Edit tour

Windows Analysis Report
987656789009800.exe

Overview

General Information

Sample name:	987656789009800.exe
Analysis ID:	1581362
MD5:	ac4ab3c4b9386b0355d8645f77f91e3e
SHA1:	b87289c4a2290c6efb49ae38373a174f7d34c4e1
SHA256:	363da150d891da7bb5da8056414882429067a0fcb27f58363567567bf18a323e
Tags:	AgentTeslaexeinfostealermalwaretrojanuser-Joker
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected AgentTesla

Yara detected AntiVM3

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Drops VBS files to the startup folder

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected Generic Downloader

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

PE file contains executable resources (Code or Archives)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

987656789009800.exe (PID: 7324 cmdline: "C:\Users\user\Desktop\987656789009800.exe" MD5: AC4AB3C4B9386B0355D8645F77F91E3E)

tapestrylike.exe (PID: 7376 cmdline: "C:\Users\user\Desktop\987656789009800.exe" MD5: AC4AB3C4B9386B0355D8645F77F91E3E)

RegSvcs.exe (PID: 7404 cmdline: "C:\Users\user\Desktop\987656789009800.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

wscript.exe (PID: 7584 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tapestrylike.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

tapestrylike.exe (PID: 7648 cmdline: "C:\Users\user\AppData\Local\interseminating\tapestrylike.exe" MD5: AC4AB3C4B9386B0355D8645F77F91E3E)

RegSvcs.exe (PID: 7728 cmdline: "C:\Users\user\AppData\Local\interseminating\tapestrylike.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.antoniomayol.com:21", "Username": "johnson@antoniomayol.com", "Password": "cMhKDQUk1{;%"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.1857662810.00000000032C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.1857662810.00000000032C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000004.00000002.1857662810.00000000032C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.1857662810.00000000032C0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34735:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x347a7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34831:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x348c3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3492d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3499f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34a35:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34ac5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000004.00000002.1857662810.00000000032C0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3196b:$s2: GetPrivateProfileString 0x31018:$s3: get_OSFullName 0x32706:$s5: remove_Key 0x328b3:$s5: remove_Key 0x33795:$s6: FtpWebRequest 0x34717:$s7: logins 0x34c89:$s7: logins 0x3798e:$s7: logins 0x37a4c:$s7: logins 0x393a1:$s7: logins 0x385e6:$s9: 1.85 (Hash, version 2, native byte-order)
00000001.00000002.1717320804.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1717320804.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000001.00000002.1717320804.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.1717320804.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34735:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x347a7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34831:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x348c3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3492d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3499f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34a35:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34ac5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000001.00000002.1717320804.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3196b:$s2: GetPrivateProfileString 0x31018:$s3: get_OSFullName 0x32706:$s5: remove_Key 0x328b3:$s5: remove_Key 0x33795:$s6: FtpWebRequest 0x34717:$s7: logins 0x34c89:$s7: logins 0x3798e:$s7: logins 0x37a4c:$s7: logins 0x393a1:$s7: logins 0x385e6:$s9: 1.85 (Hash, version 2, native byte-order)
00000002.00000002.1854263936.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1854263936.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.1856437351.000000000331E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.4134977788.00000000031D6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.4134977788.00000000031EE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.1856437351.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1856437351.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: tapestrylike.exe PID: 7376	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: tapestrylike.exe PID: 7376	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: tapestrylike.exe PID: 7376	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 7404	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7404	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: tapestrylike.exe PID: 7648	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: tapestrylike.exe PID: 7648	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: tapestrylike.exe PID: 7648	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 7728	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7728	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 22 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34735:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x347a7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34831:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x348c3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3492d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3499f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34a35:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34ac5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3196b:$s2: GetPrivateProfileString 0x31018:$s3: get_OSFullName 0x32706:$s5: remove_Key 0x328b3:$s5: remove_Key 0x33795:$s6: FtpWebRequest 0x34717:$s7: logins 0x34c89:$s7: logins 0x3798e:$s7: logins 0x37a4c:$s7: logins 0x393a1:$s7: logins 0x385e6:$s9: 1.85 (Hash, version 2, native byte-order)
1.2.tapestrylike.exe.dc0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.tapestrylike.exe.dc0000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.tapestrylike.exe.dc0000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.tapestrylike.exe.dc0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34735:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x347a7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34831:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x348c3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3492d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3499f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34a35:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34ac5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.tapestrylike.exe.dc0000.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3196b:$s2: GetPrivateProfileString 0x31018:$s3: get_OSFullName 0x32706:$s5: remove_Key 0x328b3:$s5: remove_Key 0x33795:$s6: FtpWebRequest 0x34717:$s7: logins 0x34c89:$s7: logins 0x3798e:$s7: logins 0x37a4c:$s7: logins 0x393a1:$s7: logins 0x385e6:$s9: 1.85 (Hash, version 2, native byte-order)
4.2.tapestrylike.exe.32c0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.tapestrylike.exe.32c0000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.tapestrylike.exe.32c0000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.tapestrylike.exe.32c0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34735:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x347a7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34831:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x348c3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3492d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3499f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34a35:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34ac5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.tapestrylike.exe.32c0000.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3196b:$s2: GetPrivateProfileString 0x31018:$s3: get_OSFullName 0x32706:$s5: remove_Key 0x328b3:$s5: remove_Key 0x33795:$s6: FtpWebRequest 0x34717:$s7: logins 0x34c89:$s7: logins 0x3798e:$s7: logins 0x37a4c:$s7: logins 0x393a1:$s7: logins 0x385e6:$s9: 1.85 (Hash, version 2, native byte-order)
1.2.tapestrylike.exe.dc0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.tapestrylike.exe.dc0000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.tapestrylike.exe.dc0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32935:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x329a7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x32a31:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x32ac3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32b2d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32b9f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32c35:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32cc5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.tapestrylike.exe.dc0000.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2fb6b:$s2: GetPrivateProfileString 0x2f218:$s3: get_OSFullName 0x30906:$s5: remove_Key 0x30ab3:$s5: remove_Key 0x31995:$s6: FtpWebRequest 0x32917:$s7: logins 0x32e89:$s7: logins 0x35b8e:$s7: logins 0x35c4c:$s7: logins 0x375a1:$s7: logins 0x367e6:$s9: 1.85 (Hash, version 2, native byte-order)
4.2.tapestrylike.exe.32c0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.tapestrylike.exe.32c0000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.tapestrylike.exe.32c0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32935:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x329a7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x32a31:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x32ac3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32b2d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32b9f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32c35:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32cc5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.tapestrylike.exe.32c0000.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2fb6b:$s2: GetPrivateProfileString 0x2f218:$s3: get_OSFullName 0x30906:$s5: remove_Key 0x30ab3:$s5: remove_Key 0x31995:$s6: FtpWebRequest 0x32917:$s7: logins 0x32e89:$s7: logins 0x35b8e:$s7: logins 0x35c4c:$s7: logins 0x375a1:$s7: logins 0x367e6:$s9: 1.85 (Hash, version 2, native byte-order)
Click to see the 18 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tapestrylike.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tapestrylike.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tapestrylike.vbs" , ProcessId: 7584, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tapestrylike.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tapestrylike.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tapestrylike.vbs" , ProcessId: 7584, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe, ProcessId: 7376, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tapestrylike.vbs

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 1.2.tapestrylike.exe.dc0000.1.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.antoniomayol.com:21", "Username": "johnson@antoniomayol.com", "Password": "cMhKDQUk1{;%"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe

ReversingLabs: Detection: 68%

Multi AV Scanner detection for submitted file

Source: 987656789009800.exe	Virustotal: Detection: 78%			Perma Link
Source: 987656789009800.exe	ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 987656789009800.exe

Joe Sandbox ML: detected

Source: 987656789009800.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: tapestrylike.exe, 00000001.00000003.1716166924.0000000003890000.00000004.00001000.00020000.00000000.sdmp, tapestrylike.exe, 00000001.00000003.1714570080.00000000036F0000.00000004.00001000.00020000.00000000.sdmp, tapestrylike.exe, 00000004.00000003.1850350907.0000000003800000.00000004.00001000.00020000.00000000.sdmp, tapestrylike.exe, 00000004.00000003.1850674051.0000000003660000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: tapestrylike.exe, 00000001.00000003.1716166924.0000000003890000.00000004.00001000.00020000.00000000.sdmp, tapestrylike.exe, 00000001.00000003.1714570080.00000000036F0000.00000004.00001000.00020000.00000000.sdmp, tapestrylike.exe, 00000004.00000003.1850350907.0000000003800000.00000004.00001000.00020000.00000000.sdmp, tapestrylike.exe, 00000004.00000003.1850674051.0000000003660000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_0073445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0073445A
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_0073C6D1 FindFirstFileW,FindClose,	0_2_0073C6D1
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_0073C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0073C75C
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_0073EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0073EF95
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_0073F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0073F0F2
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_0073F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0073F3F3
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_007337EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_007337EF
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_00733B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00733B12
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_0073BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0073BCBC
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003B445A GetFileAttributesW,FindFirstFileW,FindClose,	1_2_003B445A
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003BC6D1 FindFirstFileW,FindClose,	1_2_003BC6D1
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003BC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_003BC75C
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003BEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_003BEF95
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003BF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_003BF0F2
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003BF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_003BF3F3
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003B37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_003B37EF
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003B3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_003B3B12
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003BBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_003BBCBC
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003B445A GetFileAttributesW,FindFirstFileW,FindClose,	4_2_003B445A
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003BC6D1 FindFirstFileW,FindClose,	4_2_003BC6D1
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003BC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	4_2_003BC75C
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003BEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	4_2_003BEF95
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003BF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	4_2_003BF0F2
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003BF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	4_2_003BF3F3
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003B37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	4_2_003B37EF
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003B3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	4_2_003B3B12
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003BBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	4_2_003BBCBC

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tapestrylike.exe.dc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.tapestrylike.exe.32c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1857662810.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1717320804.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 162.241.62.63 162.241.62.63

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: unknown

DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\987656789009800.exe

Code function: 0_2_007422EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_007422EE

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: ftp.antoniomayol.com

Source: RegSvcs.exe, 00000002.00000002.1856437351.000000000331E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4134977788.00000000031EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://antoniomayol.com
Source: RegSvcs.exe, 00000002.00000002.1856437351.000000000331E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4134977788.00000000031EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ftp.antoniomayol.com
Source: RegSvcs.exe, 00000002.00000002.1856437351.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4134977788.000000000319C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: tapestrylike.exe, 00000001.00000002.1717320804.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1854263936.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1856437351.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, tapestrylike.exe, 00000004.00000002.1857662810.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4134977788.000000000319C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 00000002.00000002.1856437351.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4134977788.000000000319C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: tapestrylike.exe, 00000001.00000002.1717320804.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1854263936.0000000000402000.00000040.80000000.00040000.00000000.sdmp, tapestrylike.exe, 00000004.00000002.1857662810.00000000032C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 1.2.tapestrylike.exe.dc0000.1.raw.unpack, R1W.cs	.Net Code: HAg81
Source: 4.2.tapestrylike.exe.32c0000.1.raw.unpack, R1W.cs	.Net Code: HAg81

Source: C:\Users\user\Desktop\987656789009800.exe

Code function: 0_2_00744164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00744164

Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_00744164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	0_2_00744164
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003C4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	1_2_003C4164
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003C4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	4_2_003C4164

Source: C:\Users\user\Desktop\987656789009800.exe

Code function: 0_2_00743F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00743F66

Source: C:\Users\user\Desktop\987656789009800.exe

Code function: 0_2_0073001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_0073001C

Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_0075CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	0_2_0075CABC
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003DCABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	1_2_003DCABC
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003DCABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	4_2_003DCABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 1.2.tapestrylike.exe.dc0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.tapestrylike.exe.dc0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 4.2.tapestrylike.exe.32c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.tapestrylike.exe.32c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 1.2.tapestrylike.exe.dc0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.tapestrylike.exe.dc0000.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 4.2.tapestrylike.exe.32c0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.tapestrylike.exe.32c0000.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000004.00000002.1857662810.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000004.00000002.1857662810.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000001.00000002.1717320804.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000001.00000002.1717320804.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\987656789009800.exe	Code function: This is a third-party compiled AutoIt script.	0_2_006D3B3A
Source: 987656789009800.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 987656789009800.exe, 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6ca6d131-9
Source: 987656789009800.exe, 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_c2df5f28-b
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: This is a third-party compiled AutoIt script.	1_2_00353B3A
Source: tapestrylike.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: tapestrylike.exe, 00000001.00000002.1716957004.0000000000404000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_aca14bdd-2
Source: tapestrylike.exe, 00000001.00000002.1716957004.0000000000404000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_148fb798-e
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: This is a third-party compiled AutoIt script.	4_2_00353B3A
Source: tapestrylike.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: tapestrylike.exe, 00000004.00000002.1854321613.0000000000404000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_49e9293d-9
Source: tapestrylike.exe, 00000004.00000002.1854321613.0000000000404000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_9262de6b-4

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006D3633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	0_2_006D3633
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_0075C1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	0_2_0075C1AC
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_0075C498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	0_2_0075C498
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_0075C57D SendMessageW,NtdllDialogWndProc_W,	0_2_0075C57D
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_0075C5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	0_2_0075C5FE
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_0075C860 NtdllDialogWndProc_W,	0_2_0075C860
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_0075C8BE NtdllDialogWndProc_W,	0_2_0075C8BE
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_0075C88F NtdllDialogWndProc_W,	0_2_0075C88F
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_0075C93E ClientToScreen,NtdllDialogWndProc_W,	0_2_0075C93E
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_0075C909 NtdllDialogWndProc_W,	0_2_0075C909
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_0075CA7C GetWindowLongW,NtdllDialogWndProc_W,	0_2_0075CA7C
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_0075CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	0_2_0075CABC
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006D1287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,745EC8D0,NtdllDialogWndProc_W,	0_2_006D1287
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006D1290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,	0_2_006D1290
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_0075D3B8 NtdllDialogWndProc_W,	0_2_0075D3B8
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_0075D43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	0_2_0075D43E
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006D167D NtdllDialogWndProc_W,	0_2_006D167D
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006D16DE GetParent,NtdllDialogWndProc_W,	0_2_006D16DE
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006D16B5 NtdllDialogWndProc_W,	0_2_006D16B5
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_0075D78C NtdllDialogWndProc_W,	0_2_0075D78C
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006D189B NtdllDialogWndProc_W,	0_2_006D189B
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_0075BC5D NtdllDialogWndProc_W,CallWindowProcW,	0_2_0075BC5D
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_0075BF30 NtdllDialogWndProc_W,	0_2_0075BF30
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_0075BF8C ReleaseCapture,ChrCmpIA,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	0_2_0075BF8C
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_00353633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	1_2_00353633
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003DC1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	1_2_003DC1AC
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003DC498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	1_2_003DC498
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003DC57D SendMessageW,NtdllDialogWndProc_W,	1_2_003DC57D
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003DC5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	1_2_003DC5FE
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003DC860 NtdllDialogWndProc_W,	1_2_003DC860
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003DC8BE NtdllDialogWndProc_W,	1_2_003DC8BE
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003DC88F NtdllDialogWndProc_W,	1_2_003DC88F
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003DC93E ClientToScreen,NtdllDialogWndProc_W,	1_2_003DC93E
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003DC909 NtdllDialogWndProc_W,	1_2_003DC909
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003DCA7C GetWindowLongW,NtdllDialogWndProc_W,	1_2_003DCA7C
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003DCABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	1_2_003DCABC
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_00351290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,	1_2_00351290
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_00351287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,745EC8D0,NtdllDialogWndProc_W,	1_2_00351287
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003DD3B8 NtdllDialogWndProc_W,	1_2_003DD3B8
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003DD43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	1_2_003DD43E
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_0035167D NtdllDialogWndProc_W,	1_2_0035167D
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003516B5 NtdllDialogWndProc_W,	1_2_003516B5
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003516DE GetParent,NtdllDialogWndProc_W,	1_2_003516DE
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003DD78C NtdllDialogWndProc_W,	1_2_003DD78C
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_0035189B NtdllDialogWndProc_W,	1_2_0035189B
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003DBC5D NtdllDialogWndProc_W,CallWindowProcW,	1_2_003DBC5D
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003DBF30 NtdllDialogWndProc_W,	1_2_003DBF30
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003DBF8C ReleaseCapture,ChrCmpIA,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	1_2_003DBF8C
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_00353633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	4_2_00353633
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003DC1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	4_2_003DC1AC
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003DC498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	4_2_003DC498
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003DC57D SendMessageW,NtdllDialogWndProc_W,	4_2_003DC57D
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003DC5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	4_2_003DC5FE
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003DC860 NtdllDialogWndProc_W,	4_2_003DC860
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003DC8BE NtdllDialogWndProc_W,	4_2_003DC8BE
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003DC88F NtdllDialogWndProc_W,	4_2_003DC88F
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003DC93E ClientToScreen,NtdllDialogWndProc_W,	4_2_003DC93E
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003DC909 NtdllDialogWndProc_W,	4_2_003DC909
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003DCA7C GetWindowLongW,NtdllDialogWndProc_W,	4_2_003DCA7C
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003DCABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	4_2_003DCABC
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_00351290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,	4_2_00351290
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_00351287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,745EC8D0,NtdllDialogWndProc_W,	4_2_00351287
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003DD3B8 NtdllDialogWndProc_W,	4_2_003DD3B8
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003DD43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	4_2_003DD43E
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_0035167D NtdllDialogWndProc_W,	4_2_0035167D
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003516B5 NtdllDialogWndProc_W,	4_2_003516B5
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003516DE GetParent,NtdllDialogWndProc_W,	4_2_003516DE
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003DD78C NtdllDialogWndProc_W,	4_2_003DD78C
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_0035189B NtdllDialogWndProc_W,	4_2_0035189B
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003DBC5D NtdllDialogWndProc_W,CallWindowProcW,	4_2_003DBC5D
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003DBF30 NtdllDialogWndProc_W,	4_2_003DBF30
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003DBF8C ReleaseCapture,ChrCmpIA,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	4_2_003DBF8C

Source: C:\Users\user\Desktop\987656789009800.exe

Code function: 0_2_0073A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_0073A1EF

Source: C:\Users\user\Desktop\987656789009800.exe

Code function: 0_2_00728310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74755590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,

0_2_00728310

Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_007351BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	0_2_007351BD
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003B51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	1_2_003B51BD
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003B51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	4_2_003B51BD

Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006DE6A0	0_2_006DE6A0
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006FD975	0_2_006FD975
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006DFCE0	0_2_006DFCE0
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006F21C5	0_2_006F21C5
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_007062D2	0_2_007062D2
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_007503DA	0_2_007503DA
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_0070242E	0_2_0070242E
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006F25FA	0_2_006F25FA
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_0072E616	0_2_0072E616
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006E66E1	0_2_006E66E1
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_0070878F	0_2_0070878F
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_00750857	0_2_00750857
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_00706844	0_2_00706844
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006E8808	0_2_006E8808
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_00738889	0_2_00738889
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006FCB21	0_2_006FCB21
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_00706DB6	0_2_00706DB6
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006E6F9E	0_2_006E6F9E
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006E3030	0_2_006E3030
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006FF1D9	0_2_006FF1D9
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006F3187	0_2_006F3187
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006D1287	0_2_006D1287
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006F1484	0_2_006F1484
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006E5520	0_2_006E5520
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006F7696	0_2_006F7696
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006E5760	0_2_006E5760
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006F1978	0_2_006F1978
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_00709AB5	0_2_00709AB5
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_00757DDB	0_2_00757DDB
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006FBDA6	0_2_006FBDA6
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006F1D90	0_2_006F1D90
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006DDF00	0_2_006DDF00
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006E3FE0	0_2_006E3FE0
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_01207C80	0_2_01207C80
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_0035E6A0	1_2_0035E6A0
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_0037D975	1_2_0037D975
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_0035FCE0	1_2_0035FCE0
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003721C5	1_2_003721C5
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003862D2	1_2_003862D2
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003D03DA	1_2_003D03DA
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_0038242E	1_2_0038242E
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003725FA	1_2_003725FA
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003AE616	1_2_003AE616
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003666E1	1_2_003666E1
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_0038878F	1_2_0038878F
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_00368808	1_2_00368808
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003D0857	1_2_003D0857
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_00386844	1_2_00386844
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003B8889	1_2_003B8889
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_0037CB21	1_2_0037CB21
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_00386DB6	1_2_00386DB6
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_00366F9E	1_2_00366F9E
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_00363030	1_2_00363030
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_00373187	1_2_00373187
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_0037F1D9	1_2_0037F1D9
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_00351287	1_2_00351287
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_00371484	1_2_00371484
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_00365520	1_2_00365520
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_00377696	1_2_00377696
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_00365760	1_2_00365760
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_00371978	1_2_00371978
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_00389AB5	1_2_00389AB5
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_0037BDA6	1_2_0037BDA6
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_00371D90	1_2_00371D90
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003D7DDB	1_2_003D7DDB
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_0035DF00	1_2_0035DF00
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_00363FE0	1_2_00363FE0
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_00F66B88	1_2_00F66B88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_03124A88	2_2_03124A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_03123E70	2_2_03123E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0312AD98	2_2_0312AD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_031241B8	2_2_031241B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06B466C0	2_2_06B466C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06B47E50	2_2_06B47E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06B42440	2_2_06B42440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06B45270	2_2_06B45270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06B4C270	2_2_06B4C270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06B4B318	2_2_06B4B318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06B47770	2_2_06B47770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06B4E478	2_2_06B4E478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06B40040	2_2_06B40040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06B459C0	2_2_06B459C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06B40033	2_2_06B40033
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06B40013	2_2_06B40013
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_0035E6A0	4_2_0035E6A0
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_0037D975	4_2_0037D975
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_0035FCE0	4_2_0035FCE0
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003721C5	4_2_003721C5
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003862D2	4_2_003862D2
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003D03DA	4_2_003D03DA
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_0038242E	4_2_0038242E
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003725FA	4_2_003725FA
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003AE616	4_2_003AE616
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003666E1	4_2_003666E1
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_0038878F	4_2_0038878F
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_00368808	4_2_00368808
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003D0857	4_2_003D0857
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_00386844	4_2_00386844
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003B8889	4_2_003B8889
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_0037CB21	4_2_0037CB21
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_00386DB6	4_2_00386DB6
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_00366F9E	4_2_00366F9E
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_00363030	4_2_00363030
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_00373187	4_2_00373187
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_0037F1D9	4_2_0037F1D9
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_00351287	4_2_00351287
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_00371484	4_2_00371484
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_00365520	4_2_00365520
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_00377696	4_2_00377696
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_00365760	4_2_00365760
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_00371978	4_2_00371978
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_00389AB5	4_2_00389AB5
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_0037BDA6	4_2_0037BDA6
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_00371D90	4_2_00371D90
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003D7DDB	4_2_003D7DDB
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_0035DF00	4_2_0035DF00
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_00363FE0	4_2_00363FE0
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_00D814C8	4_2_00D814C8

