4605937f2eb7413e9f0ecb4a19a7a268
Instruction ID: 309144dd3c8ce6b9aa4ac0b8fab9c391aa56b027abedbcf6f232142fd57ce621
Opcode Fuzzy Hash: ce8a98f9d61d7508ecd2e7261a222bde4605937f2eb7413e9f0ecb4a19a7a268
Instruction Fuzzy Hash: 9D5192B24083459BDB24DBA4DC819DF73ECAF84350F00491EF689D3191EF79A588D766

Function 00FBB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

Part of subcall function 00FBC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FBB6AE,?,?), ref: 00FBC9B5
Part of subcall function 00FBC998: _wcslen.LIBCMT ref: 00FBC9F1
Part of subcall function 00FBC998: _wcslen.LIBCMT ref: 00FBCA68
Part of subcall function 00FBC998: _wcslen.LIBCMT ref: 00FBCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FBBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FBBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00FBBB63
RegCloseKey.ADVAPI32(?,?), ref: 00FBBBA6
RegCloseKey.ADVAPI32(00000000), ref: 00FBBBB3

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 8803b01100614447e3c23928a40a54c009a41ff2509bc314cc81f8a55ff01e59
Instruction ID: d34bfbb8ca028ca833a4bc876bb5b18a722eacdc8eb755b9afc87e43a2bf7cff
Opcode Fuzzy Hash: 8803b01100614447e3c23928a40a54c009a41ff2509bc314cc81f8a55ff01e59
Instruction Fuzzy Hash: D961C031608201AFC314DF15C891E6ABBE9FF84318F14855CF4998B2A2CB75ED45EF92

Function 00F98BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F98BCD
VariantClear.OLEAUT32 ref: 00F98C3E
VariantClear.OLEAUT32 ref: 00F98C9D
VariantClear.OLEAUT32(?), ref: 00F98D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00F98D3B

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 291cb3f6aecedb64109d19e0e41055d8679fbc140f1cd58d27088411cf332c3c
Instruction ID: 632c99ed75b9ae2abd439d1b1f1db4e73cf0c7803dc2e67ab8c909231fbeac65
Opcode Fuzzy Hash: 291cb3f6aecedb64109d19e0e41055d8679fbc140f1cd58d27088411cf332c3c
Instruction Fuzzy Hash: AE515AB5A00219EFDB14CF68C894EAAB7F8FF89350B158559E909DB350E730E912CF90

Function 00FA8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00FA8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00FA8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00FA8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00FA8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00FA8C5F

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 9b86b98fced3469eab07ca88bdc245d60feb22d6e1be6e42565956ab1500a54e
Instruction ID: 4caab79c85e38ea0b0c85e20ee5f7ac28c0ef68540cbf162fd9db3403921b898
Opcode Fuzzy Hash: 9b86b98fced3469eab07ca88bdc245d60feb22d6e1be6e42565956ab1500a54e
Instruction Fuzzy Hash: 46515C75A002189FCB14DF65C881E69BBF5FF49364F088058E849AB362CB35ED51EFA0

Function 00FB8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00FB8F40
GetProcAddress.KERNEL32(00000000,?), ref: 00FB8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00FB8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00FB9032
FreeLibrary.KERNEL32(00000000), ref: 00FB9052

Part of subcall function 00F4F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00FA1043,?,753CE610), ref: 00F4F6E6
Part of subcall function 00F4F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00F8FA64,00000000,00000000,?,?,00FA1043,?,753CE610,?,00F8FA64), ref: 00F4F70D

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 3d4fa56d8c05933ea2d8d3fca2d224b6fe95fa51da0125bfa52f429a7cfd8ec3
Instruction ID: 00bb09037e7ba97529a196c3ebb94a5494ebce70c968f45d73665df09d9dc711
Opcode Fuzzy Hash: 3d4fa56d8c05933ea2d8d3fca2d224b6fe95fa51da0125bfa52f429a7cfd8ec3
Instruction Fuzzy Hash: 27515C35A04205DFCB10EF65C4949ADBBB1FF49364F088098E9099B362DB75ED86EF90

Function 00FC6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00FC6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00FC6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00FC6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00FAAB79,00000000,00000000), ref: 00FC6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00FC6CC7

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 312eada402ed8e009ee223a034f6da86f9da9a4dc7c01ee9cb50a097e028ece0
Instruction ID: b1af642546ff78b5c768931054fd3d0dde7bff86df1ca3f81b2be8168dad400f
Opcode Fuzzy Hash: 312eada402ed8e009ee223a034f6da86f9da9a4dc7c01ee9cb50a097e028ece0
Instruction Fuzzy Hash: EC41D635A08105AFD724CF28CE56FA57BA5EB49361F15022CF899E73E1C371ED41EA90

Function 00F62051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F620C3
_free.LIBCMT ref: 00F620E3

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 8fc6d05bf3c004f0ac263b6d92f9ae5c5b69f05f0e4fd748d9b62e99f74c0aa8
Instruction ID: 1252ad06e9ae2c6491d5981706a9e4941cca49a26b06d9f260bf5a2816d51164
Opcode Fuzzy Hash: 8fc6d05bf3c004f0ac263b6d92f9ae5c5b69f05f0e4fd748d9b62e99f74c0aa8
Instruction Fuzzy Hash: A741D232E00604AFCB24DF78CD81A6DB7B5EF89724F154569EA15EB351DB31AD01EB80

Function 00F4912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00F49141
ScreenToClient.USER32(00000000,?), ref: 00F4915E
GetAsyncKeyState.USER32(00000001), ref: 00F49183
GetAsyncKeyState.USER32(00000002), ref: 00F4919D

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: c6dcd07f1e1abe0ab576f625aa98e7fb1a7a0f484a3a94a1f829852331aceb8c
Instruction ID: dd7ffb77db66b8080dd88197b2aca3585f64e64ebf479c2d68b8cb13329303fb
Opcode Fuzzy Hash: c6dcd07f1e1abe0ab576f625aa98e7fb1a7a0f484a3a94a1f829852331aceb8c
Instruction Fuzzy Hash: 21414131A0861AABDF15AF64C848BEEBB74FB45334F244219E829A7290C7746950EB91

Function 00FA3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00FA38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00FA3922
TranslateMessage.USER32(?), ref: 00FA394B
DispatchMessageW.USER32(?), ref: 00FA3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FA3966

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: b4976348c6d576d258c91ed9e9b385b00c209ad7212622d5b3d777b492cdc689
Instruction ID: a8222961002ed6795e81dc3d54faa6a617179952d8b0aef25fde84b9affabc81
Opcode Fuzzy Hash: b4976348c6d576d258c91ed9e9b385b00c209ad7212622d5b3d777b492cdc689
Instruction Fuzzy Hash: ED31C6B1D04345AFEB36CB34D849BB737A9EB0B314F04455DF49682190E3B9D684EB11

Function 00FACF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00FAC21E,00000000), ref: 00FACF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00FACF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00FAC21E,00000000), ref: 00FACFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00FAC21E,00000000), ref: 00FACFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00FAC21E,00000000), ref: 00FACFF2

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: b14b361ead18fad01c09199e98a8507e6c113c33e4183f4f6ba87a9031c9fa53
Instruction ID: 8134017e5519e02cd549d593034839d111ea2229e5cc164e51dd44a44b78faff
Opcode Fuzzy Hash: b14b361ead18fad01c09199e98a8507e6c113c33e4183f4f6ba87a9031c9fa53
Instruction Fuzzy Hash: 3A314DB1904209AFDB24DFA5D985AAABBF9EB15351B10442EF51AD3140DB30AD41EBB0

Function 00F91901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00F91915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00F919C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00F919C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00F919DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00F919E2

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 4ff9ce3a2849a7a1dfb40212bba2fa2d6c0afd8a787cebe00d6c54a6c396d95c
Instruction ID: 91777e01488a4ab13e1da44ec4d3b05c9850647347eb4d46697cdd28d6c6d234
Opcode Fuzzy Hash: 4ff9ce3a2849a7a1dfb40212bba2fa2d6c0afd8a787cebe00d6c54a6c396d95c
Instruction Fuzzy Hash: 0331AF72A0021AEFDF14CFA8CE99ADE3BB5FB44325F104225F925A72D1C7709954EB90

Function 00FB0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00FB0951
GetForegroundWindow.USER32 ref: 00FB0968
GetDC.USER32(00000000), ref: 00FB09A4
GetPixel.GDI32(00000000,?,00000003), ref: 00FB09B0
ReleaseDC.USER32(00000000,00000003), ref: 00FB09E8

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 778064abd396831a90d5bb23594929d17f62b04e904192e692c5fb30a87477b9
Instruction ID: 816d347705af43968114199f8e6272177f19166a4d5e35d52153a97914687180
Opcode Fuzzy Hash: 778064abd396831a90d5bb23594929d17f62b04e904192e692c5fb30a87477b9
Instruction Fuzzy Hash: 35218175A00204AFD714EF65CD85EAEBBE9EF49750F048068F84A97752CB34AC04EF90

Function 00F6CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00F6CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F6CDE9

Part of subcall function 00F63820: RtlAllocateHeap.NTDLL(00000000,?,01001444,?,00F4FDF5,?,?,00F3A976,00000010,01001440,00F313FC,?,00F313C6,?,00F31129), ref: 00F63852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00F6CE0F
_free.LIBCMT ref: 00F6CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00F6CE31