Source: C:\Users\user\Desktop\987656789009800.exe	Code function: String function: 006F0AE3 appears 70 times
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: String function: 006D7DE1 appears 36 times
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: String function: 006F8900 appears 42 times
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: String function: 00381940 appears 58 times
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: String function: 00379D75 appears 46 times
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: String function: 00372EFD appears 40 times
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: String function: 00370AE3 appears 140 times
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: String function: 00351D35 appears 38 times
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: String function: 00355904 appears 50 times
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: String function: 003598C0 appears 44 times
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: String function: 00378900 appears 84 times
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: String function: 003737CB appears 38 times
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: String function: 00357DE1 appears 70 times

Source: 987656789009800.exe	Static PE information: Resource name: RT_STRING type: DOS executable (COM)
Source: tapestrylike.exe.0.dr	Static PE information: Resource name: RT_STRING type: DOS executable (COM)

Source: 987656789009800.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 1.2.tapestrylike.exe.dc0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.tapestrylike.exe.dc0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 4.2.tapestrylike.exe.32c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.tapestrylike.exe.32c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 1.2.tapestrylike.exe.dc0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.tapestrylike.exe.dc0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 4.2.tapestrylike.exe.32c0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.tapestrylike.exe.32c0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000004.00000002.1857662810.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000004.00000002.1857662810.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000001.00000002.1717320804.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000001.00000002.1717320804.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: 1.2.tapestrylike.exe.dc0000.1.raw.unpack, KLhJmaON.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.tapestrylike.exe.dc0000.1.raw.unpack, KLhJmaON.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.tapestrylike.exe.dc0000.1.raw.unpack, 7hO8luD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.tapestrylike.exe.dc0000.1.raw.unpack, 7hO8luD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.tapestrylike.exe.dc0000.1.raw.unpack, 7hO8luD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.tapestrylike.exe.dc0000.1.raw.unpack, 7hO8luD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.tapestrylike.exe.dc0000.1.raw.unpack, 9HIFdl.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.tapestrylike.exe.dc0000.1.raw.unpack, 9HIFdl.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@10/6@2/2

Source: C:\Users\user\Desktop\987656789009800.exe

Code function: 0_2_0073A06A GetLastError,FormatMessageW,

0_2_0073A06A

Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_007281CB AdjustTokenPrivileges,CloseHandle,	0_2_007281CB
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_007287E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_007287E1
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003A81CB AdjustTokenPrivileges,CloseHandle,	1_2_003A81CB
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003A87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	1_2_003A87E1
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003A81CB AdjustTokenPrivileges,CloseHandle,	4_2_003A81CB
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003A87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	4_2_003A87E1

Source: C:\Users\user\Desktop\987656789009800.exe

Code function: 0_2_0073B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0073B333

Source: C:\Users\user\Desktop\987656789009800.exe

Code function: 0_2_0074EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0074EE0D

Source: C:\Users\user\Desktop\987656789009800.exe

Code function: 0_2_007483BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_007483BB

Source: C:\Users\user\Desktop\987656789009800.exe

Code function: 0_2_006D4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_006D4E89

Source: C:\Users\user\Desktop\987656789009800.exe

File created: C:\Users\user\AppData\Local\interseminating

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\987656789009800.exe

File created: C:\Users\user\AppData\Local\Temp\aut4F42.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tapestrylike.vbs"

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\987656789009800.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 987656789009800.exe	Virustotal: Detection: 78%
Source: 987656789009800.exe	ReversingLabs: Detection: 68%

Source: C:\Users\user\Desktop\987656789009800.exe

File read: C:\Users\user\Desktop\987656789009800.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\987656789009800.exe "C:\Users\user\Desktop\987656789009800.exe"
Source: C:\Users\user\Desktop\987656789009800.exe	Process created: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe "C:\Users\user\Desktop\987656789009800.exe"
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\987656789009800.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tapestrylike.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe "C:\Users\user\AppData\Local\interseminating\tapestrylike.exe"
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\interseminating\tapestrylike.exe"
Source: C:\Users\user\Desktop\987656789009800.exe	Process created: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe "C:\Users\user\Desktop\987656789009800.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\987656789009800.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe "C:\Users\user\AppData\Local\interseminating\tapestrylike.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\interseminating\tapestrylike.exe"	Jump to behavior

Source: C:\Users\user\Desktop\987656789009800.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\987656789009800.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\987656789009800.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\987656789009800.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\987656789009800.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\987656789009800.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\987656789009800.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\987656789009800.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\987656789009800.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\987656789009800.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\987656789009800.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\987656789009800.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\987656789009800.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\987656789009800.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\987656789009800.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: tapestrylike.exe, 00000001.00000003.1716166924.0000000003890000.00000004.00001000.00020000.00000000.sdmp, tapestrylike.exe, 00000001.00000003.1714570080.00000000036F0000.00000004.00001000.00020000.00000000.sdmp, tapestrylike.exe, 00000004.00000003.1850350907.0000000003800000.00000004.00001000.00020000.00000000.sdmp, tapestrylike.exe, 00000004.00000003.1850674051.0000000003660000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: tapestrylike.exe, 00000001.00000003.1716166924.0000000003890000.00000004.00001000.00020000.00000000.sdmp, tapestrylike.exe, 00000001.00000003.1714570080.00000000036F0000.00000004.00001000.00020000.00000000.sdmp, tapestrylike.exe, 00000004.00000003.1850350907.0000000003800000.00000004.00001000.00020000.00000000.sdmp, tapestrylike.exe, 00000004.00000003.1850674051.0000000003660000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\987656789009800.exe

Code function: 0_2_007E79E0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_007E79E0

Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006DC4C7 push A3006DBAh; retn 006Dh	0_2_006DC50D
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_0073848F push FFFFFF8Bh; iretd	0_2_00738491
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006FE70F push edi; ret	0_2_006FE711
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006FE828 push esi; ret	0_2_006FE82A
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006F8945 push ecx; ret	0_2_006F8958
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006FEA03 push esi; ret	0_2_006FEA05
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006FEAEC push edi; ret	0_2_006FEAEE
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003B848F push FFFFFF8Bh; iretd	1_2_003B8491
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_0037E70F push edi; ret	1_2_0037E711
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_0037E828 push esi; ret	1_2_0037E82A
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_00378945 push ecx; ret	1_2_00378958
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_0037EA03 push esi; ret	1_2_0037EA05
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_0037EAEC push edi; ret	1_2_0037EAEE
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003B848F push FFFFFF8Bh; iretd	4_2_003B8491
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_0037E70F push edi; ret	4_2_0037E711
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_0037E828 push esi; ret	4_2_0037E82A
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_00378945 push ecx; ret	4_2_00378958
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_0037EA03 push esi; ret	4_2_0037EA05
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_0037EAEC push edi; ret	4_2_0037EAEE

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\987656789009800.exe

File created: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tapestrylike.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tapestrylike.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tapestrylike.vbs

Jump to behavior

Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006D48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_006D48D7
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_00755376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_00755376
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003548D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	1_2_003548D7
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003D5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	1_2_003D5376
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003548D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	4_2_003548D7
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003D5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	4_2_003D5376

Source: C:\Users\user\Desktop\987656789009800.exe

Code function: 0_2_006F3187 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_006F3187

Source: C:\Users\user\Desktop\987656789009800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\987656789009800.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: tapestrylike.exe PID: 7376, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tapestrylike.exe PID: 7648, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	API/Special instruction interceptor: Address: F667AC
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	API/Special instruction interceptor: Address: D810EC

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: tapestrylike.exe, 00000001.00000002.1717320804.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1854263936.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1856437351.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, tapestrylike.exe, 00000004.00000002.1857662810.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4134977788.00000000031C1000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598878	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598762	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598448	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598327	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598217	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598108	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597886	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596983	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596108	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595889	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595695	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595355	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594137	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597357	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597139	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595607	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594952	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594625	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7256	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2597	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1092	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8767	Jump to behavior

Source: C:\Users\user\Desktop\987656789009800.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_0-102132
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Users\user\Desktop\987656789009800.exe	API coverage: 4.8 %
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	API coverage: 5.0 %
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	API coverage: 4.9 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_0073445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0073445A
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_0073C6D1 FindFirstFileW,FindClose,	0_2_0073C6D1
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_0073C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0073C75C
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_0073EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0073EF95
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_0073F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0073F0F2
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_0073F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0073F3F3
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_007337EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_007337EF
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_00733B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00733B12
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_0073BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0073BCBC
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003B445A GetFileAttributesW,FindFirstFileW,FindClose,	1_2_003B445A
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003BC6D1 FindFirstFileW,FindClose,	1_2_003BC6D1
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003BC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_003BC75C
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003BEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_003BEF95
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003BF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_003BF0F2
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003BF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_003BF3F3
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003B37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_003B37EF
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003B3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_003B3B12
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003BBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_003BBCBC
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003B445A GetFileAttributesW,FindFirstFileW,FindClose,	4_2_003B445A
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003BC6D1 FindFirstFileW,FindClose,	4_2_003BC6D1
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003BC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	4_2_003BC75C
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003BEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	4_2_003BEF95
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003BF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	4_2_003BF0F2
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003BF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	4_2_003BF3F3
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003B37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	4_2_003B37EF
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003B3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	4_2_003B3B12
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003BBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	4_2_003BBCBC

Source: C:\Users\user\Desktop\987656789009800.exe

Code function: 0_2_006D49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006D49A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598878	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598762	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598448	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598327	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598217	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598108	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597886	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596983	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596108	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595889	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595695	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595355	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594137	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597357	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597139	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595607	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594952	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594625	Jump to behavior

Source: RegSvcs.exe, 00000006.00000002.4134977788.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: RegSvcs.exe, 00000006.00000002.4134977788.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: tapestrylike.exe, 00000001.00000002.1717320804.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1854263936.0000000000402000.00000040.80000000.00040000.00000000.sdmp, tapestrylike.exe, 00000004.00000002.1857662810.00000000032C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: hgfsZrw6
Source: 987656789009800.exe, 00000000.00000002.1687268084.0000000001374000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VIKWKNVMNETE
Source: tapestrylike.exe, 00000004.00000002.1857662810.00000000032C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: RegSvcs.exe, 00000002.00000002.1860414910.000000000655B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllj
Source: tapestrylike.exe, 00000004.00000002.1856831970.0000000000E78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VIKWKNVMNETEk
Source: RegSvcs.exe, 00000006.00000002.4138369660.0000000006413000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"

Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	API call chain: ExitProcess graph end node

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_03127070 CheckRemoteDebuggerPresent,

2_2_03127070

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\987656789009800.exe

Code function: 0_2_00743F09 BlockInput,

0_2_00743F09

Source: C:\Users\user\Desktop\987656789009800.exe

Code function: 0_2_006D3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_006D3B3A

Source: C:\Users\user\Desktop\987656789009800.exe

Code function: 0_2_00705A7C RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

0_2_00705A7C

Source: C:\Users\user\Desktop\987656789009800.exe

Code function: 0_2_007E79E0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_007E79E0

Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_012064C0 mov eax, dword ptr fs:[00000030h]	0_2_012064C0
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_01207B10 mov eax, dword ptr fs:[00000030h]	0_2_01207B10
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_01207B70 mov eax, dword ptr fs:[00000030h]	0_2_01207B70
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_00F653C8 mov eax, dword ptr fs:[00000030h]	1_2_00F653C8
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_00F66A78 mov eax, dword ptr fs:[00000030h]	1_2_00F66A78
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_00F66A18 mov eax, dword ptr fs:[00000030h]	1_2_00F66A18
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_00D813B8 mov eax, dword ptr fs:[00000030h]	4_2_00D813B8
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_00D81358 mov eax, dword ptr fs:[00000030h]	4_2_00D81358
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_00D7FD08 mov eax, dword ptr fs:[00000030h]	4_2_00D7FD08

Source: C:\Users\user\Desktop\987656789009800.exe

Code function: 0_2_007280A9 GetTokenInformation,GetLastError,GetProcessHeap,RtlAllocateHeap,GetTokenInformation,

0_2_007280A9

Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006FA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_006FA155
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_006FA124 SetUnhandledExceptionFilter,	0_2_006FA124
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_0037A124 SetUnhandledExceptionFilter,	1_2_0037A124
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_0037A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0037A155
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_0037A124 SetUnhandledExceptionFilter,	4_2_0037A124
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_0037A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_0037A155

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1105008			Jump to behavior
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 10B7008			Jump to behavior

Source: C:\Users\user\Desktop\987656789009800.exe

Code function: 0_2_007287B1 LogonUserW,

0_2_007287B1

Source: C:\Users\user\Desktop\987656789009800.exe

Code function: 0_2_006D3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_006D3B3A

Source: C:\Users\user\Desktop\987656789009800.exe

Code function: 0_2_006D48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_006D48D7

Source: C:\Users\user\Desktop\987656789009800.exe

Code function: 0_2_00734C7F mouse_event,

0_2_00734C7F

Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\987656789009800.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe "C:\Users\user\AppData\Local\interseminating\tapestrylike.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\interseminating\tapestrylike.exe"	Jump to behavior

Source: C:\Users\user\Desktop\987656789009800.exe

Code function: 0_2_00727CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00727CAF

Source: C:\Users\user\Desktop\987656789009800.exe

Code function: 0_2_0072874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0072874B

Source: 987656789009800.exe, 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmp, tapestrylike.exe, 00000001.00000002.1716957004.0000000000404000.00000040.00000001.01000000.00000004.sdmp, tapestrylike.exe, 00000004.00000002.1854321613.0000000000404000.00000040.00000001.01000000.00000004.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: tapestrylike.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\987656789009800.exe

Code function: 0_2_006F862B cpuid

0_2_006F862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\987656789009800.exe

Code function: 0_2_00704E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00704E87

Source: C:\Users\user\Desktop\987656789009800.exe

Code function: 0_2_00711E06 GetUserNameW,

0_2_00711E06

Source: C:\Users\user\Desktop\987656789009800.exe

Code function: 0_2_00703F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00703F3A

Source: C:\Users\user\Desktop\987656789009800.exe

Code function: 0_2_006D49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006D49A0

Source: C:\Users\user\Desktop\987656789009800.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tapestrylike.exe.dc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.tapestrylike.exe.32c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tapestrylike.exe.dc0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.tapestrylike.exe.32c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1857662810.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1717320804.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1854263936.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1856437351.000000000331E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4134977788.00000000031D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4134977788.00000000031EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1856437351.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tapestrylike.exe PID: 7376, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tapestrylike.exe PID: 7648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7728, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: tapestrylike.exe	Binary or memory string: WIN_81
Source: tapestrylike.exe	Binary or memory string: WIN_XP
Source: tapestrylike.exe	Binary or memory string: WIN_XPe
Source: tapestrylike.exe	Binary or memory string: WIN_VISTA
Source: tapestrylike.exe	Binary or memory string: WIN_7
Source: tapestrylike.exe	Binary or memory string: WIN_8
Source: tapestrylike.exe, 00000004.00000002.1854321613.0000000000404000.00000040.00000001.01000000.00000004.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tapestrylike.exe.dc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.tapestrylike.exe.32c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tapestrylike.exe.dc0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.tapestrylike.exe.32c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1857662810.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1717320804.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1854263936.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1856437351.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tapestrylike.exe PID: 7376, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tapestrylike.exe PID: 7648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7728, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tapestrylike.exe.dc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.tapestrylike.exe.32c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.tapestrylike.exe.dc0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.tapestrylike.exe.32c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1857662810.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1717320804.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1854263936.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1856437351.000000000331E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4134977788.00000000031D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4134977788.00000000031EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1856437351.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tapestrylike.exe PID: 7376, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tapestrylike.exe PID: 7648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7728, type: MEMORYSTR

Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_00746283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_00746283
Source: C:\Users\user\Desktop\987656789009800.exe	Code function: 0_2_00746747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00746747
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003C6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	1_2_003C6283
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 1_2_003C6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	1_2_003C6747
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003C6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	4_2_003C6283
Source: C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	Code function: 4_2_003C6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	4_2_003C6747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	221 Windows Management Instrumentation	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	21 Obfuscated Files or Information	1 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 Software Packing	NTDS	138 System Information Discovery	Distributed Component Object Model	121 Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	751 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	1 Masquerading	Cached Domain Credentials	231 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	231 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	212 Process Injection	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
987656789009800.exe	79%	Virustotal		Browse
987656789009800.exe	68%	ReversingLabs	Win32.Trojan.AutoitInject
987656789009800.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\interseminating\tapestrylike.exe	68%	ReversingLabs	Win32.Trojan.AutoitInject

Source	Detection	Scanner	Label	Link
http://antoniomayol.com	0%	Avira URL Cloud	safe
http://ftp.antoniomayol.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
antoniomayol.com	162.241.62.63	true	true	unknown
ip-api.com	208.95.112.1	true	false	high
ftp.antoniomayol.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://antoniomayol.com	RegSvcs.exe, 00000002.00000002.1856437351.000000000331E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4134977788.00000000031EE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ftp.antoniomayol.com	RegSvcs.exe, 00000002.00000002.1856437351.000000000331E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4134977788.00000000031EE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.dyn.com/	tapestrylike.exe, 00000001.00000002.1717320804.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1854263936.0000000000402000.00000040.80000000.00040000.00000000.sdmp, tapestrylike.exe, 00000004.00000002.1857662810.00000000032C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.1856437351.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4134977788.000000000319C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ip-api.com	RegSvcs.exe, 00000002.00000002.1856437351.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4134977788.000000000319C000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
162.241.62.63	antoniomayol.com	United States		46606	UNIFIEDLAYER-AS-1US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581362
Start date and time:	2024-12-27 14:05:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	987656789009800.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@10/6@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 59 Number of non-executed functions: 279
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:06:03	API Interceptor	10267320x Sleep call for process: RegSvcs.exe modified
13:06:00	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tapestrylike.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	good.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	ip-api.com/json/
	Client-built.exe	Get hash	malicious	Quasar	Browse	ip-api.com/json/
	DHL AWB-documents.lnk	Get hash	malicious	Divulge Stealer	Browse	ip-api.com/json/?fields=225545
	main.exe	Get hash	malicious	Python Stealer, Discord Token Stealer, PRYSMAX STEALER	Browse	ip-api.com/json/8.46.123.189?fields=192511
	main.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/8.46.123.189?fields=192511
	HX Design.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse	ip-api.com/json/?fields=225545
	dF66DKQP7u.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	2QaN4hOyJs.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	fvbhdyuJYi.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	8DiSW8IPEF.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
162.241.62.63	Order 122001-220 guanzo.exe	Get hash	malicious	FormBook	Browse	www.pasteleriaruth.com/meub/?6lt4=M6ATVT20FLj&ktI=BrZDxrt78R4OSP6X83RJQ8I8yi0a/QJgiEays5do7SITSAPpSF1hBU/JW21XLBQwE3Ox

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	good.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	208.95.112.1
	Client-built.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	DHL AWB-documents.lnk	Get hash	malicious	Divulge Stealer	Browse	208.95.112.1
	main.exe	Get hash	malicious	Python Stealer, Discord Token Stealer, PRYSMAX STEALER	Browse	208.95.112.1
	main.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	HX Design.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse	208.95.112.1
	dF66DKQP7u.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	2QaN4hOyJs.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	fvbhdyuJYi.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	8DiSW8IPEF.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
antoniomayol.com	DSR0987678900000.exe	Get hash	malicious	AgentTesla	Browse	15.197.240.20