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: ff0a92cf47cfbbb1118f4563c237212df8d3b7fb0ce512589ad8e7aa4685c9b4
Instruction ID: d07f85d726826827cc7ff66ebb54f9dfb4592d89d96b0c917592762a49e07802
Opcode Fuzzy Hash: ff0a92cf47cfbbb1118f4563c237212df8d3b7fb0ce512589ad8e7aa4685c9b4
Instruction Fuzzy Hash: 4A01D472A022157F232116BA6D89D7B797DDED6FA13150129F989C7200EA6A8D01B1F0

Function 00F49639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F49693
SelectObject.GDI32(?,00000000), ref: 00F496A2
BeginPath.GDI32(?), ref: 00F496B9
SelectObject.GDI32(?,00000000), ref: 00F496E2

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: bd08838dc90f2fa06c25a3eef665e6de7be1b2ae4b266160afe7e0b28ecdf777
Instruction ID: 1f833d71c485e68d8f4dbe77b5684db6c0cf6727c30a0e4627474b3d0ea8b4bd
Opcode Fuzzy Hash: bd08838dc90f2fa06c25a3eef665e6de7be1b2ae4b266160afe7e0b28ecdf777
Instruction Fuzzy Hash: 8721A73191A305EFDB229F25ED09BAA3F74BB50325F110215F854971E4D3B5D851EF90

Function 00F95711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00F95726
_memcmp.LIBVCRUNTIME ref: 00F95744
_memcmp.LIBVCRUNTIME ref: 00F95757
_memcmp.LIBVCRUNTIME ref: 00F9576F
_memcmp.LIBVCRUNTIME ref: 00F95787

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a46967d6594a2b53ddfaa819e23b872cc96cb6ad52fc3c68fcc150d61baf5191
Instruction ID: c94f58478b8800250e259a2f2f448be6de9798ea3be1f5ed481c9ad06dc2d624
Opcode Fuzzy Hash: a46967d6594a2b53ddfaa819e23b872cc96cb6ad52fc3c68fcc150d61baf5191
Instruction Fuzzy Hash: 1B01DB6264160EBAFA0955509E92FBA735D9B617A5B004024FE045A141F730FF14B3A3

Function 00F62DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00F5F2DE,00F63863,01001444,?,00F4FDF5,?,?,00F3A976,00000010,01001440,00F313FC,?,00F313C6), ref: 00F62DFD
_free.LIBCMT ref: 00F62E32
_free.LIBCMT ref: 00F62E59
SetLastError.KERNEL32(00000000,00F31129), ref: 00F62E66
SetLastError.KERNEL32(00000000,00F31129), ref: 00F62E6F

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 8c2e8feb4d63ce866bd3273c4920e55e6cec88047e890a0ac3ac345915e7ac47
Instruction ID: b5a1cd081173df500862646f7ca9595da4dcd0538bc4ef0a106afd0f69a09613
Opcode Fuzzy Hash: 8c2e8feb4d63ce866bd3273c4920e55e6cec88047e890a0ac3ac345915e7ac47
Instruction Fuzzy Hash: 8E012836A45E0467C75227357D86E2B366DEFE17B1B250038F425A32D2EF3A8C01B160

Function 00F9000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F8FF41,80070057,?,?,?,00F9035E), ref: 00F9002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F8FF41,80070057,?,?), ref: 00F90046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F8FF41,80070057,?,?), ref: 00F90054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F8FF41,80070057,?), ref: 00F90064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F8FF41,80070057,?,?), ref: 00F90070

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 8df11c1cdb20887e1529adc35e68a1c4fafd0a3c6bc93f4ea60481277f11266b
Instruction ID: 1ba4f4742c68d84245f5e6c315cd007b862d43f3d75a33e801c4c8ba48c819f7
Opcode Fuzzy Hash: 8df11c1cdb20887e1529adc35e68a1c4fafd0a3c6bc93f4ea60481277f11266b
Instruction Fuzzy Hash: 2B018F72A00208BFEF108F68DD05FAA7AEDEB44761F144124F909D3260DB71DD40ABA0

Function 00F9E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00F9E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00F9E9A5
Sleep.KERNEL32(00000000), ref: 00F9E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00F9E9B7
Sleep.KERNEL32 ref: 00F9E9F3

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 3379186f8ff7d9c7e46b555e0c5617e71f1af2e083b339d5e5f754311263474e
Instruction ID: 2641d4df9c4d97a53ed404f92dc43e34f3308e9198874dc92532920ec800d6bb
Opcode Fuzzy Hash: 3379186f8ff7d9c7e46b555e0c5617e71f1af2e083b339d5e5f754311263474e
Instruction Fuzzy Hash: E0015731C0162DDBDF40EBE6DD5AAEDBB78FB08310F050946E502B2241CB309950ABA1

Function 00F910F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F91114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00F90B9B,?,?,?), ref: 00F91120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00F90B9B,?,?,?), ref: 00F9112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00F90B9B,?,?,?), ref: 00F91136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F9114D

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: c5592ab2a98ba22b2df340d2582a6c2f2775da9b13c23f9375efa234c3561d0b
Instruction ID: e7d7f97926d6eb8be0a351c720680409d9906bbc47a077e5f8cf1f53e15e5490
Opcode Fuzzy Hash: c5592ab2a98ba22b2df340d2582a6c2f2775da9b13c23f9375efa234c3561d0b
Instruction Fuzzy Hash: 3C016D75500209BFDB114F65DD4EE6A3B6EFF85360B150424FA49C3360DB31DC41AAA0

Function 00F90FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F90FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F90FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F90FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F90FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F91002

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 400786bf12b0b6318772ca0ff069f850d3e347a8b572b9418a274bea4645dab5
Instruction ID: f0cf8b190df2e7fd07a609ea1ba6fd70d881e3ae1f76b1278bac349ab3bf2d3f
Opcode Fuzzy Hash: 400786bf12b0b6318772ca0ff069f850d3e347a8b572b9418a274bea4645dab5
Instruction Fuzzy Hash: 2EF06235540305EBDB214FA5DD4EF563B6DFF89761F144424F949C7261CA71DC40DAA0

Function 00F91014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F9102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F91036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F91045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F9104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F91062

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: bb8e2d5f7e0b857f47de851a227f1b86b7c3ab85965eadb9510881d66aa13e4a
Instruction ID: b7070b0cbbfcab6e9c0f0112e945abd31922c6ebb920551d9e97fa2ff4f56800
Opcode Fuzzy Hash: bb8e2d5f7e0b857f47de851a227f1b86b7c3ab85965eadb9510881d66aa13e4a
Instruction Fuzzy Hash: D5F06235540305EBDB215FA5ED4AF563B6DFF89761F140424F949C7261CA72D8409AA0

Function 00FA030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00FA017D,?,00FA32FC,?,00000001,00F72592,?), ref: 00FA0324
CloseHandle.KERNEL32(?,?,?,?,00FA017D,?,00FA32FC,?,00000001,00F72592,?), ref: 00FA0331
CloseHandle.KERNEL32(?,?,?,?,00FA017D,?,00FA32FC,?,00000001,00F72592,?), ref: 00FA033E
CloseHandle.KERNEL32(?,?,?,?,00FA017D,?,00FA32FC,?,00000001,00F72592,?), ref: 00FA034B
CloseHandle.KERNEL32(?,?,?,?,00FA017D,?,00FA32FC,?,00000001,00F72592,?), ref: 00FA0358
CloseHandle.KERNEL32(?,?,?,?,00FA017D,?,00FA32FC,?,00000001,00F72592,?), ref: 00FA0365

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c3ad3fcc27041ec3c8cdd1eff83dc02a0b95e8cdeb02210087b47c7ee1f1b6fc
Instruction ID: 0aeb2e48c00258c130073634ea7236a5d4cf56cd13b74875ad27b74a8072f579
Opcode Fuzzy Hash: c3ad3fcc27041ec3c8cdd1eff83dc02a0b95e8cdeb02210087b47c7ee1f1b6fc
Instruction Fuzzy Hash: 3901A2B2800B159FCB309F66E880812F7F9BF613253158A3FD19652931C771A954EF80

Function 00F6D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F6D752

Part of subcall function 00F629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F6D7D1,00000000,00000000,00000000,00000000,?,00F6D7F8,00000000,00000007,00000000,?,00F6DBF5,00000000), ref: 00F629DE
Part of subcall function 00F629C8: GetLastError.KERNEL32(00000000,?,00F6D7D1,00000000,00000000,00000000,00000000,?,00F6D7F8,00000000,00000007,00000000,?,00F6DBF5,00000000,00000000), ref: 00F629F0

_free.LIBCMT ref: 00F6D764
_free.LIBCMT ref: 00F6D776
_free.LIBCMT ref: 00F6D788
_free.LIBCMT ref: 00F6D79A

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6b16d924ea5049960f3fec5e180d636768039d3bbca1a704d226523bad88477d
Instruction ID: eb0b73c048461cc04f4a29c0db57788a319b222139c097f566e2c5e39e875839
Opcode Fuzzy Hash: 6b16d924ea5049960f3fec5e180d636768039d3bbca1a704d226523bad88477d
Instruction Fuzzy Hash: EEF0FF32F4461CAB8669EB68FAC5C267BFDBF44760B940805F048D7501CB24FC80F6A5

Function 00F95C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00F95C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00F95C6F
MessageBeep.USER32(00000000), ref: 00F95C87
KillTimer.USER32(?,0000040A), ref: 00F95CA3
EndDialog.USER32(?,00000001), ref: 00F95CBD

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: c8e3826e29ff6584c379f69feebbe46623a4e50bc539cede09a22386945fcbb2
Instruction ID: b95e44192bcd50cf9ea1a4ee57d697b2df386b197944adf3b6e465246d4473a1
Opcode Fuzzy Hash: c8e3826e29ff6584c379f69feebbe46623a4e50bc539cede09a22386945fcbb2
Instruction Fuzzy Hash: 93016770500704ABFF255B20DF4FF9577B8BB00F05F000559E646A15E1D7F45944AB90

Function 00F622A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00F622BE

Part of subcall function 00F629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F6D7D1,00000000,00000000,00000000,00000000,?,00F6D7F8,00000000,00000007,00000000,?,00F6DBF5,00000000), ref: 00F629DE
Part of subcall function 00F629C8: GetLastError.KERNEL32(00000000,?,00F6D7D1,00000000,00000000,00000000,00000000,?,00F6D7F8,00000000,00000007,00000000,?,00F6DBF5,00000000,00000000), ref: 00F629F0

_free.LIBCMT ref: 00F622D0
_free.LIBCMT ref: 00F622E3
_free.LIBCMT ref: 00F622F4
_free.LIBCMT ref: 00F62305

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: cc6843ed631d07c22d3fad7460ac43cf1fbf492cd29d226e112c0598228b45c2
Instruction ID: aa2bbad4af0e0cb53714d3c12d2c0ca7e376937310798e4d4d601d83c32f7215
Opcode Fuzzy Hash: cc6843ed631d07c22d3fad7460ac43cf1fbf492cd29d226e112c0598228b45c2
Instruction Fuzzy Hash: 2EF030B09009248B8767AF58FC019283BB4BB187E1F00051AF450D2269C73E4411FBE5

Function 00F495C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00F495D4
StrokeAndFillPath.GDI32(?,?,00F871F7,00000000,?,?,?), ref: 00F495F0
SelectObject.GDI32(?,00000000), ref: 00F49603
DeleteObject.GDI32 ref: 00F49616
StrokePath.GDI32(?), ref: 00F49631

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 1ec6558f40112519879b1ba33c22776beb45c59ed82277d4679148dc12c2ad04
Instruction ID: eb9a115fe45329663b6298e43f8977f86d12dd524ffa7f819700acd6cff3f37d
Opcode Fuzzy Hash: 1ec6558f40112519879b1ba33c22776beb45c59ed82277d4679148dc12c2ad04
Instruction Fuzzy Hash: 9AF03C31509208EBDB275F65EE0DB653F61BB00332F148214F9A9960F4CB7A8991EF60

Function 00F60F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00F610F9
__freea.LIBCMT ref: 00F61117

Part of subcall function 00F61537: _free.LIBCMT ref: 00F6154F

Strings

am/pm, xrefs: 00F6117A
a/p, xrefs: 00F611DE

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: a9bd80f194cdf2b3e74ff5058b8fd7d63cf37508d7549c21de56218fbab196b8
Instruction ID: d204e4756f066e60072195444a80b3e5e6d37ab56c804836dc9940ecab1d33d3
Opcode Fuzzy Hash: a9bd80f194cdf2b3e74ff5058b8fd7d63cf37508d7549c21de56218fbab196b8
Instruction Fuzzy Hash: E0D10132D00206DADB289F68C856BFEB7B5FF06320F2C4159E906AB751D7359D80EB91

Function 00FB7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00F50242: EnterCriticalSection.KERNEL32(0100070C,01001884,?,?,00F4198B,01002518,?,?,?,00F312F9,00000000), ref: 00F5024D
Part of subcall function 00F50242: LeaveCriticalSection.KERNEL32(0100070C,?,00F4198B,01002518,?,?,?,00F312F9,00000000), ref: 00F5028A

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

Part of subcall function 00F500A3: __onexit.LIBCMT ref: 00F500A9

__Init_thread_footer.LIBCMT ref: 00FB7BFB

Part of subcall function 00F501F8: EnterCriticalSection.KERNEL32(0100070C,?,?,00F48747,01002514), ref: 00F50202
Part of subcall function 00F501F8: LeaveCriticalSection.KERNEL32(0100070C,?,00F48747,01002514), ref: 00F50235

Strings

G, xrefs: 00FB7C7F
Variable must be of type 'Object'., xrefs: 00FB7C3A
5, xrefs: 00FB7C78

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 31e303b9a8e3e188c8ad27bde810fa227686b6872cf81456a50f15d104e9a9cd
Instruction ID: e73325fed7b5483a56d0b0da1bdcd043bbe22ac84a628c038eafd21bdc741555
Opcode Fuzzy Hash: 31e303b9a8e3e188c8ad27bde810fa227686b6872cf81456a50f15d104e9a9cd
Instruction Fuzzy Hash: 70919A70A04209AFCB14EF56D891DEDBBB1BF88350F148049F846AB292DB75AE41EF51

Function 00F92716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F9B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F921D0,?,?,00000034,00000800,?,00000034), ref: 00F9B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00F92760

Part of subcall function 00F9B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F921FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00F9B3F8

Part of subcall function 00F9B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00F9B355
Part of subcall function 00F9B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00F92194,00000034,?,?,00001004,00000000,00000000), ref: 00F9B365
Part of subcall function 00F9B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00F92194,00000034,?,?,00001004,00000000,00000000), ref: 00F9B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F927CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F9281A

Strings

@, xrefs: 00F92832

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 471358b870f5b91ec497d7d39208cd6a4eac61b849f9089f32b277c66bd99a40
Instruction ID: d6cb8534c5b52ab299347c7e4ae2775eb6a40896fa800300e7069d01af4bdd28
Opcode Fuzzy Hash: 471358b870f5b91ec497d7d39208cd6a4eac61b849f9089f32b277c66bd99a40
Instruction Fuzzy Hash: 1A412A72900218BEEF10DFA4DD46EEEBBB8AF09310F004095EA55B7181DA716E45EBA1

Function 00F6172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\EPIRTURMEROOO0060.exe,00000104), ref: 00F61769
_free.LIBCMT ref: 00F61834
_free.LIBCMT ref: 00F6183E

Strings

C:\Users\user\Desktop\EPIRTURMEROOO0060.exe, xrefs: 00F61760, 00F61767, 00F61796, 00F617CE

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\EPIRTURMEROOO0060.exe
API String ID: 2506810119-1661907559
Opcode ID: fcc38755f7fd9b6d9e25132d88d093264a89839740ed0bfdd77be7e4793b9189
Instruction ID: 2ababf98555e20861330bff6d60c9abdf0ad3c89aefdc6c4f64c2c242e78ecd5
Opcode Fuzzy Hash: fcc38755f7fd9b6d9e25132d88d093264a89839740ed0bfdd77be7e4793b9189
Instruction Fuzzy Hash: 3D3161B1E00218ABDB22DFA99C85D9EBBFCFB85360F184166F844D7201D6748E41EB90

Function 00F9C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00F9C306
DeleteMenu.USER32(?,00000007,00000000), ref: 00F9C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01001990,01165C80), ref: 00F9C395

Strings

0, xrefs: 00F9C2DF

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 0111b8111ad49048d5168acf27f0eec5cd3a84b4b2dc97f05815a2f8b041e251
Instruction ID: 98856ed0535e1aedee5d71d9d1d3a9417583b43fa1ab72c7d6088b911a5b2fe2
Opcode Fuzzy Hash: 0111b8111ad49048d5168acf27f0eec5cd3a84b4b2dc97f05815a2f8b041e251
Instruction Fuzzy Hash: F041C2716043019FEB24DF29DC85F1ABBE8AF85320F048A1DF9A5972D1D774E904EB92

Function 00FB304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00FB3077,?,?), ref: 00FB3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FB307A
_wcslen.LIBCMT ref: 00FB309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00FB3106

Strings

255.255.255.255, xrefs: 00FB3095, 00FB309A

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: b23d50ddf5c4c8cdfcbfd5a5d8f9064b7b49653351afdb0dfff87beb7df71f92
Instruction ID: 9ece32de23d5a81e73eb6c4c169683459d7e9b15d8c8b0a07fbf64f13db7eb73
Opcode Fuzzy Hash: b23d50ddf5c4c8cdfcbfd5a5d8f9064b7b49653351afdb0dfff87beb7df71f92
Instruction Fuzzy Hash: BF313739A042059FCB10DF2EC881EEA77E0EF14368F248059E8158B392DB71EE41EF60

Function 00FC4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00FC4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00FC4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00FC471A

Strings

msctls_updown32, xrefs: 00FC4684

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 7e8dbee1562d04f99203d0fafdbfacae28cc0133b424c25ff92261d75f59a344
Instruction ID: ae979b70d3dedf99ecba5009ce0ce6dc257f40f0041dcf2e904e49806b5dcff0
Opcode Fuzzy Hash: 7e8dbee1562d04f99203d0fafdbfacae28cc0133b424c25ff92261d75f59a344
Instruction Fuzzy Hash: 2D215CB5600209AFDB11DF64DD92EA737ADEF4A3A4B040059FA049B391CB35FC51EBA0

Function 00F995AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F9961D

Strings

#notrayicon, xrefs: 00F995B7
#OnAutoItStartRegister, xrefs: 00F995F3
#requireadmin, xrefs: 00F995D9