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNIFIEDLAYER-AS-1US	xd.sh4.elf	Get hash	malicious	Mirai	Browse	142.5.37.64
	armv4l.elf	Get hash	malicious	Mirai	Browse	74.91.145.200
	https://u48635528.ct.sendgrid.net/ls/click?upn=u001.9c3qucD-2BQzNTT0bmLRTJr37m0fhz0zdKJtvEO5GYL-2FheRuyVOh-2FQG4V3oBgBPYNynDxn_I1ksFJapfNmw0nKrksu71KTxdlg2CVrjzBUVofCtIEhaWkhL1Pph-2Ffg-2BCFbPvkCL9SX-2Fn-2BNBrku3RcjHS1atB8ladrmemt-2BtQU5680xhgoUl-2FmS0Bdj-2FOfednny-2F-2Bj2bwjjubeRvrpN0J7TGLD3CnNRzymiQOzypjCqxHhzmXtY2EWHJMJBxjl-2FHlyEIekWjEdTpTsRC8R5LaI-2BXF4kV8UeUtXxyFJLbYiR3fqcWt2evvBBECu9MeQj8TLZrmfuTf-2BJQraijp8-2BcIdxf8rnVxjHoJK1lo9-2Bkao444JbRSinVA-2FoUxeuAtdlrITU1Z6gHAn7DLZstY4XJkhkT16-2F2TN4CFt2LQ-2BEh9GWg4EPlocPi8ljTs-2B9D9RVbWdc3s2Vk2VPHSj20oCO3-2FalihBzGJuaYie5tnYaz6wBF3EqNzMXmVqRnMZwSYuGRwSMVhkchytYzt3hUH-2F51IUfn7nuhHUcUbdS8nBYneAMuB2eSDRn8IZzUkExLUascCVn8T9ImEyo0qhVsBPdJjfT9L3qli9clY1N-2BhQXDZgQnsN1Bs9PujeLzem37C62BvWnqPnqvXh5vbcvseiZwTP35DEJysw-3D-3D#mlyon@wc.com	Get hash	malicious	HTMLPhisher	Browse	192.185.77.74
	eCompleted_419z.pdf	Get hash	malicious	HTMLPhisher	Browse	192.185.57.26
	nklarm.elf	Get hash	malicious	Unknown	Browse	162.144.117.245
	eCompleted_419z.pdf	Get hash	malicious	Unknown	Browse	192.185.57.26
	https://en.newsnowbangla.com/archives/69912	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	162.215.210.151
	7394231845.html	Get hash	malicious	Unknown	Browse	69.49.245.172
	nshmips.elf	Get hash	malicious	Mirai	Browse	173.254.77.37
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	108.167.180.57
TUT-ASUS	good.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	208.95.112.1
	http://au.kirmalk.com/watch.php?vid=7750fd3c8	Get hash	malicious	Unknown	Browse	162.252.214.4
	Client-built.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	DHL AWB-documents.lnk	Get hash	malicious	Divulge Stealer	Browse	208.95.112.1
	main.exe	Get hash	malicious	Python Stealer, Discord Token Stealer, PRYSMAX STEALER	Browse	208.95.112.1
	main.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	HX Design.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse	208.95.112.1
	file.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, XWorm	Browse	208.95.112.1
	dF66DKQP7u.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	2QaN4hOyJs.exe	Get hash	malicious	XWorm	Browse	208.95.112.1

Process:	C:\Users\user\Desktop\987656789009800.exe
File Type:	data
Category:	dropped
Size (bytes):	148996
Entropy (8bit):	7.8934191503063795
Encrypted:	false
SSDEEP:	3072:HfMyK+TBVl4aMYmVFS+wdzO/hPkLJvsxxpjetgSwFE:HfMyK+Womv96O/hc94xrSwG
MD5:	3CB55CD3CE8920127A52F4DEE6EDDAB6
SHA1:	DD503E6726E0EE4446492FC6553CC9A6597CE60D
SHA-256:	666C67CCDC5C4A2460006A0DD926D4A9AF4EE1828A4C356B7548EC9CDC01385F
SHA-512:	7434F60E13EF593664928F7E13271C75D4E3E02DBC5AC65604FE3F75DE8C63386A0D99701F3B708BB6AB9F33EDF2376F2176098E9903BD43E30FFB482186EE68
Malicious:	false
Reputation:	low
Preview:	EA06.......Ti...H.Ph.=...0.Rj...aD..)..E:.N.U...W...:..E"...S...%..S..l.9..ef..'...Iv.....\....Y.3....8....5vW3....M..#0(......3_..l......I..).:w..0.P@.1..S.4k.......4... P..:P.Fj..Z.... ..L..~m2.V.......R...b.....Z.H..l;.l.!L.....i.....%.Y..J...k.....I...g ....?...p...h.#.Rj...6.....0..k..........K..S-..)....v.......E....0.O....$.x.H.Q..O.R.A.]......W.T..........h0?...?5.R.L..QW..>....=...p...kD.uc...g...h...W.C.W...F....S....8..{8....)..k.....G...\|..3....b.?=....x....>.E1.....`..w;..:e..j..M.bk7..3I<.So.....g.K.V@(........<i=";....%Z_...u8...mf..w9Y`.b..M.1.x.....+.....`..l....(.1...!k.$'`..P.......m....o.2.O<.:...v.%w...A....W1~.....e.7...~.<.rk...........k....=.....\|>=D..SZ.:.[.^...N.1`.Q.UZd.J.Yk..v..i....{.[+........K8.z..N..........Px.>w@.x..k..O_........v..o....W;.Jl0.j.n.I$...,Ri....X..i...VaD......T.Ih.SD.!0.T.....f......R.F..Y...F...T.J.~...5WmJ..t...aV...54..I.M..u...2..$ ..:.:.Pi.^.>a...+4M.....O...uB.4.E..j.C.E....:5..p.L..M;YG.

C:\Users\user\AppData\Local\Temp\aut5899.tmp

Download File

Process:	C:\Users\user\AppData\Local\interseminating\tapestrylike.exe
File Type:	data
Category:	dropped
Size (bytes):	148996
Entropy (8bit):	7.8934191503063795
Encrypted:	false
SSDEEP:	3072:HfMyK+TBVl4aMYmVFS+wdzO/hPkLJvsxxpjetgSwFE:HfMyK+Womv96O/hc94xrSwG
MD5:	3CB55CD3CE8920127A52F4DEE6EDDAB6
SHA1:	DD503E6726E0EE4446492FC6553CC9A6597CE60D
SHA-256:	666C67CCDC5C4A2460006A0DD926D4A9AF4EE1828A4C356B7548EC9CDC01385F
SHA-512:	7434F60E13EF593664928F7E13271C75D4E3E02DBC5AC65604FE3F75DE8C63386A0D99701F3B708BB6AB9F33EDF2376F2176098E9903BD43E30FFB482186EE68
Malicious:	false
Reputation:	low
Preview:	EA06.......Ti...H.Ph.=...0.Rj...aD..)..E:.N.U...W...:..E"...S...%..S..l.9..ef..'...Iv.....\....Y.3....8....5vW3....M..#0(......3_..l......I..).:w..0.P@.1..S.4k.......4... P..:P.Fj..Z.... ..L..~m2.V.......R...b.....Z.H..l;.l.!L.....i.....%.Y..J...k.....I...g ....?...p...h.#.Rj...6.....0..k..........K..S-..)....v.......E....0.O....$.x.H.Q..O.R.A.]......W.T..........h0?...?5.R.L..QW..>....=...p...kD.uc...g...h...W.C.W...F....S....8..{8....)..k.....G...\|..3....b.?=....x....>.E1.....`..w;..:e..j..M.bk7..3I<.So.....g.K.V@(........<i=";....%Z_...u8...mf..w9Y`.b..M.1.x.....+.....`..l....(.1...!k.$'`..P.......m....o.2.O<.:...v.%w...A....W1~.....e.7...~.<.rk...........k....=.....\|>=D..SZ.:.[.^...N.1`.Q.UZd.J.Yk..v..i....{.[+........K8.z..N..........Px.>w@.x..k..O_........v..o....W;.Jl0.j.n.I$...,Ri....X..i...VaD......T.Ih.SD.!0.T.....f......R.F..Y...F...T.J.~...5WmJ..t...aV...54..I.M..u...2..$ ..:.:.Pi.^.>a...+4M.....O...uB.4.E..j.C.E....:5..p.L..M;YG.

C:\Users\user\AppData\Local\Temp\aut8C5B.tmp

Download File

Process:	C:\Users\user\AppData\Local\interseminating\tapestrylike.exe
File Type:	data
Category:	dropped
Size (bytes):	148996
Entropy (8bit):	7.8934191503063795
Encrypted:	false
SSDEEP:	3072:HfMyK+TBVl4aMYmVFS+wdzO/hPkLJvsxxpjetgSwFE:HfMyK+Womv96O/hc94xrSwG
MD5:	3CB55CD3CE8920127A52F4DEE6EDDAB6
SHA1:	DD503E6726E0EE4446492FC6553CC9A6597CE60D
SHA-256:	666C67CCDC5C4A2460006A0DD926D4A9AF4EE1828A4C356B7548EC9CDC01385F
SHA-512:	7434F60E13EF593664928F7E13271C75D4E3E02DBC5AC65604FE3F75DE8C63386A0D99701F3B708BB6AB9F33EDF2376F2176098E9903BD43E30FFB482186EE68
Malicious:	false
Reputation:	low
Preview:	EA06.......Ti...H.Ph.=...0.Rj...aD..)..E:.N.U...W...:..E"...S...%..S..l.9..ef..'...Iv.....\....Y.3....8....5vW3....M..#0(......3_..l......I..).:w..0.P@.1..S.4k.......4... P..:P.Fj..Z.... ..L..~m2.V.......R...b.....Z.H..l;.l.!L.....i.....%.Y..J...k.....I...g ....?...p...h.#.Rj...6.....0..k..........K..S-..)....v.......E....0.O....$.x.H.Q..O.R.A.]......W.T..........h0?...?5.R.L..QW..>....=...p...kD.uc...g...h...W.C.W...F....S....8..{8....)..k.....G...\|..3....b.?=....x....>.E1.....`..w;..:e..j..M.bk7..3I<.So.....g.K.V@(........<i=";....%Z_...u8...mf..w9Y`.b..M.1.x.....+.....`..l....(.1...!k.$'`..P.......m....o.2.O<.:...v.%w...A....W1~.....e.7...~.<.rk...........k....=.....\|>=D..SZ.:.[.^...N.1`.Q.UZd.J.Yk..v..i....{.[+........K8.z..N..........Px.>w@.x..k..O_........v..o....W;.Jl0.j.n.I$...,Ri....X..i...VaD......T.Ih.SD.!0.T.....f......R.F..Y...F...T.J.~...5WmJ..t...aV...54..I.M..u...2..$ ..:.:.Pi.^.>a...+4M.....O...uB.4.E..j.C.E....:5..p.L..M;YG.

C:\Users\user\AppData\Local\Temp\cerecloths

Download File

Process:	C:\Users\user\Desktop\987656789009800.exe
File Type:	data
Category:	dropped
Size (bytes):	245248
Entropy (8bit):	6.643223560145831
Encrypted:	false
SSDEEP:	6144:ziw3U2tpe9Bddwv7mT423hTAZoTP8HoaM1POHW2btwLRT6:Gd2ferrCq8ckHM1Gfwo
MD5:	F02F9D19D8366763EBCF12AB913FBC1E
SHA1:	44AF25633289033E91700A43C3338DF2A8DB483E
SHA-256:	3F99FED20ACF9DD1E49184C4F180507366B43587E1EE51C1434E40C06449D4CD
SHA-512:	714C5CF8264FFED8919511B239AC2EAFB898329B8CF34BB9DD98F7D7926AB3B481317254CE4350776BA407767653ADF0F8C41CDE42A533E025712D8C09E78652
Malicious:	false
Reputation:	low
Preview:	...F3DWHHAFC..N0.IVXRF0D.HLAFCNPN0VIVXRF0DWHLAFCNPN0VIVXRF0D.HLAH\.^N._.w.S..e. %2f3<?)B7$v;3(^+#h.$f1;>nY8i...f]+3-bLKIjPN0VIVX..0D.IOA5..6N0VIVXRF.DUIG@MCN.M0VAVXRF0D..OAFcNPN.UIVX.F0dWHLCFCJPN0VIVXVF0DWHLAFcJPN2VIVXRF2D..LAVCN@N0VIFXRV0DWHLAVCNPN0VIVXRF<.TH.AFCN.M0.LVXRF0DWHLAFCNPN0VIVXVF<DWHLAFCNPN0VIVXRF0DWHLAFCNPN0VIVXRF0DWHLAFCNPN0VIVXRf0D_HLAFCNPN0VI^xRFxDWHLAFCNPN0x=3 &F0D3.OAFcNPN.UIVZRF0DWHLAFCNPN0vIV8\|4C64HLA.FNPN.UIV^RF0.THLAFCNPN0VIVX.F0.y:)-) NPB0VIVXVF0FWHL.ECNPN0VIVXRF0D.HL.FCNPN0VIVXRF0DWH..ECNPN0.IVXPF5D..NA.vOPM0VIWXR@0DWHLAFCNPN0VIVXRF0DWHLAFCNPN0VIVXRF0DWHLAFCNPN0K.....xz.5rK$D.v.W.J..A.=..C.S.5D....[...p=J..C._~.._...1.@I8G...n)])\.c3xG-.[.....w=...@^.-...8q.>H..`...`.....N2....D..57?hQ4'$)o."(1<Y.K.YRF0D........'H..{[]X.V/....zB6f...,F0D3HLA4CNP/0VI.XRF_DWH"AFC0PN0(IVX.F0D.HLAqCNPk0VI;XRF.DWH2AFC.-A?...1!..DWHLAs..`.].....q...~=.8.,h..-....5..G$.1.....X.3..'.<No..DOVJ5TNR[^{>....`DGJUL7RJZe\...i.g.w..'...<.8WHLAFC.PN.VIV..F.DWH.A.C..N0V.X.F.D...A

C:\Users\user\AppData\Local\interseminating\tapestrylike.exe

Download File

Process:	C:\Users\user\Desktop\987656789009800.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	612352
Entropy (8bit):	7.934032770629702
Encrypted:	false
SSDEEP:	12288:TquErHF6xC9D6DmR1J98w4oknqOOCyQfKSpoCxFI66E9:qrl6kD68JmlotQflposIjs
MD5:	AC4AB3C4B9386B0355D8645F77F91E3E
SHA1:	B87289C4A2290C6EFB49AE38373A174F7D34C4E1
SHA-256:	363DA150D891DA7BB5DA8056414882429067A0FCB27F58363567567BF18A323E
SHA-512:	7D7590CA7B41FB0EB0B31649AA2C6BA69830B55A28DF49C5A089B08824C0F91FBF1F2173C2ED9F95E713612CFBFBC9DBE684BD84CDC5FB70816F07184ECF10A2
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L...0HYg.........."......`...........y... ........@.......................................@...@.......@......................q..$............................u.......................................{..H...........................................UPX0....................................UPX1.....`... ...^..................@....rsrc................b..............@..............................................................................................................................................................................................................................................................................................................................................................3.91.UPX!....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tapestrylike.vbs

Download File

Process:	C:\Users\user\AppData\Local\interseminating\tapestrylike.exe
File Type:	data
Category:	dropped
Size (bytes):	296
Entropy (8bit):	3.3983764395376452
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfcloRKUEZ+lX1MlVxCiRzYdHl7nriIM8lfQVn:DsO+vNloRKQ1Ml7CiRklRmA2n
MD5:	DF24956BDE082FBAE7E9C4756BC87FCD
SHA1:	C692BEE9C906CFCE8E5066A60E2B68C4CF5D4831
SHA-256:	EF5292B4389843D17A3D42E8E47122E335CE07BE4A112FD5B91CA4811F43BEB8
SHA-512:	6D71D0623059D9D1562D7D87DFAC7924BEB6E3FD8101CA169B7E75CF58316A9F0B5E09482A75765E7D04ED86E7F4F5A3E29B1F76AD8E87422C6E93DFF3C830DF
Malicious:	true
Reputation:	low
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.i.n.t.e.r.s.e.m.i.n.a.t.i.n.g.\.t.a.p.e.s.t.r.y.l.i.k.e...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.934032770629702
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	987656789009800.exe
File size:	612'352 bytes
MD5:	ac4ab3c4b9386b0355d8645f77f91e3e
SHA1:	b87289c4a2290c6efb49ae38373a174f7d34c4e1
SHA256:	363da150d891da7bb5da8056414882429067a0fcb27f58363567567bf18a323e
SHA512:	7d7590ca7b41fb0eb0b31649aa2c6ba69830b55a28df49c5a089b08824c0f91fbf1f2173c2ed9f95e713612cfbfbc9dbe684bd84cdc5fb70816f07184ecf10a2
SSDEEP:	12288:TquErHF6xC9D6DmR1J98w4oknqOOCyQfKSpoCxFI66E9:qrl6kD68JmlotQflposIjs
TLSH:	4BD423C54A95DD22C5A86771C0359C940A69B872DFECB6AFC358E25FFC31303A847A2D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x5179e0
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67594830 [Wed Dec 11 08:07:12 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fc6683d30d9f25244a50fd5357825e79

Entrypoint Preview

Instruction
pushad
mov esi, 004C2000h
lea edi, dword ptr [esi-000C1000h]
push edi
jmp 00007F0898E4308Dh
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F0898E43089h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F0898E4306Fh
mov eax, 00000001h
add ebx, ebx
jne 00007F0898E43089h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F0898E4308Dh
jne 00007F0898E430AAh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F0898E430A1h
dec eax
add ebx, ebx
jne 00007F0898E43089h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007F0898E43056h
add ebx, ebx
jne 00007F0898E43089h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007F0898E430D4h
xor ecx, ecx
sub eax, 03h
jc 00007F0898E43093h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F0898E430F7h
sar eax, 1
mov ebp, eax
jmp 00007F0898E4308Dh
add ebx, ebx
jne 00007F0898E43089h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F0898E4304Eh
inc ecx
add ebx, ebx
jne 00007F0898E43089h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F0898E43040h
add ebx, ebx
jne 00007F0898E43089h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F0898E43071h
jne 00007F0898E4308Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F0898E43066h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007F0898E43090h
mov al, byte ptr [edx]

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x157184	0x424	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x118000	0x3f184	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1575a8	0xc	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x117bc4	0x48	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0xc1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0xc2000	0x56000	0x55e00	0fdf44e2fd739468219b05423d9b1cee	False	0.9870473981077147	data	7.935073306924056	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x118000	0x40000	0x3f600	f5ad53601b4d6d9c7555557ceb1dda16	False	0.9202377650394478	data	7.880380302640591	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1185ac	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0x1186d8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0x118804	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0x118930	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0x118c1c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0x118d48	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0x119bf4	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0x11a4a0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0x11aa0c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0x11cfb8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0x11e064	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	1.1375
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	1.007703081232493
RT_STRING	0xcda84	0x68a	data	English	Great Britain	1.0065710872162486
RT_STRING	0xce110	0x490	data	English	Great Britain	1.009417808219178
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	1.0071801566579635
RT_STRING	0xceb9c	0x65c	OpenPGP Public Key	English	Great Britain	1.0067567567567568
RT_STRING	0xcf1f8	0x466	DOS executable (COM)	English	Great Britain	1.0097690941385435
RT_STRING	0xcf660	0x158	data	English	Great Britain	1.0319767441860466
RT_RCDATA	0x11e4d0	0x38719	data			1.0003503566284446
RT_GROUP_ICON	0x156bf0	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x156c6c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x156c84	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x156c9c	0x14	data	English	Great Britain	1.25
RT_VERSION	0x156cb4	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x156d94	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll	GetAce
COMCTL32.dll	ImageList_Remove
COMDLG32.dll	GetOpenFileNameW
GDI32.dll	LineTo
IPHLPAPI.DLL	IcmpSendEcho
MPR.dll	WNetUseConnectionW
ole32.dll	CoGetObject
OLEAUT32.dll	VariantInit
PSAPI.DLL	GetProcessMemoryInfo
SHELL32.dll	DragFinish
USER32.dll	GetDC
USERENV.dll	LoadUserProfileW
UxTheme.dll	IsThemeActive
VERSION.dll	VerQueryValueW
WININET.dll	FtpOpenFileW
WINMM.dll	timeGetTime
WSOCK32.dll	connect