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: cee39e8cb9b8c95786c38081db46b38d2cd3bb17627a8aee80e1941c49ba465b
Instruction ID: c2b1b17625fdeac2479356f4cd9e8bcfbc23544161a30db31a5ea0e90bb62fb9
Opcode Fuzzy Hash: cee39e8cb9b8c95786c38081db46b38d2cd3bb17627a8aee80e1941c49ba465b
Instruction Fuzzy Hash: C321387250861166EB31AA2CDC03FB7B7E89F91320F16402EF94997041EBD6AD49F2D6

Function 00FA49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FA4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00FA4A5C
SetErrorMode.KERNEL32(00000000,?,?,00FCCC08), ref: 00FA4AD0

Strings

%lu, xrefs: 00FA4A6F

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 84558129202e02ab0e26badab146f832dcef51c96398ccdf932705a516cd1dd1
Instruction ID: 4844c1a13d1e979ef8e6185e9c9014be76801a3aa8b03f8289a150f1e822ca1d
Opcode Fuzzy Hash: 84558129202e02ab0e26badab146f832dcef51c96398ccdf932705a516cd1dd1
Instruction Fuzzy Hash: 5831D271A00109AFDB10DF54C981EAA7BF8EF49318F1480A9F908DB352DBB5ED45DBA1

Function 00F92F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F36B57: _wcslen.LIBCMT ref: 00F36B6A

Part of subcall function 00F92DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00F92DC5
Part of subcall function 00F92DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F92DD6
Part of subcall function 00F92DA7: GetCurrentThreadId.KERNEL32 ref: 00F92DDD
Part of subcall function 00F92DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00F92DE4

GetFocus.USER32 ref: 00F92F78

Part of subcall function 00F92DEE: GetParent.USER32(00000000), ref: 00F92DF9

GetClassNameW.USER32(?,?,00000100), ref: 00F92FC3
EnumChildWindows.USER32(?,00F9303B), ref: 00F92FEB

Strings

%s%d, xrefs: 00F92FFF

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 6a68c89fbe8085b73ebcd8546853e00f036716ad7b9169833f39c134f5de0ce7
Instruction ID: 200ea05bc1e4f80ba94e9b98c556b933312176d9683331a85250cf9e566f82d0
Opcode Fuzzy Hash: 6a68c89fbe8085b73ebcd8546853e00f036716ad7b9169833f39c134f5de0ce7
Instruction Fuzzy Hash: A311E4716002096BDF407F708D8AEED776AAF84314F048075FA0DDB252DE349909BB60

Function 00F8D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00F8D3BF
FreeLibrary.KERNEL32 ref: 00F8D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 00F8D3B9
X64, xrefs: 00F8D2A8

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: d27686f5e2e605ed7376e409a77e64eabd7294ef8a0285a6022128f787e478d3
Instruction ID: 172dc952ed4a04bd7e07173994fe51fc9cdf407a610ba4be07aa4342d8d01dc6
Opcode Fuzzy Hash: d27686f5e2e605ed7376e409a77e64eabd7294ef8a0285a6022128f787e478d3
Instruction Fuzzy Hash: D6F0AB33C02622EBD33232118C59FE9B310AF00701F598119F80AE30C5DB20CD40B3C2

Function 00F9007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91c007c858b434a6ad71b7f3f90c97feccc5e6965d9e7f80df4d1452e8f26b85
Instruction ID: 37154d77f25197aa91f4d7bfe25a4a65b797ddb586c17450675e663f5d632791
Opcode Fuzzy Hash: 91c007c858b434a6ad71b7f3f90c97feccc5e6965d9e7f80df4d1452e8f26b85
Instruction Fuzzy Hash: 2FC11B75A0021AEFEB14CF94C894EAEB7B5FF48714F208598E505EB251DB31DD81EB90

Function 00F63E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00F63F0B
__alldvrm.LIBCMT ref: 00F6410C
__alldvrm.LIBCMT ref: 00F6412E

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 3ed389782f5bb65d5dc2de8273a291c3a6ba9efb038f9df5db23cccda3cf183f
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 69A18E72E00356AFDB26DF18CC917AEBBF4EF62360F14416DE5559B282C238AD81E750

Function 00FB342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00FB3459
CoUninitialize.OLE32 ref: 00FB3463
VariantInit.OLEAUT32(?), ref: 00FB346E
VariantClear.OLEAUT32(?), ref: 00FB371B

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: d4ad0e93f901fe972b2dbf10538d96c8e849ef9c65fe674cb9620a0a7fad0543
Instruction ID: b39d47d2208e0af4756d68bfe410d5ffb296b27c51d78dcfbf7e9ea675f45a70
Opcode Fuzzy Hash: d4ad0e93f901fe972b2dbf10538d96c8e849ef9c65fe674cb9620a0a7fad0543
Instruction Fuzzy Hash: 94A16D756043009FCB14EF29C985A5AB7E5FF88720F088859F9499B362DB34ED01EF91

Function 00F90436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00FCFC08,?), ref: 00F905F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00FCFC08,?), ref: 00F90608
CLSIDFromProgID.OLE32(?,?,00000000,00FCCC40,000000FF,?,00000000,00000800,00000000,?,00FCFC08,?), ref: 00F9062D
_memcmp.LIBVCRUNTIME ref: 00F9064E

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 92ae87863a495b29ef2d9bcff8561358fd805c13720f4551e46a7b9b59f57a4f
Instruction ID: 3be96a316969fd47948b5f153b0480f2a9617160e179b2de2673cb55748e5ac8
Opcode Fuzzy Hash: 92ae87863a495b29ef2d9bcff8561358fd805c13720f4551e46a7b9b59f57a4f
Instruction Fuzzy Hash: 2B810671A00109EFDF04DF94C984EEEB7B9FF89315F244598E506AB250DB71AE06DB60

Function 00F71391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F714C0

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 45dd52bc277abc44171b19370028dbc6b263b63f58575fd09b55dbae38520e62
Instruction ID: 05494fe114e7ecd7b13d5a6bf4f518c400be1d326ba01e6b5c6a21c075082c78
Opcode Fuzzy Hash: 45dd52bc277abc44171b19370028dbc6b263b63f58575fd09b55dbae38520e62
Instruction Fuzzy Hash: A3414B72A001006BDB25EFBC9C46AAE3AA5FF42770F14C267F91DD3191E678484D7263

Function 00FC6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0115CAD8,?), ref: 00FC62E2
ScreenToClient.USER32(?,?), ref: 00FC6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00FC6382

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 1b5d700d0dfe11628755d150dddcad2f4e95233dacf4b28a84ffc6fe2c5469d2
Instruction ID: bf83720ceec6ca5109f84a9acb3aaa16d93d31e14db46e4f098114a5e3102ec3
Opcode Fuzzy Hash: 1b5d700d0dfe11628755d150dddcad2f4e95233dacf4b28a84ffc6fe2c5469d2
Instruction Fuzzy Hash: 35512974A0424AAFCF24DF54DA82EAE7BB5EB85360F10815DF855D7290D730ED41EB90

Function 00FB1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00FB1AFD
WSAGetLastError.WSOCK32 ref: 00FB1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00FB1B8A
WSAGetLastError.WSOCK32 ref: 00FB1B94

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: e88621152209e5ef7fa380af039d79caa9ebe4d1dc63a2c984a63505037064aa
Instruction ID: f063d57c0ef76b605c32fc25a43d85fd37c5de1175585ab9d38cb90267ea0ecc
Opcode Fuzzy Hash: e88621152209e5ef7fa380af039d79caa9ebe4d1dc63a2c984a63505037064aa
Instruction Fuzzy Hash: 7B41D175600200AFE720AF20CC86F6A7BE5AB84728F54C44CFA1A9F7D2D776DD419B90

Function 00F6B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5de933fc2a69f588e7fa42309e840968b18bd5b12c63ab7d53002d7bd5fb337b
Instruction ID: 6c3c73fe338719740ba25122972b498e1e4f57cf0753cbb5d6e54ddd09d620c5
Opcode Fuzzy Hash: 5de933fc2a69f588e7fa42309e840968b18bd5b12c63ab7d53002d7bd5fb337b
Instruction Fuzzy Hash: AD415C71A00314BFD724EF38CC41BAA7BE9EB84720F10852EF546DB282D775A941A790

Function 00FA56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00FA5783
GetLastError.KERNEL32(?,00000000), ref: 00FA57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00FA57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00FA57FA

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 988a562bf4042f3a6119665eaa9470cb38901522df2337f4ac197d54f6682959
Instruction ID: c4d1088c09934395c5e1108c997bcbc14161476c46c18b3feec1b7880874e4b1
Opcode Fuzzy Hash: 988a562bf4042f3a6119665eaa9470cb38901522df2337f4ac197d54f6682959
Instruction Fuzzy Hash: FA415079600614DFCF14EF15C545A5DBBE1EF49720F188488E94AAB365CB38FD00EB91

Function 00F6D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00F56D71,00000000,00000000,00F582D9,?,00F582D9,?,00000001,00F56D71,8BE85006,00000001,00F582D9,00F582D9), ref: 00F6D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F6D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00F6D9AB
__freea.LIBCMT ref: 00F6D9B4

Part of subcall function 00F63820: RtlAllocateHeap.NTDLL(00000000,?,01001444,?,00F4FDF5,?,?,00F3A976,00000010,01001440,00F313FC,?,00F313C6,?,00F31129), ref: 00F63852

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 610af1e008eadf5144d6936ea13cbe5f498beccbecf8cccf8deb520ec823ef2e
Instruction ID: 343bbbc2808ad964d4fa05fa913f449d35f20d184cc2418da1e1659ab40003a4
Opcode Fuzzy Hash: 610af1e008eadf5144d6936ea13cbe5f498beccbecf8cccf8deb520ec823ef2e
Instruction Fuzzy Hash: DF31AD72E0020AABDB249F65DC45EAF7BA5EB41760B054168FC08D7250EB39DD54EBA0

Function 00FC52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00FC5352
GetWindowLongW.USER32(?,000000F0), ref: 00FC5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FC5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00FC53A8

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: f330c96ec31f7fac195330eb1ec34079432ea5c990695ea256f4224f2cfc17e2
Instruction ID: 2f15c45d5230e1203f65f9ccce4913eeb304e6964b833b42361a5eee89fab928
Opcode Fuzzy Hash: f330c96ec31f7fac195330eb1ec34079432ea5c990695ea256f4224f2cfc17e2
Instruction Fuzzy Hash: 4831F431F55A4AAFEB349A54CE07FE83763AB04BA0F584109FA54861D1C7B5B9C0BB41

Function 00F9AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00F9ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00F9AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00F9AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00F9ACC6

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ac7fb27e375aa883a92a70b4d75d9b030f516400b4c1bf5d635df5d49db35795
Instruction ID: 705542e6f9446113ed645ee0f96bda573398a2957e515c6cd753d3285f1a216b
Opcode Fuzzy Hash: ac7fb27e375aa883a92a70b4d75d9b030f516400b4c1bf5d635df5d49db35795
Instruction Fuzzy Hash: FE310530E04718AFFF35CB658C05BFA7BA5AB89321F04471AE4859A1D1C379C985B7E2

Function 00FC7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00FC769A
GetWindowRect.USER32(?,?), ref: 00FC7710
PtInRect.USER32(?,?,00FC8B89), ref: 00FC7720
MessageBeep.USER32(00000000), ref: 00FC778C

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 57f80ab76b4b377d76344c180b6a67b8dfdbd0873dc88378e98086c01b204c0e
Instruction ID: 2706c54389c97afd460ffaaf5805b87cd334c78682ba863188766b506fab85a8
Opcode Fuzzy Hash: 57f80ab76b4b377d76344c180b6a67b8dfdbd0873dc88378e98086c01b204c0e
Instruction Fuzzy Hash: 53419F34A0531AAFCB11EF68CA86FA9BBF4BF48310F1440ACE4549B251C335E941EF90

Function 00FC16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00FC16EB

Part of subcall function 00F93A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F93A57
Part of subcall function 00F93A3D: GetCurrentThreadId.KERNEL32 ref: 00F93A5E
Part of subcall function 00F93A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00F925B3), ref: 00F93A65

GetCaretPos.USER32(?), ref: 00FC16FF
ClientToScreen.USER32(00000000,?), ref: 00FC174C
GetForegroundWindow.USER32 ref: 00FC1752

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: eaac3cd5f3c66db447d64c0b11e089de4fce33e396c2a38ec1774a330176d5e2
Instruction ID: c81cc2dbdc9121c65e2ef24a6afc1ade7a166ade41c80ec209fe53d5728002a5
Opcode Fuzzy Hash: eaac3cd5f3c66db447d64c0b11e089de4fce33e396c2a38ec1774a330176d5e2
Instruction Fuzzy Hash: B9316FB5D00209AFCB04EFA9C981DAEBBF9EF49314B5080A9E415E7212D735DE45DFA0

Function 00F9D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00F9D501
Process32FirstW.KERNEL32(00000000,?), ref: 00F9D50F
Process32NextW.KERNEL32(00000000,?), ref: 00F9D52F
CloseHandle.KERNEL32(00000000), ref: 00F9D5DC

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 2ebc3bda44476cb4995eaabe391839b9d0b2850b133ccec874c7adc05233b6f6
Instruction ID: b480a7dcbcd31ad065d48cf73f78da5fd6c4033d5d583559a1c02ec4f9b1769d
Opcode Fuzzy Hash: 2ebc3bda44476cb4995eaabe391839b9d0b2850b133ccec874c7adc05233b6f6
Instruction Fuzzy Hash: C53193711083009FD700EF54CC81AAFBBE8EFD9364F54092DF585871A1EBB19949EB92

Function 00FC8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F49BB2

GetCursorPos.USER32(?), ref: 00FC9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00F87711,?,?,?,?,?), ref: 00FC9016
GetCursorPos.USER32(?), ref: 00FC905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00F87711,?,?,?), ref: 00FC9094

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 6ec8b9c1d8a60871e04ae01a5d36c1ceff41918a6dbb61b24890c8a92ddd5717
Instruction ID: da46561950884c40e9e33c2e754a0a8d6e17880cfdd9a247b78716adc36e45a0
Opcode Fuzzy Hash: 6ec8b9c1d8a60871e04ae01a5d36c1ceff41918a6dbb61b24890c8a92ddd5717
Instruction Fuzzy Hash: 4321A135A04018FFDB268FA4C95AFFA7BB9EF89360F044059F90547261C3759990FBA0

Function 00F9D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00FCCB68), ref: 00F9D2FB
GetLastError.KERNEL32 ref: 00F9D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00F9D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00FCCB68), ref: 00F9D376

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 97040ad723ebd0b6d1df70264071991255904af57961bbcc0e5cf465db70b37a
Instruction ID: df3759248d71d8651e3de0c0996159e0b962174c1ad243e89a264bb905beadce
Opcode Fuzzy Hash: 97040ad723ebd0b6d1df70264071991255904af57961bbcc0e5cf465db70b37a
Instruction Fuzzy Hash: 8F21A370908201DF9B00DF24C981CAA77E4EF95375F604A1DF499C32A1D731D946EB93

Function 00F91571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F91014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F9102A
Part of subcall function 00F91014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F91036
Part of subcall function 00F91014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F91045
Part of subcall function 00F91014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F9104C
Part of subcall function 00F91014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F91062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00F915BE
_memcmp.LIBVCRUNTIME ref: 00F915E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F91617
HeapFree.KERNEL32(00000000), ref: 00F9161E

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: d1903b948c66c0b1005c146cb2111eef9e686bca703b2126e95ed651a1df688e
Instruction ID: bc1e9651343886d12b2cced1c69e201e80e31b4ea2c2869d1f33eb5c388694b6
Opcode Fuzzy Hash: d1903b948c66c0b1005c146cb2111eef9e686bca703b2126e95ed651a1df688e
Instruction Fuzzy Hash: 6D219D31E4010AEFEF10DFA5C945BEEB7B8FF44354F094469E445AB241E730AA05EBA0

Function 00FC2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00FC280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00FC2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00FC2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00FC2840

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: d3b228249a4b88d41e4896d7682ac21cdca9a57f2610573b3e37a5ab61f1aae2
Instruction ID: 90ae92ab2bbb8444204a605236d93b3d63febed4131398b61940ba9cb78cca3c
Opcode Fuzzy Hash: d3b228249a4b88d41e4896d7682ac21cdca9a57f2610573b3e37a5ab61f1aae2
Instruction Fuzzy Hash: 04212131204112AFD7549B24CD82FAA7B95EF85324F18810CF42A8B6E2CB75FC42DBD0

Function 00F978F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F98D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00F9790A,?,000000FF,?,00F98754,00000000,?,0000001C,?,?), ref: 00F98D8C
Part of subcall function 00F98D7D: lstrcpyW.KERNEL32(00000000,?,?,00F9790A,?,000000FF,?,00F98754,00000000,?,0000001C,?,?,00000000), ref: 00F98DB2
Part of subcall function 00F98D7D: lstrcmpiW.KERNEL32(00000000,?,00F9790A,?,000000FF,?,00F98754,00000000,?,0000001C,?,?), ref: 00F98DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00F98754,00000000,?,0000001C,?,?,00000000), ref: 00F97923
lstrcpyW.KERNEL32(00000000,?,?,00F98754,00000000,?,0000001C,?,?,00000000), ref: 00F97949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00F98754,00000000,?,0000001C,?,?,00000000), ref: 00F97984

Strings

cdecl, xrefs: 00F9797B

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 21ac3822de8a99590b9e2bb47382c9333d81b7a0a7c6bf17d33bf0f227f70d14
Instruction ID: e13d125cff2f83cdf12a088fd1d69fa4a3122f83991e28a52f1150d143969185
Opcode Fuzzy Hash: 21ac3822de8a99590b9e2bb47382c9333d81b7a0a7c6bf17d33bf0f227f70d14
Instruction Fuzzy Hash: 8911E43A600305ABDF156F35DC45E7A77A5EF85390B10402AE906C7264EB319801E791

Function 00FC7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00FC7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00FC7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00FC7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00FAB7AD,00000000), ref: 00FC7D6B

Part of subcall function 00F49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F49BB2

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 295fcb37e195882e8fa669e50a33072c1c41f015a857531f4bb5b80e677a9ed1
Instruction ID: a53be2344b31aa2d7f78641576fc39fdd5d3c63e610d7c18ee23b33130be92a0
Opcode Fuzzy Hash: 295fcb37e195882e8fa669e50a33072c1c41f015a857531f4bb5b80e677a9ed1
Instruction Fuzzy Hash: 03118C32A0461AAFCB11AF28DD05FA63BA5AF45370F154728F83AD72E0D7319950EF90