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 14:06:02.395172119 CET	49730	80	192.168.2.4	208.95.112.1
Dec 27, 2024 14:06:02.761965036 CET	80	49730	208.95.112.1	192.168.2.4
Dec 27, 2024 14:06:02.762080908 CET	49730	80	192.168.2.4	208.95.112.1
Dec 27, 2024 14:06:02.763145924 CET	49730	80	192.168.2.4	208.95.112.1
Dec 27, 2024 14:06:02.883059025 CET	80	49730	208.95.112.1	192.168.2.4
Dec 27, 2024 14:06:03.972614050 CET	80	49730	208.95.112.1	192.168.2.4
Dec 27, 2024 14:06:04.020613909 CET	49730	80	192.168.2.4	208.95.112.1
Dec 27, 2024 14:06:05.593540907 CET	49731	21	192.168.2.4	162.241.62.63
Dec 27, 2024 14:06:05.713289976 CET	21	49731	162.241.62.63	192.168.2.4
Dec 27, 2024 14:06:05.713387966 CET	49731	21	192.168.2.4	162.241.62.63
Dec 27, 2024 14:06:05.718878984 CET	49731	21	192.168.2.4	162.241.62.63
Dec 27, 2024 14:06:05.838754892 CET	21	49731	162.241.62.63	192.168.2.4
Dec 27, 2024 14:06:05.840349913 CET	49731	21	192.168.2.4	162.241.62.63
Dec 27, 2024 14:06:16.095426083 CET	49733	80	192.168.2.4	208.95.112.1
Dec 27, 2024 14:06:16.215233088 CET	80	49733	208.95.112.1	192.168.2.4
Dec 27, 2024 14:06:16.215334892 CET	49733	80	192.168.2.4	208.95.112.1
Dec 27, 2024 14:06:16.215692043 CET	49733	80	192.168.2.4	208.95.112.1
Dec 27, 2024 14:06:16.335525036 CET	80	49733	208.95.112.1	192.168.2.4
Dec 27, 2024 14:06:16.533485889 CET	49730	80	192.168.2.4	208.95.112.1
Dec 27, 2024 14:06:17.429239988 CET	80	49733	208.95.112.1	192.168.2.4
Dec 27, 2024 14:06:17.474639893 CET	49733	80	192.168.2.4	208.95.112.1
Dec 27, 2024 14:06:17.989419937 CET	49737	21	192.168.2.4	162.241.62.63
Dec 27, 2024 14:06:18.109143972 CET	21	49737	162.241.62.63	192.168.2.4
Dec 27, 2024 14:06:18.109250069 CET	49737	21	192.168.2.4	162.241.62.63
Dec 27, 2024 14:06:18.111748934 CET	49737	21	192.168.2.4	162.241.62.63
Dec 27, 2024 14:06:18.231245041 CET	21	49737	162.241.62.63	192.168.2.4
Dec 27, 2024 14:06:18.231443882 CET	49737	21	192.168.2.4	162.241.62.63
Dec 27, 2024 14:07:08.009932995 CET	49733	80	192.168.2.4	208.95.112.1
Dec 27, 2024 14:07:08.130881071 CET	80	49733	208.95.112.1	192.168.2.4
Dec 27, 2024 14:07:08.130945921 CET	49733	80	192.168.2.4	208.95.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 14:06:02.240961075 CET	53670	53	192.168.2.4	1.1.1.1
Dec 27, 2024 14:06:02.388885021 CET	53	53670	1.1.1.1	192.168.2.4
Dec 27, 2024 14:06:04.633572102 CET	59579	53	192.168.2.4	1.1.1.1
Dec 27, 2024 14:06:05.591936111 CET	53	59579	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 27, 2024 14:06:02.240961075 CET	192.168.2.4	1.1.1.1	0xd3ff	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:06:04.633572102 CET	192.168.2.4	1.1.1.1	0x9aad	Standard query (0)	ftp.antoniomayol.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 27, 2024 14:06:02.388885021 CET	1.1.1.1	192.168.2.4	0xd3ff	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Dec 27, 2024 14:06:05.591936111 CET	1.1.1.1	192.168.2.4	0x9aad	No error (0)	ftp.antoniomayol.com	antoniomayol.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 27, 2024 14:06:05.591936111 CET	1.1.1.1	192.168.2.4	0x9aad	No error (0)	antoniomayol.com		162.241.62.63	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	208.95.112.1	80	7404	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 27, 2024 14:06:02.763145924 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Dec 27, 2024 14:06:03.972614050 CET	175	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 13:06:03 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49733	208.95.112.1	80	7728	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 27, 2024 14:06:16.215692043 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Dec 27, 2024 14:06:17.429239988 CET	175	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 13:06:16 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 46 X-Rl: 43 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Target ID:	0
Start time:	08:05:55
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\987656789009800.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\987656789009800.exe"
Imagebase:	0x6d0000
File size:	612'352 bytes
MD5 hash:	AC4AB3C4B9386B0355D8645F77F91E3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:05:57
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\interseminating\tapestrylike.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\987656789009800.exe"
Imagebase:	0x350000
File size:	612'352 bytes
MD5 hash:	AC4AB3C4B9386B0355D8645F77F91E3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1717320804.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000001.00000002.1717320804.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.1717320804.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000001.00000002.1717320804.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000001.00000002.1717320804.0000000000DC0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 68%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:06:00
Start date:	27/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\987656789009800.exe"
Imagebase:	0xf20000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1854263936.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1854263936.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1856437351.000000000331E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1856437351.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1856437351.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:06:09
Start date:	27/12/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tapestrylike.vbs"
Imagebase:	0x7ff6f9a60000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:06:10
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\interseminating\tapestrylike.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\interseminating\tapestrylike.exe"
Imagebase:	0x350000
File size:	612'352 bytes
MD5 hash:	AC4AB3C4B9386B0355D8645F77F91E3E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1857662810.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000004.00000002.1857662810.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.1857662810.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000004.00000002.1857662810.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000004.00000002.1857662810.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:06:13
Start date:	27/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\interseminating\tapestrylike.exe"
Imagebase:	0xe90000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.4134977788.00000000031D6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.4134977788.00000000031EE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	8.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	63

Executed Functions

Function 006D3B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 006D3B68
IsDebuggerPresent.KERNEL32 ref: 006D3B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,007952F8,007952E0,?,?), ref: 006D3BEB

Part of subcall function 006D7BCC: _memmove.LIBCMT ref: 006D7C06

Part of subcall function 006E092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,006D3C14,007952F8,?,?,?), ref: 006E096E

SetCurrentDirectoryW.KERNEL32(?), ref: 006D3C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00787770,00000010), ref: 0070D281
SetCurrentDirectoryW.KERNEL32(?,007952F8,?,?,?), ref: 0070D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00784260,007952F8,?,?,?), ref: 0070D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 0070D346

Part of subcall function 006D3A46: GetSysColorBrush.USER32(0000000F), ref: 006D3A50
Part of subcall function 006D3A46: LoadCursorW.USER32(00000000,00007F00), ref: 006D3A5F
Part of subcall function 006D3A46: LoadIconW.USER32(00000063), ref: 006D3A76
Part of subcall function 006D3A46: LoadIconW.USER32(000000A4), ref: 006D3A88
Part of subcall function 006D3A46: LoadIconW.USER32(000000A2), ref: 006D3A9A
Part of subcall function 006D3A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 006D3AC0
Part of subcall function 006D3A46: RegisterClassExW.USER32(?), ref: 006D3B16

Part of subcall function 006D39D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 006D3A03
Part of subcall function 006D39D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 006D3A24
Part of subcall function 006D39D5: ShowWindow.USER32(00000000,?,?), ref: 006D3A38
Part of subcall function 006D39D5: ShowWindow.USER32(00000000,?,?), ref: 006D3A41

Part of subcall function 006D434A: _memset.LIBCMT ref: 006D4370
Part of subcall function 006D434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 006D4415

Strings

This is a third-party compiled AutoIt script., xrefs: 0070D279
%v, xrefs: 006D3C44
runas, xrefs: 0070D33A

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%v
API String ID: 529118366-287773948
Opcode ID: a464ecc726b8102346e572bf18ffa0cf0dcfa221a5a9d4be8ed3eff65a6e4f0e
Instruction ID: 717cca868936f48b2cd823faba591e41a06562015616e24b1b036fecafb50319
Opcode Fuzzy Hash: a464ecc726b8102346e572bf18ffa0cf0dcfa221a5a9d4be8ed3eff65a6e4f0e
Instruction Fuzzy Hash: A951E9B0D08258AEDF12EBB4EC05DFD7776BF44750F00816BF411A63A1DA785A46CB2A

Function 006D3633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
timewindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 006D36D2
KillTimer.USER32(?,00000001), ref: 006D36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 006D371F
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 006D372A
CreatePopupMenu.USER32 ref: 006D373E
PostQuitMessage.USER32(00000000), ref: 006D374D

Strings

TaskbarCreated, xrefs: 006D3725
%v, xrefs: 0070D081, 0070D0CF

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
String ID: TaskbarCreated$%v
API String ID: 157504867-4049267007
Opcode ID: 2d247f78506277ad5a3360cc160df3a7aefdb980dbd9b575fa8dbde2e90a8380
Instruction ID: 06f295e5946c2b7301b8857f12362d2b7c86206fa74c77fab7be53e3776d68a4
Opcode Fuzzy Hash: 2d247f78506277ad5a3360cc160df3a7aefdb980dbd9b575fa8dbde2e90a8380
Instruction Fuzzy Hash: EC412AB1900A65FBDF216F64EC19BB93B97EB04300F504127F501963E1DAB89E42976E

Function 006D49A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 006D49CD

Part of subcall function 006D7BCC: _memmove.LIBCMT ref: 006D7C06

GetCurrentProcess.KERNEL32(?,0075FAEC,00000000,00000000,?), ref: 006D4A9A
IsWow64Process.KERNEL32(00000000), ref: 006D4AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 006D4AE7
FreeLibrary.KERNEL32(00000000), ref: 006D4AF2
GetSystemInfo.KERNEL32(00000000), ref: 006D4B23
GetSystemInfo.KERNEL32(00000000), ref: 006D4B2F

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 72ef7ddcde78c0a8719e6f6e8f652cae9176f4787f92e560165af91a1a74b8b8
Instruction ID: c1c42269af48d0b1591858903ad2d8b5a7138392021a5c24e7ad88f2c97713fa
Opcode Fuzzy Hash: 72ef7ddcde78c0a8719e6f6e8f652cae9176f4787f92e560165af91a1a74b8b8
Instruction Fuzzy Hash: 7291A5319897C0DFC731DBA885501AABFF6AF2A300B484AAED0C693B41D635AD08C75D

Function 006D4E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 006D4E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,006D4D8E,?,?,00000000,00000000), ref: 006D4EB0
LoadResource.KERNEL32(?,00000000,?,?,006D4D8E,?,?,00000000,00000000,?,?,?,?,?,?,006D4E2F), ref: 0070D937
SizeofResource.KERNEL32(?,00000000,?,?,006D4D8E,?,?,00000000,00000000,?,?,?,?,?,?,006D4E2F), ref: 0070D94C
LockResource.KERNEL32(006D4D8E,?,?,006D4D8E,?,?,00000000,00000000,?,?,?,?,?,?,006D4E2F,00000000), ref: 0070D95F

Strings

SCRIPT, xrefs: 006D4EA6

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 83bc91aba170e0278777cc44c39a8487070ed3d45abd7ff2edb6ac5dda28a170
Instruction ID: 1b8a328e9e34e95b5a9cc44f4bca2304023e1ff16c465a91d8b08d329fea1ea9
Opcode Fuzzy Hash: 83bc91aba170e0278777cc44c39a8487070ed3d45abd7ff2edb6ac5dda28a170
Instruction Fuzzy Hash: 8B1170B5640700BFD7218B65EC48FA77BBAFBC5B12F20826DF405C6290DBB1EC008661

Function 006DFCE0 Relevance: 8.0, APIs: 3, Strings: 1, Instructions: 1040COMMON

Download Yara Rule

Strings

%v, xrefs: 006DFCF3

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: BuffCharUpper
String ID: %v
API String ID: 3964851224-3047460978
Opcode ID: 3bdacb8e26c70ceb7321312f48f05239c196a4c2347fffdbea2576bffa24c61a
Instruction ID: 60e23af2f6ef85cb76210e39e248cd421058b1cafc2d7882d3ecdc8c736b1406
Opcode Fuzzy Hash: 3bdacb8e26c70ceb7321312f48f05239c196a4c2347fffdbea2576bffa24c61a
Instruction Fuzzy Hash: 12928070908381DFE720DF19C480B6AB7E2BF85304F14896DE58A9B392D775EC85CB96

Function 007E79E0 Relevance: 7.7, APIs: 5, Instructions: 206librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 007E7B1A
GetProcAddress.KERNEL32(?,007E0FF9), ref: 007E7B38
ExitProcess.KERNEL32(?,007E0FF9), ref: 007E7B49
VirtualProtect.KERNELBASE(006D0000,00001000,00000004,?,00000000), ref: 007E7B97
VirtualProtect.KERNELBASE(006D0000,00001000), ref: 007E7BAC

Memory Dump Source

Source File: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
String ID:
API String ID: 1996367037-0
Opcode ID: 30def527c2c3ab254c9aab8edfa7fcb3eb447124d6d25878d861c4905301b85e
Instruction ID: 8e1df3ae728db3bd5e19e4926339070624dea89add6ec79e793ef5f794e79249
Opcode Fuzzy Hash: 30def527c2c3ab254c9aab8edfa7fcb3eb447124d6d25878d861c4905301b85e
Instruction Fuzzy Hash: F7512AB2A4A3D25BD7289E7DCCC06787791EB093257184778C5E1CB3C6F7A85A06C7A0

Function 0073445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0070E398), ref: 0073446A
FindFirstFileW.KERNELBASE(?,?), ref: 0073447B
FindClose.KERNEL32(00000000), ref: 0073448B

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 22b3db488269b991b6ce86f63a71cb6f19adf001473fafbb19fcd84039510f20
Instruction ID: 90ccdd332be0be7915a261d35dab6881a39ac1db475b9696c3f60bba7aaa381f
Opcode Fuzzy Hash: 22b3db488269b991b6ce86f63a71cb6f19adf001473fafbb19fcd84039510f20
Instruction Fuzzy Hash: E4E0D8724106406762146B38EC0D8ED775CAE05336F104725F935C20E0E7BC6900969A

Function 006DE6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00713E62

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 74a968cbfed1248090f40cf387fa75361e118f4b487a4a8a75555584d6d99a90
Instruction ID: d4c4021006f010aa9a66e688eae4419ec79babb30937373cbba3f0ca6e45230d
Opcode Fuzzy Hash: 74a968cbfed1248090f40cf387fa75361e118f4b487a4a8a75555584d6d99a90
Instruction Fuzzy Hash: 13A27B75E00205CFCB24DF58C480AAAB7B2FF59314F24816AE916AF351D776ED82CB90

Function 006E09D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006E0A5B
timeGetTime.WINMM ref: 006E0D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006E0E53
Sleep.KERNEL32(0000000A), ref: 006E0E61
LockWindowUpdate.USER32(00000000,?,?), ref: 006E0EFA
DestroyWindow.USER32 ref: 006E0F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 006E0F20
Sleep.KERNEL32(0000000A,?,?), ref: 00714E83
TranslateMessage.USER32(?), ref: 00715C60
DispatchMessageW.USER32(?), ref: 00715C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00715C82

Strings

@COM_EVENTOBJ, xrefs: 007154F0
@GUI_WINHANDLE, xrefs: 00714F8F
@GUI_CTRLID, xrefs: 00714F3A
@GUI_CTRLHANDLE, xrefs: 00714FE4
@TRAY_ID, xrefs: 0071578F

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: a6107e5ac02a32f9206d9d7199f2fc4bbbf4f5a91f295d9e56beb816d4fd0f43
Instruction ID: 38089447fe19357f6d97c1fae4602554afb13efa858b2923563782c3c3d40818
Opcode Fuzzy Hash: a6107e5ac02a32f9206d9d7199f2fc4bbbf4f5a91f295d9e56beb816d4fd0f43
Instruction Fuzzy Hash: 20B2E770608781DFD728DF28C884BEAB7E2BF84304F14491EE58997391C7B9E885CB46

Function 00739155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00738F5F: __time64.LIBCMT ref: 00738F69

Part of subcall function 006D4EE5: _fseek.LIBCMT ref: 006D4EFD

__wsplitpath.LIBCMT ref: 00739234

Part of subcall function 006F40FB: __wsplitpath_helper.LIBCMT ref: 006F413B

_wcscpy.LIBCMT ref: 00739247
_wcscat.LIBCMT ref: 0073925A
__wsplitpath.LIBCMT ref: 0073927F
_wcscat.LIBCMT ref: 00739295
_wcscat.LIBCMT ref: 007392A8

Part of subcall function 00738FA5: _memmove.LIBCMT ref: 00738FDE
Part of subcall function 00738FA5: _memmove.LIBCMT ref: 00738FED

_wcscmp.LIBCMT ref: 007391EF

Part of subcall function 00739734: _wcscmp.LIBCMT ref: 00739824
Part of subcall function 00739734: _wcscmp.LIBCMT ref: 00739837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00739452
_wcsncpy.LIBCMT ref: 007394C5
DeleteFileW.KERNEL32(?,?), ref: 007394FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00739511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00739522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00739534

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: c08dff2e7ebfd067c5be1bebae6f817eafcd4140060f51bed8a71c8796f602ed
Instruction ID: 9727c8247e9593fbac4230102cef50d690664d10868544837c3b1916d8b081c7
Opcode Fuzzy Hash: c08dff2e7ebfd067c5be1bebae6f817eafcd4140060f51bed8a71c8796f602ed
Instruction Fuzzy Hash: 2CC12DB1D0021DABDF21DF95CC85EDEB7B9EF85310F0040AAF609E6252DB749A448F65

Function 006D708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006D4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007952F8,?,006D37AE,?), ref: 006D4724

Part of subcall function 006F050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,006D7165), ref: 006F052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 006D71A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0070E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0070E909
RegCloseKey.ADVAPI32(?), ref: 0070E947
_wcscat.LIBCMT ref: 0070E9A0

Strings

Software\AutoIt v3\AutoIt, xrefs: 006D719E
\, xrefs: 0070E9C3
Include, xrefs: 0070E8BF, 0070E900
\Include\, xrefs: 006D7165

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 2835d72bb780265e1847c0da50113a10a5dc251003c15815fd71a0f157894fbd
Instruction ID: 2cfd6797de7a57f2a8a7530a8a92ee0d02319c648653b5fa07bf0638c6a718e3
Opcode Fuzzy Hash: 2835d72bb780265e1847c0da50113a10a5dc251003c15815fd71a0f157894fbd
Instruction Fuzzy Hash: AE71C2715083019EC340EF25EC519ABBBE9FF85350F408A2FF445C72A0EB789949CB9A

Function 006D3A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 006D3A50
LoadCursorW.USER32(00000000,00007F00), ref: 006D3A5F
LoadIconW.USER32(00000063), ref: 006D3A76
LoadIconW.USER32(000000A4), ref: 006D3A88
LoadIconW.USER32(000000A2), ref: 006D3A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 006D3AC0
RegisterClassExW.USER32(?), ref: 006D3B16

Part of subcall function 006D3041: GetSysColorBrush.USER32(0000000F), ref: 006D3074
Part of subcall function 006D3041: RegisterClassExW.USER32(00000030), ref: 006D309E
Part of subcall function 006D3041: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 006D30AF
Part of subcall function 006D3041: LoadIconW.USER32(000000A9), ref: 006D30F2

Strings

#, xrefs: 006D3AFB
0, xrefs: 006D3AF4
AutoIt v3, xrefs: 006D3B05

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
String ID: #$0$AutoIt v3
API String ID: 2880975755-4155596026
Opcode ID: e33b80aea2eaa33c1c270a66c6806d66299f89441eefcfbfc5d665cba81c2034
Instruction ID: 8e87464fff375eb5fa559b1e7b138b21d71abd162d383fefc49cb853f743b910
Opcode Fuzzy Hash: e33b80aea2eaa33c1c270a66c6806d66299f89441eefcfbfc5d665cba81c2034
Instruction Fuzzy Hash: E8214BB0D00318AFEB12DFA4EC09B9D7BB1FB08711F00816BE504A63A1D3B956518F88

Function 006D3766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/ErrorStdOut, xrefs: 006D387D
/AutoIt3ExecuteLine, xrefs: 006D38A7
/AutoIt3OutputDebug, xrefs: 006D3892
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 006D37AE
CMDLINE, xrefs: 006D3822
CMDLINERAW, xrefs: 006D37FB
/AutoIt3ExecuteScript, xrefs: 006D38BC

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 9083aa446936ed4af0cb1d777f421003ab759b5a56321662b322de52a3ce6759
Instruction ID: c9f7567179d2aed53165d8fe6ea68834cfc2d9383bc963768103847f2c55b8ff
Opcode Fuzzy Hash: 9083aa446936ed4af0cb1d777f421003ab759b5a56321662b322de52a3ce6759
Instruction Fuzzy Hash: E6A16CB1D0022D9ACF45EBA4DC95AEEB77ABF54300F00052FF416A7291EF745A09CBA5

Function 006D301C Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 73
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 006D3074
RegisterClassExW.USER32(00000030), ref: 006D309E
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 006D30AF
LoadIconW.USER32(000000A9), ref: 006D30F2

Strings

AutoIt v3 GUI, xrefs: 006D3090
TaskbarCreated, xrefs: 006D30A4
0, xrefs: 006D3056
+, xrefs: 006D305D

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: 48131cf262baaa986bf6401a692d7a9a61b5f027379767f30098d06170233da5
Instruction ID: 23c73f204f1cbdc191e6bd07f7ad6617b3591119727c9d1209b6ce6cc67f6829
Opcode Fuzzy Hash: 48131cf262baaa986bf6401a692d7a9a61b5f027379767f30098d06170233da5
Instruction Fuzzy Hash: E03139B1801318AFDB11CFA4DC89ADDBBF4FB09311F14852AF540E62A0D3B90646CF95

Function 006D3041 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 54
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 006D3074
RegisterClassExW.USER32(00000030), ref: 006D309E
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 006D30AF
LoadIconW.USER32(000000A9), ref: 006D30F2

Strings

AutoIt v3 GUI, xrefs: 006D3090
TaskbarCreated, xrefs: 006D30A4
0, xrefs: 006D3056
+, xrefs: 006D305D

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: 4f7c7224f25bce070ac3a8eb433746a4976c81bedc2cfc6dfc5881ee1bf6db6b
Instruction ID: 0b7b40d1c30a25158429207b55cecdcc20e281029ca9768c21d9aa054fc353fd
Opcode Fuzzy Hash: 4f7c7224f25bce070ac3a8eb433746a4976c81bedc2cfc6dfc5881ee1bf6db6b
Instruction Fuzzy Hash: 0821F4B1D01718AFDB01DFA4EC88BDEBBF4FB08701F00812AF910A62A0D7B945458F99

Function 01204EF0 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01204F35

Memory Dump Source

Source File: 00000000.00000002.1687079297.0000000001204000.00000040.00000020.00020000.00000000.sdmp, Offset: 01204000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1204000_987656789009800.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: 4eb538e975aec04e5dd11e014290937a28c028a78cff5a7ea43fec25ab8a5d61
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: FF51E775A60249FBEF20DFA4CC49FDE7779AF48700F108658F70AEA1C1DAB496458B60

Function 006D7285 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0070EA39
7523D0D0.COMDLG32(?), ref: 0070EA83

Part of subcall function 006D4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006D4743,?,?,006D37AE,?), ref: 006D4770

Part of subcall function 006F0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006F07B0

Strings

AutoIt script files (*.au3, *.a3x), xrefs: 0070EA67
X, xrefs: 0070EA51
Run Script:, xrefs: 0070EA58
au3, xrefs: 0070EA7C

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: NamePath$7523FullLong_memset
String ID: AutoIt script files (*.au3, *.a3x)$Run Script:$X$au3
API String ID: 3285060876-1954568251
Opcode ID: bdf96e0102b02631c53ef31b2279dde09e6a8ec07639a6041610b2597df11789
Instruction ID: 32aeaa8c0b79bbd1fca9036fe5e187d7877ad787d6ee5d50c4dac98165b747a7
Opcode Fuzzy Hash: bdf96e0102b02631c53ef31b2279dde09e6a8ec07639a6041610b2597df11789
Instruction Fuzzy Hash: 5C21C670E102489BCB519F94CC45BEE7BF9AF48310F00805AE508A7381DBB859498FA6

Function 006D39D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 006D3A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 006D3A24
ShowWindow.USER32(00000000,?,?), ref: 006D3A38
ShowWindow.USER32(00000000,?,?), ref: 006D3A41

Strings

AutoIt v3, xrefs: 006D39FB, 006D3A00, 006D3A01
edit, xrefs: 006D3A1E

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: ae892db3183a81ec1d031820f713192e584707ae47e44075d4b5edf4ca62bb49
Instruction ID: f7d4c183f6a1c3e5d872d335f990189ed554cdc086277834418babc5841a9a41
Opcode Fuzzy Hash: ae892db3183a81ec1d031820f713192e584707ae47e44075d4b5edf4ca62bb49
Instruction Fuzzy Hash: 87F0D0B15416A07EEA3257176C49E672F7DE7C6F61B00812EF904A21B0C6A91852DBB8

Function 006D686A Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006D4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,007952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 006D4E0F

_free.LIBCMT ref: 0070E263
_free.LIBCMT ref: 0070E2AA

Part of subcall function 006D6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 006D6BAD

Strings

/vm, xrefs: 0070E084, 0070E0BD
Bad directive syntax error, xrefs: 0070E292
>>>AUTOIT SCRIPT<<<, xrefs: 0070E039

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: /vm$>>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1711496434
Opcode ID: 022786d2611aa4b6bd6f0946c4c71d4c0431a27837823bd14d39ece3c5f8d0ee
Instruction ID: 4387e25527752ffdf70c54f861dafdd50df9fc66cacc08937d435b97e78c3615
Opcode Fuzzy Hash: 022786d2611aa4b6bd6f0946c4c71d4c0431a27837823bd14d39ece3c5f8d0ee
Instruction Fuzzy Hash: D5914C71D00219EFCF14EFA4C8919EDB7B9FF18310B14492EF816AB2A1DB78A905CB54

Function 006D407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0070D3D7

Part of subcall function 006D7BCC: _memmove.LIBCMT ref: 006D7C06

_memset.LIBCMT ref: 006D40FC
_wcscpy.LIBCMT ref: 006D4150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 006D4160

Strings

Line: , xrefs: 0070D400

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 58d4e1cf33ecd60e34e8e33a5659e9550ebe4ac936e88fcf525694688b598598
Instruction ID: 1592a8546e691fd853e269005bf9945b8f2c507cf9bea7f0b179cf0b9c55943c
Opcode Fuzzy Hash: 58d4e1cf33ecd60e34e8e33a5659e9550ebe4ac936e88fcf525694688b598598
Instruction Fuzzy Hash: 1B31CEB1808704AFD7A1EB60DC45BEA77D9AF44300F10451FF685922A1EB749A49CB8B

Function 006F541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 006F547B
_memcpy_s.LIBCMT ref: 006F54ED
__read_nolock.LIBCMT ref: 006F554B
__filbuf.LIBCMT ref: 006F556E
_memset.LIBCMT ref: 006F55B2

Part of subcall function 006F8B28: __getptd_noexit.LIBCMT ref: 006F8B28

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: bf492eafdbf573df5641cc9b95bc2438a69c6fe8434f471163f6e2707a066a17
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: E651B170A00B0DDBDB249FA9D8846BE77E7AF41321F248769FB26963D0D7709D918B40

Function 006DF76F Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 006F0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 006F0193
Part of subcall function 006F0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 006F019B
Part of subcall function 006F0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 006F01A6
Part of subcall function 006F0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 006F01B1
Part of subcall function 006F0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 006F01B9
Part of subcall function 006F0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 006F01C1

Part of subcall function 006E60F9: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 006E6154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 006DF9CD
OleInitialize.OLE32(00000000), ref: 006DFA4A
CloseHandle.KERNEL32(00000000), ref: 007145C8

Strings

%v, xrefs: 006DF796, 006DF7A8, 006DF96E, 006DFA51

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
String ID: %v
API String ID: 3094916012-3047460978
Opcode ID: 529647a27134908f38dc218634dcfa34744c877115480b9183ecc51b8940a0ad
Instruction ID: 599581900fda97601c51d1fcb4fb3c2dfb0c008c53907663ab19620d6128773b
Opcode Fuzzy Hash: 529647a27134908f38dc218634dcfa34744c877115480b9183ecc51b8940a0ad
Instruction Fuzzy Hash: 6E81CCB0901AA08F87C6DF79A8456597BE6EB4830A790C13FD409CB372E77C45868F5A

Function 01206A00 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154fileCOMMON

Download Yara Rule

APIs

Part of subcall function 012068F0: Sleep.KERNELBASE(000001F4), ref: 01206901

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01206B32

Strings

VXRF0DWHLAFCNPN0VI, xrefs: 01206BB2, 01206BB5

Memory Dump Source

Source File: 00000000.00000002.1687079297.0000000001204000.00000040.00000020.00020000.00000000.sdmp, Offset: 01204000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1204000_987656789009800.jbxd

Similarity

API ID: CreateFileSleep
String ID: VXRF0DWHLAFCNPN0VI
API String ID: 2694422964-1648518084
Opcode ID: 768bc3fb63708b2a594e3a5ad6c313582bda34a98a8bab14a024672116cf1508
Instruction ID: 6438f868c33b584a2c7cc088f3aa598e3cd767294ee6669c278ec83be8a41ada
Opcode Fuzzy Hash: 768bc3fb63708b2a594e3a5ad6c313582bda34a98a8bab14a024672116cf1508
Instruction Fuzzy Hash: 3C51A370D14248DBEF12DBA4C854BEEBB75AF19300F004698E649BB2C1D6BA1B44CBA5

Function 006D35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,006D35A1,SwapMouseButtons,00000004,?), ref: 006D35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,006D35A1,SwapMouseButtons,00000004,?,?,?,?,006D2754), ref: 006D35F5
RegCloseKey.KERNELBASE(00000000,?,?,006D35A1,SwapMouseButtons,00000004,?,?,?,?,006D2754), ref: 006D3617

Strings

Control Panel\Mouse, xrefs: 006D35D2

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: e62ebd31a33a84caa8639459e996239736e6c1820c59a8da9d04da54dac31119
Instruction ID: fac3a66b0b00dc34260c3a6c69bda99f5c2a62483a461f1cc14a158195fc7765
Opcode Fuzzy Hash: e62ebd31a33a84caa8639459e996239736e6c1820c59a8da9d04da54dac31119
Instruction Fuzzy Hash: E9113375A10268BADB208F64DC80EEABBA9EF04740F00846AE809D7310E2719E409BA5

Function 0073955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 006D4EE5: _fseek.LIBCMT ref: 006D4EFD

Part of subcall function 00739734: _wcscmp.LIBCMT ref: 00739824
Part of subcall function 00739734: _wcscmp.LIBCMT ref: 00739837

_free.LIBCMT ref: 007396A2
_free.LIBCMT ref: 007396A9
_free.LIBCMT ref: 00739714

Part of subcall function 006F2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,006F9A24), ref: 006F2D69
Part of subcall function 006F2D55: GetLastError.KERNEL32(00000000,?,006F9A24), ref: 006F2D7B

_free.LIBCMT ref: 0073971C

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 57d0d2f04a8deae04fb8388104c663c78e861137db03f429770e89b5c3a69279
Instruction ID: 37f914508df917beb0baaec10ed0a00f875b6c577b55714536b4b96081585aa2
Opcode Fuzzy Hash: 57d0d2f04a8deae04fb8388104c663c78e861137db03f429770e89b5c3a69279
Instruction Fuzzy Hash: B8514EB1D04219ABDF649F65CC85AAEBB7AEF48300F10049EF209A3351DB755E80CF59

Function 006F470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006F47A0
__flush.LIBCMT ref: 006F47C0
__write.LIBCMT ref: 006F47F3
__flsbuf.LIBCMT ref: 006F4821

Part of subcall function 006F8B28: __getptd_noexit.LIBCMT ref: 006F8B28

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 04390c5ecae4e113f851c6e59614690700c69d204b39e01c947d6cc1b0c7f6fa
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: EF41C474A0074E9BDB189E69C8809BB7BA7AF423A0B24817DEA2587B44DF70DD418B44

Function 006D44A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006D44CF

Part of subcall function 006D407C: _memset.LIBCMT ref: 006D40FC
Part of subcall function 006D407C: _wcscpy.LIBCMT ref: 006D4150
Part of subcall function 006D407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 006D4160

KillTimer.USER32(?,00000001,?,?), ref: 006D4524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 006D4533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0070D4B9

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 52a0f7232abb8a8c739703c93053d0b247f0367b7a26dcda42de4c34dc366bbb
Instruction ID: ac9511bfee131e0678ead41f7440679d018bcec8a5f0e89ecab55eaff26a8429
Opcode Fuzzy Hash: 52a0f7232abb8a8c739703c93053d0b247f0367b7a26dcda42de4c34dc366bbb
Instruction Fuzzy Hash: 992104B0904794AFE732CB649855BE7BBECAF05304F04009EF78E96281C7782E84CB45

Function 006D4C70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006D4CBA

Strings

EA06, xrefs: 0070D8CC
AU3!P/v, xrefs: 006D4CB4

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/v$EA06
API String ID: 4104443479-2268320372
Opcode ID: 8a074b86f2171380aace1e87b3ef7c4f0841867ccb0bdfa7a89a3409a02adddf
Instruction ID: f8c57ed8c0ac84538de5df9f50aa15f16dd3a93ca45b5d47b4d917c704280c46
Opcode Fuzzy Hash: 8a074b86f2171380aace1e87b3ef7c4f0841867ccb0bdfa7a89a3409a02adddf
Instruction Fuzzy Hash: 86414A21E0425C6BDF219B6488927BE7FA3DF45300F68457BEC86DB382DE349D4587A1

Function 00738D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00738DAC
__fread_nolock.LIBCMT ref: 00738DC1

Strings

EA06, xrefs: 00738DF3

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 5099ca6793d245c9bd3eb35425359dc4921752a361030e5473a2c84ad8033970
Instruction ID: fb082e678281c7c4ea29ba7f9a13162ee513d500481bc1d777fe86fb689f855e
Opcode Fuzzy Hash: 5099ca6793d245c9bd3eb35425359dc4921752a361030e5473a2c84ad8033970
Instruction Fuzzy Hash: 3601F9719042187EEB58CBA8CC16EFE7BF8DB15301F00419EF653D2181E878E60487A0

Function 006F0DB6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006F571C: __FF_MSGBANNER.LIBCMT ref: 006F5733
Part of subcall function 006F571C: __NMSG_WRITE.LIBCMT ref: 006F573A
Part of subcall function 006F571C: RtlAllocateHeap.NTDLL(011C0000,00000000,00000001), ref: 006F575F

std::exception::exception.LIBCMT ref: 006F0DEC
__CxxThrowException@8.LIBCMT ref: 006F0E01

Part of subcall function 006F859B: RaiseException.KERNEL32(?,?,00000000,00789E78,?,00000001,?,?,?,006F0E06,00000000,00789E78,006D9E8C,00000001), ref: 006F85F0

Strings

bad allocation, xrefs: 006F0DE1

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID: bad allocation
API String ID: 3902256705-2104205924
Opcode ID: 24456c71836c7a9f410c4a94667336c9816159c53ce383658f677a8e3ad189d9
Instruction ID: dc438ef28540470fe58e89dc09528e35e6f47e41cac0461ba745fb7d6b656171
Opcode Fuzzy Hash: 24456c71836c7a9f410c4a94667336c9816159c53ce383658f677a8e3ad189d9
Instruction Fuzzy Hash: EFF0A47290021E66DB50BA94EC019FE7BAE9F01351F104469FF0596282DF709E4186D5

Function 012055D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01205615
ExitProcess.KERNEL32(00000000), ref: 01205634

Strings

D, xrefs: 012055E1

Memory Dump Source

Source File: 00000000.00000002.1687079297.0000000001204000.00000040.00000020.00020000.00000000.sdmp, Offset: 01204000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1204000_987656789009800.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 9f0fea074abf0f39dd8420fc00d89007b68beb3d91da31db31286a021e466f34
Instruction ID: 403345b20c6f6f137d055286e63cf081a3d9493bbeb7e5527c565b5de303fde4
Opcode Fuzzy Hash: 9f0fea074abf0f39dd8420fc00d89007b68beb3d91da31db31286a021e466f34
Instruction Fuzzy Hash: 31F0ECB195024DABDB60EFE0CC49FFE777CBF04701F448609BB1A9A181DA7496088B61

Function 007398E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 007398F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0073990F

Strings

aut, xrefs: 00739909

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 27d1448a4255222eebba42f79123bbb8f47ff34bceb17cb51b868499cbcf2039
Instruction ID: 3f810a0c62ff5f8f96d0b61cbe8fe94b1edc701196563ca903230f4da6b9aabd
Opcode Fuzzy Hash: 27d1448a4255222eebba42f79123bbb8f47ff34bceb17cb51b868499cbcf2039
Instruction Fuzzy Hash: 50D05EB998030DABDB50BBA0DC0EFDA773CE704701F4042B1FA54960A1EAB495988B96

Function 0074CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c7b22cbd6e7e24a68da303c8334031426b3f70781980f4e58938991ec417ead
Instruction ID: d4a86e7c8d1d9b495df582a7396013d62327c6f5b0835a752c90f49fbfa8d0d0
Opcode Fuzzy Hash: 7c7b22cbd6e7e24a68da303c8334031426b3f70781980f4e58938991ec417ead
Instruction Fuzzy Hash: 12F12671A083419FCB54DF28C484A6ABBE6FF88314F14892EF8999B351D734E945CF92

Function 006D434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006D4370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 006D4415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 006D4432

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 8ac23aff7ce826ed925933752d3955664b615bd398136491d1e0ff6eec438304
Instruction ID: 1cccc7d9bdbcf753a60703f709debf584ce3d5170d77056dadde02d42c1e6052
Opcode Fuzzy Hash: 8ac23aff7ce826ed925933752d3955664b615bd398136491d1e0ff6eec438304
Instruction Fuzzy Hash: 4C31ACB09047118FC721DF24D88469BBBE8FB48308F00492FE68A82391EB74AD44CB96

Function 006F571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 006F5733

Part of subcall function 006FA16B: __NMSG_WRITE.LIBCMT ref: 006FA192
Part of subcall function 006FA16B: __NMSG_WRITE.LIBCMT ref: 006FA19C

__NMSG_WRITE.LIBCMT ref: 006F573A

Part of subcall function 006FA1C8: GetModuleFileNameW.KERNEL32(00000000,007933BA,00000104,00000000,00000001,00000000), ref: 006FA25A
Part of subcall function 006FA1C8: ___crtMessageBoxW.LIBCMT ref: 006FA308

Part of subcall function 006F309F: ___crtCorExitProcess.LIBCMT ref: 006F30A5
Part of subcall function 006F309F: ExitProcess.KERNEL32 ref: 006F30AE

Part of subcall function 006F8B28: __getptd_noexit.LIBCMT ref: 006F8B28

RtlAllocateHeap.NTDLL(011C0000,00000000,00000001), ref: 006F575F

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: ba125a1998cd2fda1604aac70edf40bbee54fed0dd4bfadd4270815063d1f15a
Instruction ID: 60bcf85e492922cbf0ccf148c86fba807ca71bc2e1fba986d624c2550c99e4c3
Opcode Fuzzy Hash: ba125a1998cd2fda1604aac70edf40bbee54fed0dd4bfadd4270815063d1f15a
Instruction Fuzzy Hash: EC01F535300B1DDEDA517778EC42BBE735A9B42362F11002AF7069B381DE749C014669

Function 007398A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00739548,?,?,?,?,?,00000004), ref: 007398BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00739548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 007398D1
CloseHandle.KERNEL32(00000000,?,00739548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 007398D8

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 06bbfd29e62e1a883de36c94ae781237c9a15d183a9f69dc1be79b6fcb95ca22
Instruction ID: 1d9505604b161612adaac84385b2706a0a780a59b603316829ee4a33971d76f3
Opcode Fuzzy Hash: 06bbfd29e62e1a883de36c94ae781237c9a15d183a9f69dc1be79b6fcb95ca22
Instruction Fuzzy Hash: AAE08632141718B7E7212B54EC09FCA7F19AB06761F108120FB14A90E087F51511979C

Function 00738D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00738D1B

Part of subcall function 006F2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,006F9A24), ref: 006F2D69
Part of subcall function 006F2D55: GetLastError.KERNEL32(00000000,?,006F9A24), ref: 006F2D7B

_free.LIBCMT ref: 00738D2C
_free.LIBCMT ref: 00738D3E

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: f8d5d6739e421e21115ef1aa1e31cd277c887d87f0c1f5fa11e422e295d18b96
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: E3E012A171171A46DBA4A57CA941AA313DD8F5C352B14091DF50DD7187CE78F8428528

Function 006DA9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0070FC01

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 09b228f73f5cb2d6ce8f88a29146d19b12e6a051ba539ee3fba842726d64191c
Instruction ID: c6836f44fdad5471c40692854a1819a03982f0cde696f246a3653e8ff5105eef
Opcode Fuzzy Hash: 09b228f73f5cb2d6ce8f88a29146d19b12e6a051ba539ee3fba842726d64191c
Instruction Fuzzy Hash: 9E227C70908341DFDB24DF64C494A6AB7E2FF84304F15895EE88A8B362D735ED85CB86

Function 006D7A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006D7AAB
_memmove.LIBCMT ref: 006D7B16

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
Instruction ID: 803f7bad8d92eb0df4424dc92a33bfc36d3f76cb7fa040c28e7fe1981c216e65
Opcode Fuzzy Hash: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
Instruction Fuzzy Hash: 4431D6B5A04606AFC704DF68C8D1D69F3AAFF48320718862EE519CB391FB30E910CB90

Function 006D47D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

745EC8D0.UXTHEME ref: 006D4834

Part of subcall function 006F336C: __lock.LIBCMT ref: 006F3372
Part of subcall function 006F336C: RtlDecodePointer.NTDLL(00000001), ref: 006F337E
Part of subcall function 006F336C: RtlEncodePointer.NTDLL(?), ref: 006F3389

Part of subcall function 006D48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 006D4915
Part of subcall function 006D48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 006D492A

Part of subcall function 006D3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 006D3B68
Part of subcall function 006D3B3A: IsDebuggerPresent.KERNEL32 ref: 006D3B7A
Part of subcall function 006D3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,007952F8,007952E0,?,?), ref: 006D3BEB
Part of subcall function 006D3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 006D3C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 006D4874

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$DebuggerDecodeEncodeFullNamePathPresent__lock
String ID:
API String ID: 2688871447-0
Opcode ID: 691fb72d12c5ef580a6e4630ab82062c61f13deb48d2e243854af7fd414960b2
Instruction ID: 5e36a00ae44b27350cc9635c9deb9d3299dead79b8e1d5c62959b6ecd84ab3eb
Opcode Fuzzy Hash: 691fb72d12c5ef580a6e4630ab82062c61f13deb48d2e243854af7fd414960b2
Instruction Fuzzy Hash: 351190719043959BC700EF69D80590ABFE9FF89750F108A1FF04097371DBB49A46CB9A

Function 006F55FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 006F562C
__lock_file.LIBCMT ref: 006F564D

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: eee1d181cabacabf6f5c03d1cd932ed6914647c13b568d3eb1341462aecb7f69
Instruction ID: f9b3933d03b9db97b4b52e6b5e41cf2653c80978746708b5a06e2f85cfe04678
Opcode Fuzzy Hash: eee1d181cabacabf6f5c03d1cd932ed6914647c13b568d3eb1341462aecb7f69
Instruction Fuzzy Hash: D701B171800A0CABCF52AF688C024BE7B63BF91321F404159BB249B2A1DB318A11DF95

Function 006F53A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006F8B28: __getptd_noexit.LIBCMT ref: 006F8B28

__lock_file.LIBCMT ref: 006F53EB

Part of subcall function 006F6C11: __lock.LIBCMT ref: 006F6C34

__fclose_nolock.LIBCMT ref: 006F53F6

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: b8cae15dd69a6ed8092363375e878b8562e30f5fa3c9dfd57107ffadccc384e1
Instruction ID: 59c0933c75b5dbfcf5618aa4c75d77d77643c447f491c88403699efea6b1fee2
Opcode Fuzzy Hash: b8cae15dd69a6ed8092363375e878b8562e30f5fa3c9dfd57107ffadccc384e1
Instruction Fuzzy Hash: F2F0F632800A0C9EDB516B7888027BD66E36F41370F20814CA721AB1C1EBFC4D015B59

Function 01205640 Relevance: 1.7, APIs: 1, Instructions: 185COMMON

Download Yara Rule

APIs

Part of subcall function 01204EB0: GetFileAttributesW.KERNELBASE(?), ref: 01204EBB

CreateDirectoryW.KERNELBASE(?,00000000), ref: 012057ED

Memory Dump Source

Source File: 00000000.00000002.1687079297.0000000001204000.00000040.00000020.00020000.00000000.sdmp, Offset: 01204000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1204000_987656789009800.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: bc4ec7672505be3604f3c6ffeb2393b2996a3624e6296125460e83a7fa25ec9d
Instruction ID: 315784d37f516e3a5d056d05023b761be103381c894a67211d8e041453d4c3c0
Opcode Fuzzy Hash: bc4ec7672505be3604f3c6ffeb2393b2996a3624e6296125460e83a7fa25ec9d
Instruction Fuzzy Hash: 1D719231A2060996EF14DFA0DC44BEF733AEF98700F00556DE609E72D0EB769A45CB69

Function 006D750F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006D75EA

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: d93461ddb9033374b9fc62f0e2b075a85cfa7a40800dcf4ccaba7e949e56f972
Instruction ID: cee6af25a70fd388e50dd8efdf1e5a7241be50115a5b006fcc080ef647332b99
Opcode Fuzzy Hash: d93461ddb9033374b9fc62f0e2b075a85cfa7a40800dcf4ccaba7e949e56f972
Instruction Fuzzy Hash: 7431A379A08A02DFD714DF19D440971F7A2FF49310714C56EE98A8B791FB30E841CB96

Function 006F0C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 006F0CB7

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: ac60f3a05464a81c447e99ab506f69ac52b76a16075f0eb73fa9583d5f59dce1
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: E631B3B4A001099BE718DF58C484AB9F7A6FB59300B6487A5E90ACB356D731EDC2DBC0

Function 0070FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0070FCB7

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 5f52ebc89531432658c767e44d179db717592807dd1eaf62ae3f586c8e36505d
Instruction ID: 9349899ed43c9c672ab8e4ae5421ee732d2bba0e490df74cb2b8c51695fb3122
Opcode Fuzzy Hash: 5f52ebc89531432658c767e44d179db717592807dd1eaf62ae3f586c8e36505d
Instruction Fuzzy Hash: 8E414774A08341CFDB24CF24C454B5ABBE2BF45318F0989ADE8998B762C375E845CF92

Function 006D7B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006D7BB3

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 3eea6265e2ec0d73e6b7603ca14d048745c0cd2de08cd91f3738e2605cb9ba31
Instruction ID: 49b87f582a47fede9110301721235b7c2bfe245e2186738a524757ea9d2600f2
Opcode Fuzzy Hash: 3eea6265e2ec0d73e6b7603ca14d048745c0cd2de08cd91f3738e2605cb9ba31
Instruction Fuzzy Hash: 7A212772A04A09EBEB144F21E84166A7BF5FB14350F34892EE545C5291EB3581D0D759

Function 006F06FE Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5473093efae92daf336a7986386bd2e3c14a9cbc8b57c8632dd33c5ea420ed3
Instruction ID: 203c37c32045076d097158347725d835e0b0af65f8b924326ddf1bc1e762a44c
Opcode Fuzzy Hash: a5473093efae92daf336a7986386bd2e3c14a9cbc8b57c8632dd33c5ea420ed3
Instruction Fuzzy Hash: 0711DD3504A7085FFB31AB24E9129FABBA7BB82310B1880DEED4442D13C36158028EC5

Function 006D4DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 006D4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 006D4BEF

Part of subcall function 006F525B: __wfsopen.LIBCMT ref: 006F5266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,007952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 006D4E0F

Part of subcall function 006D4B6A: FreeLibrary.KERNEL32(00000000), ref: 006D4BA4

Part of subcall function 006D4C70: _memmove.LIBCMT ref: 006D4CBA

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 2cd952fbe3af39b32323c924f386d9b62c87f1dcaec9a624af1f3fb2226a5a59
Instruction ID: 0b7fb3af1bd7a5dd9f16101333f59c2aa33a07489d6990a4191b3097aaaab903
Opcode Fuzzy Hash: 2cd952fbe3af39b32323c924f386d9b62c87f1dcaec9a624af1f3fb2226a5a59
Instruction Fuzzy Hash: D511C431A00305FBCF10AFB0C816FAD77A6AF44750F10842EF545A72C1DEB59E019755

Function 0070FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0070FD91

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: e85d30200924070c22ee4ea57d824b4d69cd0ec58ef3589c8dffbfc376f27fd6
Instruction ID: f309b247c0156844ed8d939a94d7cdab02010744e6681d1cfa187489c1079b34
Opcode Fuzzy Hash: e85d30200924070c22ee4ea57d824b4d69cd0ec58ef3589c8dffbfc376f27fd6
Instruction Fuzzy Hash: 452144B4908341DFDB14DF64C444A6ABBE2BF88314F05896CF98A87762C731E805CB92

Function 006F4863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 006F48A6

Part of subcall function 006F8B28: __getptd_noexit.LIBCMT ref: 006F8B28

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: a0309ddde1d913cfefeafa393bb7bacea4636a855147efa0b9002500997766ad
Instruction ID: 6b23463b64aa2ead634dc11cfe897abb2b7618be774cc6d76d0ef3bd66ee26b0
Opcode Fuzzy Hash: a0309ddde1d913cfefeafa393bb7bacea4636a855147efa0b9002500997766ad
Instruction Fuzzy Hash: C4F0DC3190020CABDF91AFA48C063FF36A2AF00360F048448B6209B281CFB8C951DB45

Function 006D4E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,007952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 006D4E7E

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 669ea0da0b573c91aa890c17ecc8dbe8948e624cf9fbafaea0066cb6e91674bb
Instruction ID: c3784128b0fa4d5863c15911f483e00a066d0b45205d4c3273989fbca0b194fa
Opcode Fuzzy Hash: 669ea0da0b573c91aa890c17ecc8dbe8948e624cf9fbafaea0066cb6e91674bb
Instruction Fuzzy Hash: A9F01571905B11EFCB349F64E494862BBE2BF143293208A3EE2D682721CB729C40DB80

Function 006F0791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006F07B0

Part of subcall function 006D7BCC: _memmove.LIBCMT ref: 006D7C06

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 2716f98c64ab753531a05c8a4c1f512ad7d7540ac12511e6bcd8df85c281c765
Instruction ID: 3e697603c1bb179a5a6f1e0175ddf2c69ba77c0e83be4c1d71427ab7fc75c2f3
Opcode Fuzzy Hash: 2716f98c64ab753531a05c8a4c1f512ad7d7540ac12511e6bcd8df85c281c765
Instruction Fuzzy Hash: 45E0867690422857C720A6689C05FEA77DDDB887A1F0441B6FD0CD7244D9A4AC808695

Function 00738E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00738EC1

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: dde08c06e213b84f89ef91f2c72a6d2cbf12f055de00b06f699d30dcb58cce04
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: 4EE092B1104B045FD7798A24D800BA373E1AB05305F04091DF2AA83242EB6278458759

Function 01204EB0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 01204EBB

Memory Dump Source

Source File: 00000000.00000002.1687079297.0000000001204000.00000040.00000020.00020000.00000000.sdmp, Offset: 01204000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1204000_987656789009800.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: 5ee241af1e050c2a44a27fe26aaa3ec44096b817901c58f15b9c7bb834958cfd
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: F3E08C30A2924CEFDB22EAA89805AA973A8D704320F108764EB0AC72C2D6309E61D614

Function 01204E80 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 01204E8B

Memory Dump Source

Source File: 00000000.00000002.1687079297.0000000001204000.00000040.00000020.00020000.00000000.sdmp, Offset: 01204000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1204000_987656789009800.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: 3f1d8f8a73ae669ce38ad233a9b5356e15a949affdac59c3743fb0f5f17e9e14
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: 5BD0A73092920DEBCB21DFB8AC049DA73A8E704320F008755FE15C32C1D535AD509750

Function 006F525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 006F5266

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 997368d41d5c007248270d0662a09ee03774a79a0916d0c556c6ab70e54658ad
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 85B0927644020C77CE012A82FC02A593F1A9B41764F408020FB0C18162A673AA649A89

Function 012068EC Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01206901

Memory Dump Source

Source File: 00000000.00000002.1687079297.0000000001204000.00000040.00000020.00020000.00000000.sdmp, Offset: 01204000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1204000_987656789009800.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 676afdda586ddf4934563c083c12fd129d0baf207a7c06d46327901e7cb14331
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: E5E0BF7498010DEFDB00EFA4D5496DE7BB4EF04301F1006A1FD05D7691DB319E648A62

Function 012068F0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01206901

Memory Dump Source

Source File: 00000000.00000002.1687079297.0000000001204000.00000040.00000020.00020000.00000000.sdmp, Offset: 01204000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1204000_987656789009800.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 6f061ed8d4b98caef1130fecccd7ef28836e64ad7ddd56174d0d92d674027a0f
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: FEE0E67498010DDFDB00EFB4D5496DE7FB4EF04301F100261FD01D2281D6319E608A62

Non-executed Functions

Function 0075CABC Relevance: 68.9, APIs: 37, Strings: 2, Instructions: 632windowkeyboardnativeCOMMON

Download Yara Rule

APIs

Part of subcall function 006D2612: GetWindowLongW.USER32(?,000000EB), ref: 006D2623

NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 0075CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0075CB95
GetWindowLongW.USER32(?,000000F0), ref: 0075CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0075CC00
SendMessageW.USER32 ref: 0075CC29
_wcsncpy.LIBCMT ref: 0075CC95
GetKeyState.USER32(00000011), ref: 0075CCB6
GetKeyState.USER32(00000009), ref: 0075CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0075CCD9
GetKeyState.USER32(00000010), ref: 0075CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0075CD0C
SendMessageW.USER32 ref: 0075CD33
SendMessageW.USER32(?,00001030,?,0075B348), ref: 0075CE37
SetCapture.USER32(?), ref: 0075CE69
ClientToScreen.USER32(?,?), ref: 0075CECE
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0075CEF5
ReleaseCapture.USER32 ref: 0075CF00
GetCursorPos.USER32(?), ref: 0075CF3A
ScreenToClient.USER32(?,?), ref: 0075CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 0075CFA3
SendMessageW.USER32 ref: 0075CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 0075D00E
SendMessageW.USER32 ref: 0075D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0075D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0075D06D
GetCursorPos.USER32(?), ref: 0075D08D
ScreenToClient.USER32(?,?), ref: 0075D09A
GetParent.USER32(?), ref: 0075D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 0075D123
SendMessageW.USER32 ref: 0075D154
ClientToScreen.USER32(?,?), ref: 0075D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0075D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 0075D20C
SendMessageW.USER32 ref: 0075D22F
ClientToScreen.USER32(?,?), ref: 0075D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0075D2B5

Part of subcall function 006D25DB: GetWindowLongW.USER32(?,000000EB), ref: 006D25EC

GetWindowLongW.USER32(?,000000F0), ref: 0075D351

Strings

F, xrefs: 0075D235
@GUI_DRAGID, xrefs: 0075CE9C

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 302779176-4164748364
Opcode ID: c9aa5f610d740ff746c2a874f37dcd252775935819af89ed7b7766eef6c0bbc9
Instruction ID: 31cc5a30f8c3c128121b2be2afa137621e39c022bec0ddbd4f847d86355297e4
Opcode Fuzzy Hash: c9aa5f610d740ff746c2a874f37dcd252775935819af89ed7b7766eef6c0bbc9
Instruction Fuzzy Hash: F442AB74604381AFDB22CF24C884FAABBE5FF48312F14452DF955872A0C7BAD849DB56

Function 006E6F9E Relevance: 52.3, APIs: 19, Strings: 8, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006E71C3
_memset.LIBCMT ref: 006E7539
_memmove.LIBCMT ref: 006E76AC

Strings

DEFINE, xrefs: 00722103
Q\E, xrefs: 006E7FCB
[:<:]], xrefs: 006E7479
\b(?<=\w), xrefs: 00723773
_n, xrefs: 007223CB
[:>:]], xrefs: 006E7492
\b(?=\w), xrefs: 00723769
3cn, xrefs: 007223A0

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: _memmove$_memset
String ID: 3cn$DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_n
API String ID: 1357608183-3756761606
Opcode ID: 22b5a9fa3de8a263fa6a73171eba72d42c9d15668160f48639d2ff3cbab10972
Instruction ID: ceb1a87afc89ab7b1d92bdb31fd771273ad80ab79e1d3d9e909007ea3ae02f5f
Opcode Fuzzy Hash: 22b5a9fa3de8a263fa6a73171eba72d42c9d15668160f48639d2ff3cbab10972
Instruction Fuzzy Hash: AF93A471A00369DFDB24CF58D8817ADB7B1FF58310F25816AE945AB381E7789E82CB50

Function 006D48D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 006D48DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0070D665
IsIconic.USER32(?), ref: 0070D66E
ShowWindow.USER32(?,00000009), ref: 0070D67B
SetForegroundWindow.USER32(?), ref: 0070D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0070D69B
GetCurrentThreadId.KERNEL32 ref: 0070D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 0070D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0070D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 0070D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 0070D6CF
SetForegroundWindow.USER32(?), ref: 0070D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0070D6E7
keybd_event.USER32(00000012,00000000), ref: 0070D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0070D6FC
keybd_event.USER32(00000012,00000000), ref: 0070D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 0070D70A
keybd_event.USER32(00000012,00000000), ref: 0070D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 0070D719
keybd_event.USER32(00000012,00000000), ref: 0070D71E
SetForegroundWindow.USER32(?), ref: 0070D721
AttachThreadInput.USER32(?,?,00000000), ref: 0070D748

Strings

Shell_TrayWnd, xrefs: 0070D660

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 2f22961e90a94b88c0640ef3d7514806e41989442c1f3d603ae0ff69dc5c8941
Instruction ID: a6471780c8d227fb7b18b0045f88908ba74c3677287123a066449a69bd1d7c81
Opcode Fuzzy Hash: 2f22961e90a94b88c0640ef3d7514806e41989442c1f3d603ae0ff69dc5c8941
Instruction Fuzzy Hash: CC317371A40318BBEB306BA19C49FBF7EACEB44B51F108025FA04EB1D1D6F45D11ABA5

Function 00728310 Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 007287E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0072882B
Part of subcall function 007287E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00728858
Part of subcall function 007287E1: GetLastError.KERNEL32 ref: 00728865

_memset.LIBCMT ref: 00728353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 007283A5
CloseHandle.KERNEL32(?), ref: 007283B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007283CD
GetProcessWindowStation.USER32 ref: 007283E6
SetProcessWindowStation.USER32(00000000), ref: 007283F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0072840A

Part of subcall function 007281CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00728309), ref: 007281E0
Part of subcall function 007281CB: CloseHandle.KERNEL32(?,?,00728309), ref: 007281F2

Strings

, xrefs: 00728362
winsta0, xrefs: 007283C8
default, xrefs: 00728405
winsta0\default, xrefs: 0072848B

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0$winsta0\default
API String ID: 2063423040-1685893292
Opcode ID: ccdb701927e51512ba254334575bf546f0ae983c958974c88ed6259dd4b5f27e
Instruction ID: cbb24271a213b198cc7bdeb6b071052e679675839bf923163f3b6249afb54fdb
Opcode Fuzzy Hash: ccdb701927e51512ba254334575bf546f0ae983c958974c88ed6259dd4b5f27e
Instruction Fuzzy Hash: 9081BF71802219EFDF51DFA1EC49AEE7B79FF04304F248169F910A2161DB7A8E14DB25

Function 0073C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0073C78D
FindClose.KERNEL32(00000000), ref: 0073C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0073C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0073C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 0073C844
__swprintf.LIBCMT ref: 0073C890
__swprintf.LIBCMT ref: 0073C8D3

Part of subcall function 006D7DE1: _memmove.LIBCMT ref: 006D7E22

__swprintf.LIBCMT ref: 0073C927

Part of subcall function 006F3698: __woutput_l.LIBCMT ref: 006F36F1

__swprintf.LIBCMT ref: 0073C975

Part of subcall function 006F3698: __flsbuf.LIBCMT ref: 006F3713
Part of subcall function 006F3698: __flsbuf.LIBCMT ref: 006F372B

__swprintf.LIBCMT ref: 0073C9C4
__swprintf.LIBCMT ref: 0073CA13
__swprintf.LIBCMT ref: 0073CA62

Strings

%4d, xrefs: 0073C8CD
%4d%02d%02d%02d%02d%02d, xrefs: 0073C88A
%02d, xrefs: 0073C91B, 0073C925, 0073C973, 0073C9C2, 0073CA11, 0073CA60

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 3c172cdc607400c6969e5c15680626e81f32b8cb1728af5c63a008f0712ec061
Instruction ID: f5f0e5545d166c8c7184aee6336fcc07792c19fa4a2a334bf6df34e00cd92b62
Opcode Fuzzy Hash: 3c172cdc607400c6969e5c15680626e81f32b8cb1728af5c63a008f0712ec061
Instruction Fuzzy Hash: 6CA12CB1808344ABD785EFA4C885DAFB7EDBF94700F40491EF595C7291EA34DA08CB66

Function 0073EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0073EFB6
_wcscmp.LIBCMT ref: 0073EFCB
_wcscmp.LIBCMT ref: 0073EFE2
GetFileAttributesW.KERNEL32(?), ref: 0073EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 0073F00E
FindNextFileW.KERNEL32(00000000,?), ref: 0073F026
FindClose.KERNEL32(00000000), ref: 0073F031
FindFirstFileW.KERNEL32(*.*,?), ref: 0073F04D
_wcscmp.LIBCMT ref: 0073F074
_wcscmp.LIBCMT ref: 0073F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 0073F09D
SetCurrentDirectoryW.KERNEL32(00788920), ref: 0073F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 0073F0C5
FindClose.KERNEL32(00000000), ref: 0073F0D2
FindClose.KERNEL32(00000000), ref: 0073F0E4

Strings

*.*, xrefs: 0073F048

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 74109c38c16a8c21e1feeec2f538df9be7a39c5231431e5cf61dd433f40afdee
Instruction ID: 86ef32874001a5c7efc670f56d2ec2b0dc31b43b7e31b6e1469e9b83ceb8ff84
Opcode Fuzzy Hash: 74109c38c16a8c21e1feeec2f538df9be7a39c5231431e5cf61dd433f40afdee
Instruction Fuzzy Hash: 6A31E7729002196AEB14ABB8DC48BEE77ACAF44361F104176F914D30A2DB78DA44CB55

Function 00750857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00750953
RegCreateKeyExW.ADVAPI32(?,?,00000000,0075F910,00000000,?,00000000,?,?), ref: 007509C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00750A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00750A92
RegCloseKey.ADVAPI32(?), ref: 00750DB2
RegCloseKey.ADVAPI32(00000000), ref: 00750DBF

Strings

REG_SZ, xrefs: 00750AD0
REG_EXPAND_SZ, xrefs: 00750A2F
REG_DWORD, xrefs: 00750C83
REG_QWORD, xrefs: 00750D00
REG_BINARY, xrefs: 00750D4D
REG_MULTI_SZ, xrefs: 00750B7A

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 963c1757ff373b803cb6c44164eb356dab7895439966fb90b0f0ef1f4c6b6e61
Instruction ID: 37a1319cd797be325634496a881fa59921e95a56fbed5e3f19a71f74f0810f31
Opcode Fuzzy Hash: 963c1757ff373b803cb6c44164eb356dab7895439966fb90b0f0ef1f4c6b6e61
Instruction Fuzzy Hash: AB029B75A006019FCB54EF24C851E6AB7E6FF89710F04885DF88A9B3A2DB74EC05CB95