Function 00F61D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deb6ea86a290ccee9b4b18be5c4b283ace8d800d54dfbcf5921a7fec86086f47
Instruction ID: 9c926f2455beb7f684b1754dfe9e0aa6b6c3b1a63d7bb371e58c5cf6df541965
Opcode Fuzzy Hash: deb6ea86a290ccee9b4b18be5c4b283ace8d800d54dfbcf5921a7fec86086f47
Instruction Fuzzy Hash: 4201D6B2A05A1A3EF62126786CC1F27762CEF817B8F380326F521522D2DB658C007170

Function 00F91A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00F91A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F91A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F91A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F91A8A

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c95f1ae0b62abc97e428861f6881a217368176324097ae8309ec52497de6acfe
Instruction ID: 5b26874d3c5382e2365daeaecf66708e7217bf2de0668d02d439aedbe5874252
Opcode Fuzzy Hash: c95f1ae0b62abc97e428861f6881a217368176324097ae8309ec52497de6acfe
Instruction Fuzzy Hash: DF11F73AD01219FFEF119BA5CD85FADBB78FB08750F2000A1EA04B7290D6756E50EB94

Function 00F9E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00F9E1FD
MessageBoxW.USER32(?,?,?,?), ref: 00F9E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00F9E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00F9E24D

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 37d9a2322d1752aa4faca06535714c8d71d04dbca4bf3bf6fe426e3b1a74a177
Instruction ID: 1921e3bad3547f460dbda3462876c3ce3b452763af2d3c0434ef616eea5ba6e2
Opcode Fuzzy Hash: 37d9a2322d1752aa4faca06535714c8d71d04dbca4bf3bf6fe426e3b1a74a177
Instruction Fuzzy Hash: 08112672D04258BFDB11DFA8AC0AE9E7FACEB45320F148215F928E3281D6B5CD0497A0

Function 00F5D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00F5CFF9,00000000,00000004,00000000), ref: 00F5D218
GetLastError.KERNEL32 ref: 00F5D224
__dosmaperr.LIBCMT ref: 00F5D22B
ResumeThread.KERNEL32(00000000), ref: 00F5D249

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: e543ae07f896ad487517e44655f8596fc7cd91413d29793d6ba16a916d5713fd
Instruction ID: e88086efaff1f943ff6face9ff8ae7ec90e14cbe71837f784065366db93005c4
Opcode Fuzzy Hash: e543ae07f896ad487517e44655f8596fc7cd91413d29793d6ba16a916d5713fd
Instruction Fuzzy Hash: A201F9768066087BD7315BA5DC05FAE7A69DF81332F100259FE25921D0DB75C909F7E0

Function 00FC9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00F49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F49BB2

GetClientRect.USER32(?,?), ref: 00FC9F31
GetCursorPos.USER32(?), ref: 00FC9F3B
ScreenToClient.USER32(?,?), ref: 00FC9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00FC9F7A

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 807a31659244b3d523127e8e04aafbda2f249ef1444096f0afa1c2d3614a3ff9
Instruction ID: 8b8e8524542221f470c02f9840c8587ae4f7304e5a95da9b74b65fa5a59deff6
Opcode Fuzzy Hash: 807a31659244b3d523127e8e04aafbda2f249ef1444096f0afa1c2d3614a3ff9
Instruction Fuzzy Hash: D711183290411AEBDB11DF68DA8AEEE77B9FB45311F000459F911E3140D775BA81EBA1

Function 00F3600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F3604C
GetStockObject.GDI32(00000011), ref: 00F36060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F3606A

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 02f35ae8e1257679a0184536f9dff1ab0e26630b06375459997c9135c8245870
Instruction ID: 3d0c240a2a2bfcd2c35ad5f9558606803bbad6230347ea99749be680023897f3
Opcode Fuzzy Hash: 02f35ae8e1257679a0184536f9dff1ab0e26630b06375459997c9135c8245870
Instruction Fuzzy Hash: 4C116DB2501508BFEF164FA49D46EEABB69EF093B4F044216FA1892110D736DC60FBA0

Function 00F53B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00F53B56

Part of subcall function 00F53AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00F53AD2
Part of subcall function 00F53AA3: ___AdjustPointer.LIBCMT ref: 00F53AED

_UnwindNestedFrames.LIBCMT ref: 00F53B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00F53B7C
CallCatchBlock.LIBVCRUNTIME ref: 00F53BA4

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 0c88a69af704ad1c8f587265d49967e995174b32f1cfcedfa479e9d3c69af7bc
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: A6012932500148BBDF125E99CC42EEB3B69EF887A9F044014FF4896121C736E965EBA0

Function 00F63073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00F313C6,00000000,00000000,?,00F6301A,00F313C6,00000000,00000000,00000000,?,00F6328B,00000006,FlsSetValue), ref: 00F630A5
GetLastError.KERNEL32(?,00F6301A,00F313C6,00000000,00000000,00000000,?,00F6328B,00000006,FlsSetValue,00FD2290,FlsSetValue,00000000,00000364,?,00F62E46), ref: 00F630B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00F6301A,00F313C6,00000000,00000000,00000000,?,00F6328B,00000006,FlsSetValue,00FD2290,FlsSetValue,00000000), ref: 00F630BF

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 14e61367aea5ce794db5bc23aff2e5a84b8ebd65705f29ca6036771b69a4475f
Instruction ID: bf14876d1139bb4fa61cf9e37d8b4c7e771b245d9707dfa6b38a28994ea76be0
Opcode Fuzzy Hash: 14e61367aea5ce794db5bc23aff2e5a84b8ebd65705f29ca6036771b69a4475f
Instruction Fuzzy Hash: 3101F732701226BBCB314B79AC45E677B98EF45BB9B100720F909E3140C721D909E6E0

Function 00F97464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00F9747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00F97497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00F974AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00F974CA

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 120ac3b9d499ae46067795d1c0a6b4050c884f0d13dfc1d7a682a2dd8fd85c23
Instruction ID: 218c2d95ff1a4f2a4597e9fcdf24f7476090667effa338d39bdc6cb4327dbbf3
Opcode Fuzzy Hash: 120ac3b9d499ae46067795d1c0a6b4050c884f0d13dfc1d7a682a2dd8fd85c23
Instruction Fuzzy Hash: BE117CB1615314DBFB20DF19DD09F927BB8EB00B00F108569E61AD7192D770E904AB90

Function 00F9B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00F9ACD3,?,00008000), ref: 00F9B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00F9ACD3,?,00008000), ref: 00F9B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00F9ACD3,?,00008000), ref: 00F9B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00F9ACD3,?,00008000), ref: 00F9B126

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: bb53a9da0ab159c19e107a50e9bf73054b1c5af7597a3e5445d04957fa461273
Instruction ID: 9fe8d4fdb16d49c5076d3f6a9e7d471c27c3a49995ee0732e7db330947261856
Opcode Fuzzy Hash: bb53a9da0ab159c19e107a50e9bf73054b1c5af7597a3e5445d04957fa461273
Instruction Fuzzy Hash: C0115B31C0162CE7DF00AFE5EA69AEEBF78FF49711F114095D941B3181CB305690AB91

Function 00FC7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00FC7E33
ScreenToClient.USER32(?,?), ref: 00FC7E4B
ScreenToClient.USER32(?,?), ref: 00FC7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00FC7E8A

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: f4b712aacbdd29a9b24b8243c8c37e898a9bfc144ea35193784846a031a42314
Instruction ID: c0d0f4b62357bcf0236d9d663ba72efadd93a437388e007cdc9d813510399999
Opcode Fuzzy Hash: f4b712aacbdd29a9b24b8243c8c37e898a9bfc144ea35193784846a031a42314
Instruction Fuzzy Hash: 9A1143B9D0020AAFDB41DF98C985AEEBBF5FF08310F505056E915E3210D735AA55DF90

Function 00F92DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00F92DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00F92DD6
GetCurrentThreadId.KERNEL32 ref: 00F92DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00F92DE4

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 44e4dbd15b1b616dd9f7fb305a2cb2d33b23498a9e6252eeb57a4e60a5161bc9
Instruction ID: 144dee92e64faa8a6624549b5f151be75f179b1a7d99048983155b2a260a818c
Opcode Fuzzy Hash: 44e4dbd15b1b616dd9f7fb305a2cb2d33b23498a9e6252eeb57a4e60a5161bc9
Instruction Fuzzy Hash: 2CE065715012287AEB2017639D0EFE73E5CEF42B61F000015F109D20409AA18445F6F0

Function 00FC8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00F49639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F49693
Part of subcall function 00F49639: SelectObject.GDI32(?,00000000), ref: 00F496A2
Part of subcall function 00F49639: BeginPath.GDI32(?), ref: 00F496B9
Part of subcall function 00F49639: SelectObject.GDI32(?,00000000), ref: 00F496E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00FC8887
LineTo.GDI32(?,?,?), ref: 00FC8894
EndPath.GDI32(?), ref: 00FC88A4
StrokePath.GDI32(?), ref: 00FC88B2

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 95405e36052e4e5ad9e37b7c1c0df9d0fc9e25b668cc719f878a003f69f3baf9
Instruction ID: 9b63ccc69464b041c584f1f44f85084b2d9998bae0e21f412e6f42e7b647afa8
Opcode Fuzzy Hash: 95405e36052e4e5ad9e37b7c1c0df9d0fc9e25b668cc719f878a003f69f3baf9
Instruction Fuzzy Hash: 0AF05E36045259FADB225F94AD0AFDE3F59AF06310F048004FA55A60E1C7B95511EFE5