Function 0075C5FE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfilenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 006D2612: GetWindowLongW.USER32(?,000000EB), ref: 006D2623

DragQueryPoint.SHELL32(?,?), ref: 0075C627

Part of subcall function 0075AB37: ClientToScreen.USER32(?,?), ref: 0075AB60
Part of subcall function 0075AB37: GetWindowRect.USER32(?,?), ref: 0075ABD6
Part of subcall function 0075AB37: PtInRect.USER32(?,?,0075C014), ref: 0075ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 0075C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0075C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0075C6BE
_wcscat.LIBCMT ref: 0075C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0075C705
SendMessageW.USER32(?,000000B0,?,?), ref: 0075C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 0075C735
SendMessageW.USER32(?,000000B1,?,?), ref: 0075C757
DragFinish.SHELL32(?), ref: 0075C75E
NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 0075C851

Strings

@GUI_DRAGFILE, xrefs: 0075C800
@GUI_DRAGID, xrefs: 0075C7C9
@GUI_DROPID, xrefs: 0075C77E

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 2166380349-3440237614
Opcode ID: 9f934bd743ffb67c33d42fbc90150f0b215393e3af867224b3395d8e6cfe0a87
Instruction ID: e7b8aecd5a521b5486418cb201503c1c2ed8ca278acf8f7060223b150c8b0a7d
Opcode Fuzzy Hash: 9f934bd743ffb67c33d42fbc90150f0b215393e3af867224b3395d8e6cfe0a87
Instruction Fuzzy Hash: 5C618C71508340AFC701EF64CC85EAFBBF9EF88710F00492EF591962A1DB74AA49CB56

Function 0073F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0073F113
_wcscmp.LIBCMT ref: 0073F128
_wcscmp.LIBCMT ref: 0073F13F

Part of subcall function 00734385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 007343A0

FindNextFileW.KERNEL32(00000000,?), ref: 0073F16E
FindClose.KERNEL32(00000000), ref: 0073F179
FindFirstFileW.KERNEL32(*.*,?), ref: 0073F195
_wcscmp.LIBCMT ref: 0073F1BC
_wcscmp.LIBCMT ref: 0073F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 0073F1E5
SetCurrentDirectoryW.KERNEL32(00788920), ref: 0073F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 0073F20D
FindClose.KERNEL32(00000000), ref: 0073F21A
FindClose.KERNEL32(00000000), ref: 0073F22C

Strings

*.*, xrefs: 0073F190

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 2a8b8442819c910f6cd6b8dc1e4ded46c02b87f3dae6c796818dffdbe616b0c7
Instruction ID: 62ca21be0555ac8289e72397fb631b8d00cfc7c7e82e9d064804ca89aee65ec9
Opcode Fuzzy Hash: 2a8b8442819c910f6cd6b8dc1e4ded46c02b87f3dae6c796818dffdbe616b0c7
Instruction Fuzzy Hash: 7831187690021DBAEB10AF74EC49EEF77ACAF453A0F104175E900E31A1DB78DE45CA58

Function 0073A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0073A20F
__swprintf.LIBCMT ref: 0073A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 0073A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0073A293
_memset.LIBCMT ref: 0073A2B2
_wcsncpy.LIBCMT ref: 0073A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0073A323
CloseHandle.KERNEL32(00000000), ref: 0073A32E
RemoveDirectoryW.KERNEL32(?), ref: 0073A337
CloseHandle.KERNEL32(00000000), ref: 0073A341

Strings

:, xrefs: 0073A252
\, xrefs: 0073A247
\??\%s, xrefs: 0073A22B

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 7ed002dd5727cf20c21f55273dfba33a6821a3d1ce4edb15b0258bea33f4390c
Instruction ID: 2f0ca87f216eb7cc92d24e794826c35f6ce823df368c51990cef3d407341c1c5
Opcode Fuzzy Hash: 7ed002dd5727cf20c21f55273dfba33a6821a3d1ce4edb15b0258bea33f4390c
Instruction Fuzzy Hash: 9331B5B1500219BBDB209FA0DC49FEB37BCEF89701F1041B6F608D6161E77496448B25

Function 0075C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 006D2612: GetWindowLongW.USER32(?,000000EB), ref: 006D2623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0075C1FC
GetFocus.USER32 ref: 0075C20C
GetDlgCtrlID.USER32(00000000), ref: 0075C217
_memset.LIBCMT ref: 0075C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0075C36D
GetMenuItemCount.USER32(?), ref: 0075C38D
GetMenuItemID.USER32(?,00000000), ref: 0075C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0075C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0075C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0075C454
NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 0075C489

Strings

0, xrefs: 0075C33A

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
String ID: 0
API String ID: 3616455698-4108050209
Opcode ID: 7ae7cd595296c28956c01f0baea4e188cd7c54c8a1ce0430c169037595b039d5
Instruction ID: 4fe44d5f3fb9c7d02ad5fb170265464ccf84e893add6f45d0fdff6f20aa5dd74
Opcode Fuzzy Hash: 7ae7cd595296c28956c01f0baea4e188cd7c54c8a1ce0430c169037595b039d5
Instruction Fuzzy Hash: 7B81AD706083559FE712CF14C894EABBBE8FB88315F00492EFD9597291D7B8D909CB62

Function 006E66E1 Relevance: 20.9, Strings: 16, Instructions: 889COMMON

Download Yara Rule

Strings

LIMIT_RECURSION=, xrefs: 007211FC
_n, xrefs: 00721465, 0072150C, 007215B4
UCP), xrefs: 0072110D
UTF), xrefs: 007210FA
NO_AUTO_POSSESS), xrefs: 0072112E
3cn, xrefs: 006E68FF
BSR_ANYCRLF), xrefs: 0072131E
CR), xrefs: 00721287
ANYCRLF), xrefs: 007212FB
UTF16), xrefs: 007210CF
LIMIT_MATCH=, xrefs: 00721170
LF), xrefs: 007212A4
ANY), xrefs: 007212DE
NO_START_OPT), xrefs: 0072114F
BSR_UNICODE), xrefs: 00721338
CRLF), xrefs: 007212C1

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID:
String ID: 3cn$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$_n
API String ID: 0-2685276619
Opcode ID: f8b8df0422456f07bc8ab1cc81ff4cf6c191011462f546b3ea86fcebf30223a9
Instruction ID: f32502fc61edef0e284e43fc9e13311a7ddc54156380b296e9ea3dc869c540f4
Opcode Fuzzy Hash: f8b8df0422456f07bc8ab1cc81ff4cf6c191011462f546b3ea86fcebf30223a9
Instruction Fuzzy Hash: 25728171E00369DBDB24CF59D8407EEB7B6FF54750F64816AE809EB281E7349A81CB90

Function 0073001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00730097
SetKeyboardState.USER32(?), ref: 00730102
GetAsyncKeyState.USER32(000000A0), ref: 00730122
GetKeyState.USER32(000000A0), ref: 00730139
GetAsyncKeyState.USER32(000000A1), ref: 00730168
GetKeyState.USER32(000000A1), ref: 00730179
GetAsyncKeyState.USER32(00000011), ref: 007301A5
GetKeyState.USER32(00000011), ref: 007301B3
GetAsyncKeyState.USER32(00000012), ref: 007301DC
GetKeyState.USER32(00000012), ref: 007301EA
GetAsyncKeyState.USER32(0000005B), ref: 00730213
GetKeyState.USER32(0000005B), ref: 00730221

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 6f0842543dd5618ad76065b7c7136d18dcd6d96658d4b067b01f3cfa39970530
Instruction ID: 2cb3a5cee38bfcdf5f7d79e347643d667830f4303213315f5c383060a1a33e76
Opcode Fuzzy Hash: 6f0842543dd5618ad76065b7c7136d18dcd6d96658d4b067b01f3cfa39970530
Instruction Fuzzy Hash: 2A51D92090478869FB35DBB488647EABFB49F01380F48459ED9C2575C3DAAC9B8CC7E1

Function 007503DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00750E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0074FDAD,?,?), ref: 00750E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007504AC

Part of subcall function 006D9837: __itow.LIBCMT ref: 006D9862
Part of subcall function 006D9837: __swprintf.LIBCMT ref: 006D98AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0075054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 007505E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00750822
RegCloseKey.ADVAPI32(00000000), ref: 0075082F

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 600eb297f20249b4e38771253af9f38b4333df342abe832778385a41ae4b4f0b
Instruction ID: d0edb9cfbf1ab51dc3f778c0e9e0ad76e5764eb75614459638bc9e35b938975d
Opcode Fuzzy Hash: 600eb297f20249b4e38771253af9f38b4333df342abe832778385a41ae4b4f0b
Instruction Fuzzy Hash: AEE18D31604200AFCB54DF28C895E6ABBE5FF89710F04896DF84ADB2A1DB75ED05CB91

Function 007483BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 006D9837: __itow.LIBCMT ref: 006D9862
Part of subcall function 006D9837: __swprintf.LIBCMT ref: 006D98AC

CoInitialize.OLE32 ref: 00748403
CoUninitialize.COMBASE ref: 0074840E
CoCreateInstance.COMBASE(?,00000000,00000017,00762BEC,?), ref: 0074846E
IIDFromString.COMBASE(?,?), ref: 007484E1
VariantInit.OLEAUT32(?), ref: 0074857B
VariantClear.OLEAUT32(?), ref: 007485DC

Strings

NULL Pointer assignment, xrefs: 007484B3
Invalid parameter, xrefs: 007484FA
Failed to create object, xrefs: 00748479, 0074852F

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 90527be8580ea5d2fb0b86dafaf38b66cfc57ec37223c7a4913b4857603e88da
Instruction ID: 4e13fc4d8c640c46f6e9a6946268e9b0fd3966a556a1bc8b5b0305701f50742f
Opcode Fuzzy Hash: 90527be8580ea5d2fb0b86dafaf38b66cfc57ec37223c7a4913b4857603e88da
Instruction Fuzzy Hash: B9619C706083169FC790EF24C848B6EB7E8AF49754F14481DF9859B291CB78ED44CBA3

Function 00744164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0074418B
EmptyClipboard.USER32 ref: 00744191
GlobalAlloc.KERNEL32(00000002,?), ref: 007441A6
CloseClipboard.USER32 ref: 00744245

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: de7baca6b115d3d8e9744820b1638f5f0d50808242036f12134aa6e9f6d800d4
Instruction ID: 77f5a24c1f0f2b5906fd9854e1818b18ca53f218a2c696ae8cb9cd9b4eeccbe4
Opcode Fuzzy Hash: de7baca6b115d3d8e9744820b1638f5f0d50808242036f12134aa6e9f6d800d4
Instruction Fuzzy Hash: F821C4756002149FDB10AF24EC09BAE7BA9FF04711F10C02AF946DB2B1DBB8AC01DB58

Function 007337EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006D4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006D4743,?,?,006D37AE,?), ref: 006D4770

Part of subcall function 00734A31: GetFileAttributesW.KERNEL32(?,0073370B), ref: 00734A32

FindFirstFileW.KERNEL32(?,?), ref: 007338A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0073394B
MoveFileW.KERNEL32(?,?), ref: 0073395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0073397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 0073399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 007339B9

Strings

\*.*, xrefs: 0073384E, 00733857, 0073386C

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 634e6c2a9c545bd09d20e5e8feb440427bcfbba2cbabb00fb7399d80b46bbcf1
Instruction ID: 017450a96179c05783c1c43754ff2d83ca5eaff0cbe000d27691370dde2fa764
Opcode Fuzzy Hash: 634e6c2a9c545bd09d20e5e8feb440427bcfbba2cbabb00fb7399d80b46bbcf1
Instruction Fuzzy Hash: 1451AF31C0514CEADF15EBA0C992DEDB77AAF10301F6040AAE4067B292EF356F09CB65

Function 0073F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 006D7DE1: _memmove.LIBCMT ref: 006D7E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0073F440
Sleep.KERNEL32(0000000A), ref: 0073F470
_wcscmp.LIBCMT ref: 0073F484
_wcscmp.LIBCMT ref: 0073F49F
FindNextFileW.KERNEL32(?,?), ref: 0073F53D
FindClose.KERNEL32(00000000), ref: 0073F553

Strings

*.*, xrefs: 0073F425

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 411532221206c7036e9c0a838b45dffacc6101720f0c93d460326ddd3976eabc
Instruction ID: 381eb735eb426ceda4a72c16f926392abfbca20905f712f896ac0ef4d4e3633f
Opcode Fuzzy Hash: 411532221206c7036e9c0a838b45dffacc6101720f0c93d460326ddd3976eabc
Instruction Fuzzy Hash: ED418C71C0021A9FDF50EF64CC49AEEBBB4FF04350F14406AE815A3292EB359E54CB54

Function 0075D43E Relevance: 12.3, APIs: 8, Instructions: 257windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 006D2612: GetWindowLongW.USER32(?,000000EB), ref: 006D2623

GetSystemMetrics.USER32(0000000F), ref: 0075D47C
GetSystemMetrics.USER32(0000000F), ref: 0075D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0075D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0075D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0075D716
ShowWindow.USER32(00000003,00000000), ref: 0075D735
InvalidateRect.USER32(?,00000000,00000001), ref: 0075D75A
NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 0075D77D

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
String ID:
API String ID: 830902736-0
Opcode ID: 4229cd8f51c508a24492596b1f9a193ded5a006b870b7f4958d259ea539e71de
Instruction ID: 1614f6b9e6b5933869de8a00442a57ee9144c82937067a687b6ac991bf81b0a6
Opcode Fuzzy Hash: 4229cd8f51c508a24492596b1f9a193ded5a006b870b7f4958d259ea539e71de
Instruction Fuzzy Hash: 25B16B71500225EBDF24CF68C9857E97BB1FF08712F048069ED489F295D7B8AD54CB50

Function 006E3030 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 587COMMON

Download Yara Rule

Strings

_n, xrefs: 006E3322
3cn, xrefs: 006E3225

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: __itow__swprintf
String ID: 3cn$_n
API String ID: 674341424-1566527804
Opcode ID: 41faf5e7e2b9e9abf7d1e2160ce0a4bc3eaa9aef7e5075b41a5cd00d63d1f147
Instruction ID: 9d609271543f5b825916eafb6e6158e9b2ac616f4f5c269b03f04f11d6b8cd06
Opcode Fuzzy Hash: 41faf5e7e2b9e9abf7d1e2160ce0a4bc3eaa9aef7e5075b41a5cd00d63d1f147
Instruction Fuzzy Hash: A322AC716083509FC764DF29C885BAEB7E6BF84700F00492DF99A97381DB35EA45CB92

Function 0072E616 Relevance: 11.1, APIs: 1, Strings: 6, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0072E628

Strings

|, xrefs: 0072E658
Release, xrefs: 0072E946
(, xrefs: 0072E66E
AddRef, xrefs: 0072E8FE
InterfaceDispatch, xrefs: 0072E7DE
QueryInterface, xrefs: 0072E871

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: lstrlen
String ID: ($AddRef$InterfaceDispatch$QueryInterface$Release$|
API String ID: 1659193697-2318614619
Opcode ID: bf1eed649bb47d8e3a262a264cbbe994e45c1ea0b93c3bfcd0816435445f47b3
Instruction ID: eb581520a8183995a7fb8c2dabb655ebf5e4965187238c6e4558862cc989f9c4
Opcode Fuzzy Hash: bf1eed649bb47d8e3a262a264cbbe994e45c1ea0b93c3bfcd0816435445f47b3
Instruction Fuzzy Hash: 90323475A007159FDB28CF19D480AAAB7F1FF48320B15C46EE89ADB3A1E774E941CB40

Function 006E5760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006E58A5
_memmove.LIBCMT ref: 006E58F5
_memmove.LIBCMT ref: 006E595B

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: a388155130b271214eef47e421c1d211c3c659811d96e9ef5cc35a3f291a23b2
Instruction ID: 91acd9564b916a1fda69d9f180e96215cb5a1b0ae9e97ff146ad999a1ed15442
Opcode Fuzzy Hash: a388155130b271214eef47e421c1d211c3c659811d96e9ef5cc35a3f291a23b2
Instruction Fuzzy Hash: 34129C70A00659DFDF04DFA5D981AEEB7F6FF48304F10452AE406E7252EB39A911CBA4

Function 00733B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006D4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006D4743,?,?,006D37AE,?), ref: 006D4770

Part of subcall function 00734A31: GetFileAttributesW.KERNEL32(?,0073370B), ref: 00734A32

FindFirstFileW.KERNEL32(?,?), ref: 00733B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 00733BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 00733BEA
FindClose.KERNEL32(00000000), ref: 00733C01
FindClose.KERNEL32(00000000), ref: 00733C0A

Strings

\*.*, xrefs: 00733B5B

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: b13bda9c4d4fa2fb5fbc23e96fc89b2976949ee8af6eb4dba540275aba97967f
Instruction ID: b38f1ab9f5d325cd4d606c1d7268206631d68235ea1de6759a3766c8aad9a4ea
Opcode Fuzzy Hash: b13bda9c4d4fa2fb5fbc23e96fc89b2976949ee8af6eb4dba540275aba97967f
Instruction Fuzzy Hash: E631A0714083849FD310EF24D891CEFB7A9BE91300F404E2EF4D596292EB25DA08C7AB

Function 007351BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 007287E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0072882B
Part of subcall function 007287E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00728858
Part of subcall function 007287E1: GetLastError.KERNEL32 ref: 00728865

ExitWindowsEx.USER32(?,00000000), ref: 007351F9

Strings

, xrefs: 007351E7
@, xrefs: 007351EC
SeShutdownPrivilege, xrefs: 007351C9

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: e4f2429f8c44cd46d024b98148773203eed6d93a166ac70ab7b84caab18ee090
Instruction ID: 8d8f2374f59585b4e2c31db92ed3ce33ff897fb756e26fc87676366f28e56a82
Opcode Fuzzy Hash: e4f2429f8c44cd46d024b98148773203eed6d93a166ac70ab7b84caab18ee090
Instruction Fuzzy Hash: 310126B17916196BF7686278AC8AFBB7268FB04341F240425F917E20D3DAAE5C008695

Function 00746283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 007462DC
WSAGetLastError.WS2_32(00000000), ref: 007462EB
bind.WS2_32(00000000,?,00000010), ref: 00746307
listen.WS2_32(00000000,00000005), ref: 00746316
WSAGetLastError.WS2_32(00000000), ref: 00746330
closesocket.WS2_32(00000000), ref: 00746344

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 2461672aa3c91957fc43601a99431b75c99fdca1451b88a15e7f5e91e686c5cd
Instruction ID: e3d17746b8f345179543059e1e9806a8565e9061e99b24517ad8f3cacd0eac1e
Opcode Fuzzy Hash: 2461672aa3c91957fc43601a99431b75c99fdca1451b88a15e7f5e91e686c5cd
Instruction Fuzzy Hash: AF21A0316002049FCB10EF64CC49A6EB7FAEF49721F15855AE816A73D1C778AD01CB65

Function 006E5520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 006F0DB6: std::exception::exception.LIBCMT ref: 006F0DEC
Part of subcall function 006F0DB6: __CxxThrowException@8.LIBCMT ref: 006F0E01

_memmove.LIBCMT ref: 00720258
_memmove.LIBCMT ref: 0072036D
_memmove.LIBCMT ref: 00720414

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 7cc1c2d402f63e8095de611fe85db89f4fda2e536985652e42162d2f469b029b
Instruction ID: 593adc981c47bcc53632df3a8a1940393d8e9c58a1934518a9ca9c5c236b0e13
Opcode Fuzzy Hash: 7cc1c2d402f63e8095de611fe85db89f4fda2e536985652e42162d2f469b029b
Instruction Fuzzy Hash: 7A02AFB0A00219DBDF04DF65D981ABE7BB6FF44300F14806AE80ADB356EB35D951CBA5

Function 006D1287 Relevance: 7.9, APIs: 5, Instructions: 379nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 006D2612: GetWindowLongW.USER32(?,000000EB), ref: 006D2623

NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 006D19FA
GetSysColor.USER32(0000000F), ref: 006D1A4E
SetBkColor.GDI32(?,00000000), ref: 006D1A61

Part of subcall function 006D1290: NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 006D12D8

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ColorDialogNtdllProc_$LongWindow
String ID:
API String ID: 591255283-0
Opcode ID: ba18166beab12f6d648cf772106cc2f94557b4667cb73e801bb6e4813b3fcc10
Instruction ID: c6516c09327f96f6027e4ef06d87d786d29a8f759718f75eba7eb2d169b1c054
Opcode Fuzzy Hash: ba18166beab12f6d648cf772106cc2f94557b4667cb73e801bb6e4813b3fcc10
Instruction Fuzzy Hash: 6FA18BB0912554FEE625AB294C58EFF259FDB43342B18421BF402DD3D6CBAC9E0283B5

Function 00746747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00747D8B: inet_addr.WS2_32(00000000), ref: 00747DB6

socket.WS2_32(00000002,00000002,00000011), ref: 0074679E
WSAGetLastError.WS2_32(00000000), ref: 007467C7
bind.WS2_32(00000000,?,00000010), ref: 00746800
WSAGetLastError.WS2_32(00000000), ref: 0074680D
closesocket.WS2_32(00000000), ref: 00746821