Function 00F498B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00F498CC
SetTextColor.GDI32(?,?), ref: 00F498D6
SetBkMode.GDI32(?,00000001), ref: 00F498E9
GetStockObject.GDI32(00000005), ref: 00F498F1

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 96552f8f42157becf96a02fbaa393c25dfad74ce8a45c905fd37aa6f158082d6
Instruction ID: 5c1c4ceddffb8e5fd02ad80ee2e231ab27fad2f1d231e62b30bd7e67d193f91e
Opcode Fuzzy Hash: 96552f8f42157becf96a02fbaa393c25dfad74ce8a45c905fd37aa6f158082d6
Instruction Fuzzy Hash: B0E06531644284AEDB216B75BD0AFD93F10AB51735F188219F6FD590E1C3718640BB10

Function 00F9162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00F91634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00F911D9), ref: 00F9163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00F911D9), ref: 00F91648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00F911D9), ref: 00F9164F

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: bca393a582915906600dd5a68e5298d5218136badb4826c3382f8c126f5301ba
Instruction ID: fe12c3bd0f2ca3a3df0fe1b138b698db01c2aa7ecb957ea13cd944e2b6fa2322
Opcode Fuzzy Hash: bca393a582915906600dd5a68e5298d5218136badb4826c3382f8c126f5301ba
Instruction Fuzzy Hash: FBE08671E41215DBEB201FA0AF0EF863B7CBF847A1F184818F249CA080D6358441E790

Function 00F8D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00F8D858
GetDC.USER32(00000000), ref: 00F8D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F8D882
ReleaseDC.USER32(?), ref: 00F8D8A3

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 674cf15e36a41e750dc82351f9c6450270ee939679fdbaa66f429d474ec3ba35
Instruction ID: 76a214a5b8b12438c8e0a5f1706fcfd5792bfbbde9d2bf25199ea6c5332c53dd
Opcode Fuzzy Hash: 674cf15e36a41e750dc82351f9c6450270ee939679fdbaa66f429d474ec3ba35
Instruction Fuzzy Hash: 1EE09AB5840209DFCB41AFA4DA0DA6DBBB5FB48311F148459E84EE7250C7399942BF90

Function 00F8D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00F8D86C
GetDC.USER32(00000000), ref: 00F8D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F8D882
ReleaseDC.USER32(?), ref: 00F8D8A3

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: a7a1b9e512ac22d0ca4b0a8023fe0e2fc676f5e90cf111d13c9f0095ab054513
Instruction ID: 1162f6728b65c86691595b0d65a79818ae836713465b2b0507efc878af7135cc
Opcode Fuzzy Hash: a7a1b9e512ac22d0ca4b0a8023fe0e2fc676f5e90cf111d13c9f0095ab054513
Instruction Fuzzy Hash: CCE092B5C00208EFCB51AFA4DA0DA6DBBB5BB48311F148449E94EE7250CB399902BF90

Function 00F3BBE0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00F3BEB3

Strings

D%, xrefs: 00F3BC2F
D%, xrefs: 00F3BC28

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%$D%
API String ID: 1385522511-485025506
Opcode ID: 3738c92ba9d45e618168756cf39bff34c91476b95b40f9e89446452b06fb443b
Instruction ID: 2e8cdb7c856792cddef04331c4262e98887227b240044b8142f20c7b13a7833d
Opcode Fuzzy Hash: 3738c92ba9d45e618168756cf39bff34c91476b95b40f9e89446452b06fb443b
Instruction Fuzzy Hash: A1911B75E00206DFCB28CF59C0A16A9B7F1FF58325F24416EDA85AB351D731E981EB90

Function 00FA4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F37620: _wcslen.LIBCMT ref: 00F37625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00FA4ED4

Strings

LPT, xrefs: 00FA4DFB
*, xrefs: 00FA4E10

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: d1161a41e9ba979f50bc7d99ac94216b5c4f69db62ec486190a9fe281499e679
Instruction ID: 11a1675128611ebb7451a58e27779045c30c2c71d7ce061ed7b57ee7681c0533
Opcode Fuzzy Hash: d1161a41e9ba979f50bc7d99ac94216b5c4f69db62ec486190a9fe281499e679
Instruction Fuzzy Hash: 409161B5A00204DFCB14DF58C485EAABBF1BF85314F198099E80A9F3A2C775ED85DB91

Function 00F5E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00F5E30D

Strings

pow, xrefs: 00F5E2E5, 00F5E302

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 023a1bf50456337be355d760fd0149bb4c13f172e2e70535d91bca03659d9005
Instruction ID: 0d9bc7823350ded7b9a10e338e7994d098e8451abdb5872f95de85bef107a9db
Opcode Fuzzy Hash: 023a1bf50456337be355d760fd0149bb4c13f172e2e70535d91bca03659d9005
Instruction Fuzzy Hash: F3518E61E0C30196CB197724CD0137A7F94AB60766F304D99E8D5422EDEB358DCDBB86

Function 00F4E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00F4E1B1

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: e67a0cc5154406ed5a4adab4a49b7dd42ff53276188d4d5b9f7a8c39a10ead4d
Instruction ID: b01389cc9061adf678ca0a7a0d2c8c4b74af5ce210c5fa4434a6d370a628fe42
Opcode Fuzzy Hash: e67a0cc5154406ed5a4adab4a49b7dd42ff53276188d4d5b9f7a8c39a10ead4d
Instruction Fuzzy Hash: 2C51F235E04246DFDB15EF28C8816FE7BA8FF55320F244055ECA19B290D7789E42EB90

Function 00F4F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00F4F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00F4F2BB

Strings

@, xrefs: 00F4F2AF

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 9bc0238f8b4b1e576644f9e1fb9be883e4f1d92a634d6e1db54c38277f40d65d
Instruction ID: 9d882b8d41fcdfa7a3181e5d1932858686253ff690acd0059ad2a47548e15605
Opcode Fuzzy Hash: 9bc0238f8b4b1e576644f9e1fb9be883e4f1d92a634d6e1db54c38277f40d65d
Instruction Fuzzy Hash: B95137B140C7489BD320AF11DC86BAFBBF8FB84310F81885DF2D952195EB748529DB66

Function 00FB5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00FB57E0
_wcslen.LIBCMT ref: 00FB57EC

Strings

CALLARGARRAY, xrefs: 00FB57E6, 00FB57EB

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 137e8301410ef08a20abfd5c6fdfe2dfbb8c8c765377634c79ba21cff42a6e40
Instruction ID: 3dc8b9b62c3fb12eed21150cdf7ad36c66e92bbe5f23d8a3675c98f87961abe0
Opcode Fuzzy Hash: 137e8301410ef08a20abfd5c6fdfe2dfbb8c8c765377634c79ba21cff42a6e40
Instruction Fuzzy Hash: A3419F31E002099FCB14DFAAC882AEEBBB5EF59724F144029E505A7251E778DD81EF90

Function 00FAD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FAD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00FAD13A

Strings

|, xrefs: 00FAD10B

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: f0b2c2aea5d41ad610cb2ebcc6b8f947a6f40f55f3303617beefbfe8ba816bab
Instruction ID: 3c3e24b0e313a9c1e000d4691af83ae882838879d596ca375fcbaa8b9e5a803f
Opcode Fuzzy Hash: f0b2c2aea5d41ad610cb2ebcc6b8f947a6f40f55f3303617beefbfe8ba816bab
Instruction Fuzzy Hash: 97313E71D00109EBDF15EFA4CC85AEE7FB9FF05310F104019F815A6161D735AA46EB64

Function 00FC4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00FC461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FC4634

Strings

', xrefs: 00FC458E

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 324617a1965e0b82d2be3681b3fc854bdd4fd450c0dda0cc8d465c66b9bf87fe
Instruction ID: 04f453ed61a9012287b9bdcc55f16a289f42a13e948bd65ad1ac080fcd153758
Opcode Fuzzy Hash: 324617a1965e0b82d2be3681b3fc854bdd4fd450c0dda0cc8d465c66b9bf87fe
Instruction Fuzzy Hash: FF313975A0020A9FDB14CF69CA91FDABBB5FF49310F14446AE904AB385D770A941EF90

Function 00FC31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00FC327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FC3287

Strings

Combobox, xrefs: 00FC3249

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: dc7d7178ff97b112af1062aa60839d8961a44e29976a54a82e3781722ab77d2e
Instruction ID: 4bb80e7008905cd6f0f185c6a15de268f17b467753a9be9f46b4d57226114778
Opcode Fuzzy Hash: dc7d7178ff97b112af1062aa60839d8961a44e29976a54a82e3781722ab77d2e
Instruction Fuzzy Hash: A811E27170020A7FEF219E54DD82FFB376AEB943B4F108128F91897290D631DD51A760

Function 00FACD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00FACD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00FACDA6

Strings

<local>, xrefs: 00FACD66

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 1efb0971847ed22c4c3ef3e778e2f9957dd375969a73a2059a4a0a5b2b057621
Instruction ID: d9033af4d6d3a068badd62f66f0eda61cdae57e31349da8564ea043a804d582b
Opcode Fuzzy Hash: 1efb0971847ed22c4c3ef3e778e2f9957dd375969a73a2059a4a0a5b2b057621
Instruction Fuzzy Hash: 8411A3B26156367AD7244B668C45FE7BE6CEF137B4F004226F12983180D7609840E6F0