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: c43aa920e3b95522af11e1634741ab012711ac556a824591ddcdb33dddb12d46
Instruction ID: 22bad9a21c8d2def97f1e0f0226855c4f4e8411cc62c78c617475cec30852e51
Opcode Fuzzy Hash: c43aa920e3b95522af11e1634741ab012711ac556a824591ddcdb33dddb12d46
Instruction Fuzzy Hash: 9141D275E00210AFDB50BF24CC86F6E77AA9F49B14F04855DF915AB3C2CB749D0087A5

Function 00755376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 007553C5
IsWindowEnabled.USER32 ref: 007553D3
GetForegroundWindow.USER32(?,?,00000001), ref: 007553E0
IsIconic.USER32 ref: 007553EE
IsZoomed.USER32 ref: 007553FC

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 64c04c2ac9a16c7aa4b6bcacdef549659747fa24a4ea879ebbe812a436301620
Instruction ID: 587127d16626042f7eff35afc689d62f987657e784b889f4bc72537614225741
Opcode Fuzzy Hash: 64c04c2ac9a16c7aa4b6bcacdef549659747fa24a4ea879ebbe812a436301620
Instruction Fuzzy Hash: 75110431700A10AFDB216F26DC54AAE7B9DEF447A2B40842DFC09D3241DBF8DC0186A8

Function 007280A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007280C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007280CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007280D9
RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 007280E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007280F6

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: 205c47589395f84b22d4c9e54abfd369eccbb1f1555447ecdf1235f129336611
Instruction ID: 5ff4e5963c2f546e746ebd08dc8d0503301ee43fe71453ff8898011fe2f15568
Opcode Fuzzy Hash: 205c47589395f84b22d4c9e54abfd369eccbb1f1555447ecdf1235f129336611
Instruction Fuzzy Hash: E9F0C230206318AFEB100FA4EC8CEAB3BACEF49756B144029F909C3190CBA99C11DA61

Function 0074EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0074EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 0074EE4B

Part of subcall function 006D7DE1: _memmove.LIBCMT ref: 006D7E22

Process32NextW.KERNEL32(00000000,?), ref: 0074EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0074EF1A

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 232629a8117c93fe0e5d22b337b23903e8bd6d760283173a8b94f4f46d4b508c
Instruction ID: e4723d97ff3f09ac67550456a57b3cc1276f55f9132df7ea9295bd6f568619ab
Opcode Fuzzy Hash: 232629a8117c93fe0e5d22b337b23903e8bd6d760283173a8b94f4f46d4b508c
Instruction Fuzzy Hash: 21518D71904710AFD350EF24D885EABB7E9FF98710F10482EF595972A1EB70A908CB96

Function 0075C498 Relevance: 6.1, APIs: 4, Instructions: 83nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 006D2612: GetWindowLongW.USER32(?,000000EB), ref: 006D2623

GetCursorPos.USER32(?), ref: 0075C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0070B9AB,?,?,?,?,?), ref: 0075C4E7
GetCursorPos.USER32(?), ref: 0075C534
NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,0070B9AB,?,?,?), ref: 0075C56E

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
String ID:
API String ID: 1423138444-0
Opcode ID: 518bd652411e0e4d31c24eaa1bec89f7ba65bdb7eedc9a654d515ad937c57e12
Instruction ID: d3f9372ade2f69d458808739225ef140fc096cab08626b7e40276cb527fe1f67
Opcode Fuzzy Hash: 518bd652411e0e4d31c24eaa1bec89f7ba65bdb7eedc9a654d515ad937c57e12
Instruction Fuzzy Hash: A2310435600258EFCF12CF98C858EEA7BB5EB09311F104069FD058B261D779AD64DFA8

Function 006D1290 Relevance: 6.1, APIs: 4, Instructions: 59nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 006D2612: GetWindowLongW.USER32(?,000000EB), ref: 006D2623

NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 006D12D8
GetClientRect.USER32(?,?), ref: 0070B5FB
GetCursorPos.USER32(?), ref: 0070B605
ScreenToClient.USER32(?,?), ref: 0070B610

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
String ID:
API String ID: 1010295502-0
Opcode ID: b854533705144e031d23eae444ed5acda4cfcb36ae7e7c406aa5206187c6411c
Instruction ID: aaa9403f730c1b2bda6f588804121eaf89cab234ba04c8f7d411312808a9cdcf
Opcode Fuzzy Hash: b854533705144e031d23eae444ed5acda4cfcb36ae7e7c406aa5206187c6411c
Instruction Fuzzy Hash: 14113D35900119FFCB00DFA4D8859EE77BAFB06301F504466F901E7240D775BB918BA9

Function 007422EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0074180A,00000000), ref: 007423E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00742418

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: faf05fbdfb0b573489e701c7b5650199c7044e18697ffa89620120ff35f1b59c
Instruction ID: bd5584cce00c21c2124ac873d59b0ffa5fe9757fb4a7a4bde7271f574c36d70b
Opcode Fuzzy Hash: faf05fbdfb0b573489e701c7b5650199c7044e18697ffa89620120ff35f1b59c
Instruction Fuzzy Hash: 6141F571904309FFEB10DE99DC85EBBB7BDEB40314F90406EF601A7142DBB89E529664

Function 0073B333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0073B343
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0073B39D
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0073B3EA

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 1c59301b78fa6aedfe5792d733805482585f54d2225746535e053d85fb6fa2ae
Instruction ID: dee24b2d463795ebfdbdec11b5e5b2215f6fb09c5de1796e5316df790037e5f1
Opcode Fuzzy Hash: 1c59301b78fa6aedfe5792d733805482585f54d2225746535e053d85fb6fa2ae
Instruction Fuzzy Hash: 6D216D35A00618EFCB00EFA5D885AEDBBB9FF49310F1480AAE905EB351CB35A915CB54

Function 007287E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 006F0DB6: std::exception::exception.LIBCMT ref: 006F0DEC
Part of subcall function 006F0DB6: __CxxThrowException@8.LIBCMT ref: 006F0E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0072882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00728858
GetLastError.KERNEL32 ref: 00728865

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 82ca14cbed6e4ba4f53acf284f90ace38ce1cbfd1b4292861900fba9a680b4de
Instruction ID: 4b3ee0a8a14665f42d06a8042f981e03353c138de7d8c7e44a72183cb9b866cd
Opcode Fuzzy Hash: 82ca14cbed6e4ba4f53acf284f90ace38ce1cbfd1b4292861900fba9a680b4de
Instruction Fuzzy Hash: AE11BFB2814308AFE718EFA4EC85D6BB7F9EB04311B24852EF45583242EB75BC008B64

Function 0072874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00728774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0072878B
FreeSid.ADVAPI32(?), ref: 0072879B

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 7f21eaf1ff9958706ebe1a480b2305bc0f2bb044c05db7c31b16b74f69c6a0b9
Instruction ID: 43c8f874ecae40ff288e378a93766ab852fa672e0cb2d791c186489ea69a5303
Opcode Fuzzy Hash: 7f21eaf1ff9958706ebe1a480b2305bc0f2bb044c05db7c31b16b74f69c6a0b9
Instruction Fuzzy Hash: 34F04F75A1130CBFDF00DFF4DC89AEEB7BCEF08211F108469E905E2181D6755A048B54

Function 00734C7F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00734CB3

Strings

DOWN, xrefs: 00734C98

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: 39b5bf8ad008f64766e906c199d985ccc74dd57446066717aa8afc37235cbf1b
Instruction ID: f639e50daacffb17fd4380fb38ccf5b6029051e289a25dcce3130b1721f8bc30
Opcode Fuzzy Hash: 39b5bf8ad008f64766e906c199d985ccc74dd57446066717aa8afc37235cbf1b
Instruction Fuzzy Hash: DCE08C721DD7223CB9482959BC13EF7038C8B12331B20120AF810E54C2FD882C8269FC

Function 006D16DE Relevance: 3.1, APIs: 2, Instructions: 83nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 006D2612: GetWindowLongW.USER32(?,000000EB), ref: 006D2623

Part of subcall function 006D25DB: GetWindowLongW.USER32(?,000000EB), ref: 006D25EC

GetParent.USER32(?), ref: 0070B7BA
NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,006D19B3,?,?,?,00000006,?), ref: 0070B834

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: LongWindow$DialogNtdllParentProc_
String ID:
API String ID: 314495775-0
Opcode ID: 532f4f244c35464c951ad4b8f2219992407201cbedebfa88019a6f91ffbe225e
Instruction ID: 46f270dd6cee108abdd4cd0308545cf92a88f69d0b08ceb95f6baf36c124f931
Opcode Fuzzy Hash: 532f4f244c35464c951ad4b8f2219992407201cbedebfa88019a6f91ffbe225e
Instruction Fuzzy Hash: D621CE34A00114BFCB218F28C888DA93BE7AB5A320F588266F5255F3F2C7759E12DB50

Function 0073C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0073C6FB
FindClose.KERNEL32(00000000), ref: 0073C72B

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 33ff9c641cdaaeedbd9167d3ccdd54faabe5dd7e372276011fded4c08a411135
Instruction ID: 41e7a668b3b531f49c945dc3bcd6d5adf8a52c25e4f566799e80350bd240131c
Opcode Fuzzy Hash: 33ff9c641cdaaeedbd9167d3ccdd54faabe5dd7e372276011fded4c08a411135
Instruction Fuzzy Hash: F81182716002049FDB10DF29D845A6AF7E9FF45321F00891EF9A5D7391DB74A801CB95

Function 0075C57D Relevance: 3.0, APIs: 2, Instructions: 46nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 006D2612: GetWindowLongW.USER32(?,000000EB), ref: 006D2623

NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,0070B93A,?,?,?), ref: 0075C5F1

Part of subcall function 006D25DB: GetWindowLongW.USER32(?,000000EB), ref: 006D25EC

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0075C5D7

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: LongWindow$DialogMessageNtdllProc_Send
String ID:
API String ID: 1273190321-0
Opcode ID: cb3e1bf79f7fc67fb9808f9924b6205b9e69582eea17f9b4dc69430e3b868b71
Instruction ID: 6fae62dd65ad16271477d89b1973b76cd4e636115da20ea768b463ccaf7bd19f
Opcode Fuzzy Hash: cb3e1bf79f7fc67fb9808f9924b6205b9e69582eea17f9b4dc69430e3b868b71
Instruction Fuzzy Hash: 7801F530200314EFCB225F54DC54FAA3BB6FB85361F244129FD111B2E0CBB5A826DB50

Function 0075C93E Relevance: 3.0, APIs: 2, Instructions: 33nativeCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0075C961
NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,0070BA16,?,?,?,?,?), ref: 0075C98A

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ClientDialogNtdllProc_Screen
String ID:
API String ID: 3420055661-0
Opcode ID: 66b4ec13c0d0ce22a77a59e197d75852b33e227503bab6feba7de4b2862c822a
Instruction ID: a4f2018bf3ee71f68adb4d0b9d7d1c2fbebafd79f30546e5bf589b9ea76add8a
Opcode Fuzzy Hash: 66b4ec13c0d0ce22a77a59e197d75852b33e227503bab6feba7de4b2862c822a
Instruction Fuzzy Hash: 7AF06D32400218FFEB058F45DC09AEE7BB8FB04312F00415AF90152160D3B56A20DBA4

Function 0073A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00749468,?,0075FB84,?), ref: 0073A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00749468,?,0075FB84,?), ref: 0073A0A9

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 4ae2730e01e5b5d0fb483ec5dc4df2d71c5ba8b9fb5c31410985673efa69b6e1
Instruction ID: d91a7fbf31e0c83320d355a1b200b01cc29e75c22e61d93a3fc19090b71a28c8
Opcode Fuzzy Hash: 4ae2730e01e5b5d0fb483ec5dc4df2d71c5ba8b9fb5c31410985673efa69b6e1
Instruction Fuzzy Hash: EBF0823550532DBBEB21AFA4CC49FEA776DBF08361F008266F949D7181D6749940CBA1

Function 0075CA7C Relevance: 3.0, APIs: 2, Instructions: 23nativeCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0075CA84
NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,0070B995,?,?,?,?), ref: 0075CAB2

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 9a4143f4de473a0471d5dadf3cc50e44f797b3a9fbf177c2eb67e21f76dccb97
Instruction ID: 664fefc3fd5fb1de2802b58768932cb8ab53ece7a8a4c93f9f9b299ec518ee12
Opcode Fuzzy Hash: 9a4143f4de473a0471d5dadf3cc50e44f797b3a9fbf177c2eb67e21f76dccb97
Instruction Fuzzy Hash: CFE04F70100318BFEB159F19DC1AFFA3B54EB04752F50C115F956D91E1C6B498509764

Function 007281CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00728309), ref: 007281E0
CloseHandle.KERNEL32(?,?,00728309), ref: 007281F2

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 4e726929507e784fc0ffa6592838cbec6361e17e6176d88848ad700317aac28d
Instruction ID: 0fa11b1f36d6a891be6f1b8637111e452838b6ef6a9b9309d45019777f39a8e1
Opcode Fuzzy Hash: 4e726929507e784fc0ffa6592838cbec6361e17e6176d88848ad700317aac28d
Instruction Fuzzy Hash: 84E08C32001611AFFB612B20FC08DB37BEAEF00311B14C82DF9A6804B1CB62ACA0DB14

Function 006FA155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,00764178,006F8D57,t of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.,?,?,00000001), ref: 006FA15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 006FA163

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ab5b57990e0ff42989defd9161060ada092461d7535a8e9f4ee45063304972db
Instruction ID: cbeca91d90c7bb436d75edb79d741ba2d2006d53c438655129d04ae8825a3bf9
Opcode Fuzzy Hash: ab5b57990e0ff42989defd9161060ada092461d7535a8e9f4ee45063304972db
Instruction Fuzzy Hash: 3FB09231054308ABEA002F91ED09BC93F68EB44AA3F408020F60D84070CBA654508A99

Function 006FF1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9607ab3461df31b78389d913391e9fd8ec148fdf74827556932c562ae35cefa7
Instruction ID: a284322c0af655db45d5a885f01c20933d7a2d1a77223ffd06e997d2c3de7782
Opcode Fuzzy Hash: 9607ab3461df31b78389d913391e9fd8ec148fdf74827556932c562ae35cefa7
Instruction Fuzzy Hash: 2F323662D29F454DD7279634C832336A24AAFB73C8F15D737F82AB5EA5EB68C4834104

Function 0070242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfc6c85b0898dc42763eecc88b4034775aa1a6fd8c8da2235d30cbbafc99f54e
Instruction ID: c793e384f7bfdc9953c0c2c3d78d13a7bb4bc66762a7a10a5b8fd895e68c3b89
Opcode Fuzzy Hash: dfc6c85b0898dc42763eecc88b4034775aa1a6fd8c8da2235d30cbbafc99f54e
Instruction Fuzzy Hash: 32B11121D2AF404DD32396398835336BA8CAFBB2C5F51D71BFC2770E62EB6685834545

Function 00738889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0073889B

Part of subcall function 006F520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00738F6E,00000000,?,?,?,?,0073911F,00000000,?), ref: 006F5213
Part of subcall function 006F520A: __aulldiv.LIBCMT ref: 006F5233

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 9bd1a598274b7345ec40e6898f87e85915bf2db98508e0cef3e6086aa290e35c
Instruction ID: c7e4e03465598e2e84ac710dfbac7dd562b6e07dda01facf3b060f35b5dbe83a
Opcode Fuzzy Hash: 9bd1a598274b7345ec40e6898f87e85915bf2db98508e0cef3e6086aa290e35c
Instruction Fuzzy Hash: A821DF32635610CBD729CF29D841A92B3E1EBA4310F698F2DE1F5CB2D0CA38A905CB54

Function 0075D78C Relevance: 1.6, APIs: 1, Instructions: 66nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 006D2612: GetWindowLongW.USER32(?,000000EB), ref: 006D2623

NtdllDialogWndProc_W.NTDLL(?,00000112,?,00000000), ref: 0075D838

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 412acba1600a9d509866eea6590303501dc4aba82a7d49f5130659f9ccbc4b71
Instruction ID: 156a8d3a0ee2ba535ee5a5fb5fd40d61ea38bd1235a954a2e8ca0bc4681fe4f2
Opcode Fuzzy Hash: 412acba1600a9d509866eea6590303501dc4aba82a7d49f5130659f9ccbc4b71
Instruction Fuzzy Hash: A3112734204265FBEB355A2CCC0AFFA3704D745722F208725FD215B6E2CAECAD0893A4

Function 0075D3B8 Relevance: 1.5, APIs: 1, Instructions: 47nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 006D25DB: GetWindowLongW.USER32(?,000000EB), ref: 006D25EC

NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,0070B952,?,?,?,?,00000000,?), ref: 0075D432

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: b51375302dfa509c3cb9e46fceb93d3becf933b7fdc0b8539e2fab2510e543cc
Instruction ID: acdf5e44d1b04ce8e9795cb2e952d062162e239cc8e2a4ad5954470ad6ab84c4
Opcode Fuzzy Hash: b51375302dfa509c3cb9e46fceb93d3becf933b7fdc0b8539e2fab2510e543cc
Instruction Fuzzy Hash: 72012831600154AFDF348F25D849EF93B52EF46323F444125FD061B291C3B9BC5697A0

Function 006D189B Relevance: 1.5, APIs: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 006D2612: GetWindowLongW.USER32(?,000000EB), ref: 006D2623

NtdllDialogWndProc_W.NTDLL(?,00000006,00000000,?,?,?,006D1B04,?,?,?,?,?), ref: 006D18E2

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 4a66ef6b23d2d89cab076ddeb9ab65caecb10b9fdda6e7280b58f114ba64c11e
Instruction ID: 5aa80a1ef0188499c9fe97cba83b6ed3a5130b0fbd8c7bdcf649937e75892fc4
Opcode Fuzzy Hash: 4a66ef6b23d2d89cab076ddeb9ab65caecb10b9fdda6e7280b58f114ba64c11e
Instruction Fuzzy Hash: 1EF0BE30A00225EFDB09DF44D85096637A3EB10310F50812AF8524B3A1C775D960EB50

Function 0075C8BE Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 0075C8FE

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 2d57ac5a3ef8347cfedc250522560e172bc8457b79d8871f1862df0e2ab4357b
Instruction ID: 94069e0c474b26abc38c947d71444897aa434d2e2f88af822fbfaa13c7b4fe68
Opcode Fuzzy Hash: 2d57ac5a3ef8347cfedc250522560e172bc8457b79d8871f1862df0e2ab4357b
Instruction Fuzzy Hash: DAF03931200298AFDF22DE58DC05FD63B95AB09320F548019BA21672E2CAB86920D7A4

Function 007287B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00728389), ref: 007287D1

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 59304c250d44974475b5b3530cd037c1dc898038194889670fe6076f9ebc5d71
Instruction ID: 5f60c5b46e00959e05142414c0c45782f224715772bc51e1982b7774fd3ea5ec
Opcode Fuzzy Hash: 59304c250d44974475b5b3530cd037c1dc898038194889670fe6076f9ebc5d71
Instruction Fuzzy Hash: F1D05E3226060EABEF018EA4DC01EEE3B69EB04B01F408111FE15C50A1C7B5D835AB60

Function 0075C909 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,0070B9BC,?,?,?,?,?,?), ref: 0075C934

Part of subcall function 0075B635: _memset.LIBCMT ref: 0075B644
Part of subcall function 0075B635: _memset.LIBCMT ref: 0075B653
Part of subcall function 0075B635: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00796F20,00796F64), ref: 0075B682
Part of subcall function 0075B635: CloseHandle.KERNEL32 ref: 0075B694

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
String ID:
API String ID: 2364484715-0
Opcode ID: 02ff6dcffa393ab67c0c70a422b352ced25036c969f09ec1e4a6e9df4e66e5d7
Instruction ID: b0e6a91e8654c145ec50cbdf4e483903266dee3ab0b17b6c1a50f8d1c1b89c1a
Opcode Fuzzy Hash: 02ff6dcffa393ab67c0c70a422b352ced25036c969f09ec1e4a6e9df4e66e5d7
Instruction Fuzzy Hash: 89E01231110208EFCB02AF44DC14E9537A1FB08302F018011FE05072B2C7B5A824EF50

Function 006D167D Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 006D2612: GetWindowLongW.USER32(?,000000EB), ref: 006D2623

NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?,?,006D1AEE,?,?,?), ref: 006D16AB

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: d5cb8ff01fc31feaa495f7baa51c9844527adede61fa653edf3b7f74545e4a74
Instruction ID: 8694e93b0586eefbc1620018b55cc2ecb41c7e39a4c68aa593281288fc5109a5
Opcode Fuzzy Hash: d5cb8ff01fc31feaa495f7baa51c9844527adede61fa653edf3b7f74545e4a74
Instruction Fuzzy Hash: 55E0EC35500218FBCF56AF90DC21E643B26FB58310F508429FA450A2A1CA76A522DB54

Function 0075C860 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 0075C885

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 593d5a2dd2de73392836d908b658804111e9d083172cde3f0548426143aa2f3c
Instruction ID: be606fd3c4b65b7948de