Function 00F96C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

CharUpperBuffW.USER32(?,?,?), ref: 00F96CB6
_wcslen.LIBCMT ref: 00F96CC2

Strings

STOP, xrefs: 00F96CBC, 00F96CC1

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 7037d3262c2765224f4b3c141a971d56b61d883d949c79d045520ee352b5c99c
Instruction ID: 40d850fc4dd9e01afce3b2102aa4ac832e267dab023be549c44c86cd99108c35
Opcode Fuzzy Hash: 7037d3262c2765224f4b3c141a971d56b61d883d949c79d045520ee352b5c99c
Instruction Fuzzy Hash: 95010432A045278ADF219FBDDC819BF37A4EE60720B000525F862D3190EA75E840E650

Function 00F91CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

Part of subcall function 00F93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F93CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00F91D4C

Strings

ListBox, xrefs: 00F91D16
ComboBox, xrefs: 00F91CEB

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ace332fe397bd5fc68e2fcc80f3b7d09884bf3a1cfce263f8df272968cf13764
Instruction ID: b3a8068ee0d18b4b04a8bb5850bda1e2aefa452bcf7da58f7c97388acd5997b4
Opcode Fuzzy Hash: ace332fe397bd5fc68e2fcc80f3b7d09884bf3a1cfce263f8df272968cf13764
Instruction Fuzzy Hash: FB012831E04219AB9F08EBA0CD11DFE73A8FF423A0F00051AF922573D1EAB45908F660

Function 00F91BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

Part of subcall function 00F93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F93CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00F91C46

Strings

ListBox, xrefs: 00F91C10
ComboBox, xrefs: 00F91BE5

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: d22880e4433ba87f5eab090a903db8bd02279c2b7da883cd020772b1280a807e
Instruction ID: 455b3196ffa1e9e4dda661e818fbe137dfd2925e5240b3dc813e3d95be3543c8
Opcode Fuzzy Hash: d22880e4433ba87f5eab090a903db8bd02279c2b7da883cd020772b1280a807e
Instruction Fuzzy Hash: 0701F771A8810966EF04EB90CE52EFF77A8AF51350F100029B90663281EAA59E08F6B1

Function 00F91C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

Part of subcall function 00F93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F93CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00F91CC8

Strings

ListBox, xrefs: 00F91C94
ComboBox, xrefs: 00F91C69

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: a546058634786fc42cd2f0f6d160e090df38f67543e6b43c2d1a330d3b465847
Instruction ID: efd387868d3981526ff41e826e1f807a56a92cf20bcde10fc1b08d2af3da6922
Opcode Fuzzy Hash: a546058634786fc42cd2f0f6d160e090df38f67543e6b43c2d1a330d3b465847
Instruction Fuzzy Hash: B601A775B4411966DF04E790CE01AFE77A8AF11350F540025B90573281EAA49F08F671

Function 00F91D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

Part of subcall function 00F93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F93CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00F91DD3

Strings

ListBox, xrefs: 00F91DA0
ComboBox, xrefs: 00F91D75

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: f4b579fabfa515b30d32df19aef31b0cab2f032b20b8ef0c2b72c2a1a47c28ba
Instruction ID: 965e39a0fb02353086f94202bf488538f1ce6cb4876726f328dcf4cc98abb5dd
Opcode Fuzzy Hash: f4b579fabfa515b30d32df19aef31b0cab2f032b20b8ef0c2b72c2a1a47c28ba
Instruction Fuzzy Hash: 1FF0F471A4421966EF04E7A4CD52FFE77A8BF41360F040926B922A32C1DAE4990CA2A0

Function 00FB747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FB7493
_wcslen.LIBCMT ref: 00FB74B9

Strings

3, 3, 16, 1, xrefs: 00FB7483

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 2371fb37b72f348a23aceaa28538e4b891f1b6702e596a54f3188ea55ef53470
Instruction ID: a88b14117881bc444a12f04ff2ceaedf2d26917dce0a07c57a68b0c9a7af1d1c
Opcode Fuzzy Hash: 2371fb37b72f348a23aceaa28538e4b891f1b6702e596a54f3188ea55ef53470
Instruction Fuzzy Hash: 3EE02B06A04320E09331327BDCC29BF7689CFC5762710182BFE81C2266EA98DDD1B3A1

Function 00F90B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00F90B23

Strings

Error allocating memory., xrefs: 00F90B1C
AutoIt, xrefs: 00F90B17

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 698c3ed119e4521c0f9be3dfac7435b92e49c0ab5eec890c008273e7c51ce9e4
Instruction ID: 3bffe48aaabe928ba1d8c17a70365d6a4517bac35ffc52aa5ede24b31d18bf3f
Opcode Fuzzy Hash: 698c3ed119e4521c0f9be3dfac7435b92e49c0ab5eec890c008273e7c51ce9e4
Instruction Fuzzy Hash: DEE0D8312443083AD21437547D03FC97E848F05F21F10042AFB9C959C38EE6649036E9

Function 00F50D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00F4F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00F50D71,?,?,?,00F3100A), ref: 00F4F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00F3100A), ref: 00F50D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00F3100A), ref: 00F50D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00F50D7F

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 8e258f0e16443c7adc37d65c1d7d48f0d40a7357dd90576b763490de58492a6a
Instruction ID: d8f19f91606a04279657718a7caebcbbbb70cdfd4c7b74361df04726444c09b9
Opcode Fuzzy Hash: 8e258f0e16443c7adc37d65c1d7d48f0d40a7357dd90576b763490de58492a6a
Instruction Fuzzy Hash: 42E06D702003418BD3309FB8DA05B82BBF0AF00741F00892DE986C7656DFB9E44CAB91

Function 00F8D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00F8D220

Strings

%.3d, xrefs: 00F8D22B
X64, xrefs: 00F8D2A8

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: d40b073e54bc2aa37d24d9c43ed005dfb1834f2e07e27fff0907c3f6b23d0bac
Instruction ID: 31203d498f5cfe12c2427302e164e10b8d4915e3da72cbf3302a72d895cd4282
Opcode Fuzzy Hash: d40b073e54bc2aa37d24d9c43ed005dfb1834f2e07e27fff0907c3f6b23d0bac
Instruction Fuzzy Hash: 80D06262C49119F9CB50BAD4DD4AEF9B77CEF59341F508452FD0AD2080D628D5487761

Function 00FC2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FC236C
PostMessageW.USER32(00000000), ref: 00FC2373

Part of subcall function 00F9E97B: Sleep.KERNEL32 ref: 00F9E9F3

Strings

Shell_TrayWnd, xrefs: 00FC2365

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: d36e5f4308706b78bd04952f7c117eb85cb11b37e714b41edef8bf9b1f795c7d
Instruction ID: c2a51021c431737ce0207b6e84e449734411e9f03029dcceb887d7b07198b14b
Opcode Fuzzy Hash: d36e5f4308706b78bd04952f7c117eb85cb11b37e714b41edef8bf9b1f795c7d
Instruction Fuzzy Hash: 43D0C9327813147AE664B7719E0FFC676149B04B14F004916B74AEA1E0C9A4A801AA94

Function 00FC2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FC232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00FC233F

Part of subcall function 00F9E97B: Sleep.KERNEL32 ref: 00F9E9F3

Strings

Shell_TrayWnd, xrefs: 00FC2325

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a554b6024434706ca2263bc42d792f5577a182be18f556ab2016d4484aeff892
Instruction ID: f9bbeba68b68980550c66e8ee35171ead03d99d67503762cc617969e5b009a5e
Opcode Fuzzy Hash: a554b6024434706ca2263bc42d792f5577a182be18f556ab2016d4484aeff892
Instruction Fuzzy Hash: BDD0C936794314B6E664B7719E0FFD67A149B00B14F004916B74AEA1E0C9A4A801AA94

Function 00F6BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00F6BE93
GetLastError.KERNEL32 ref: 00F6BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F6BEFC

Memory Dump Source

Source File: 00000000.00000002.1720307830.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1720293427.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720355962.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720392451.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1720406394.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_EPIRTURMEROOO0060.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: aa605880860a04613c2cb0492c8aa5807a3ea2aa1d593daab5a73f34587878ed
Instruction ID: c61bfd96316b9ab7ee47d7bccf754ee254a42abc415ce1a205446e4adc5a56ad
Opcode Fuzzy Hash: aa605880860a04613c2cb0492c8aa5807a3ea2aa1d593daab5a73f34587878ed
Instruction Fuzzy Hash: 17410635A04206AFCF218FA5CC44BBA7BA5EF51320F144169F959DB1B1DB318C85FB60

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report EPIRTURMEROOO0060.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Thebit

C:\Users\user\AppData\Local\Temp\aut22DD.tmp

C:\Users\user\AppData\Local\Temp\aut27C0.tmp

C:\Users\user\AppData\Local\Temp\miaoued

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
EPIRTURMEROOO0060.exe

Function 00F342DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 00F3D85A Relevance: 12.5, APIs: 8, Instructions: 481
timeCOMMON

Function 00F342A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00F72BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00F32CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00F7065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00F3344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00F32B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00F33170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 00F68D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Function 011A1A10 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00F32C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 011A17E0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 144
fileCOMMON

Function 00FA2947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre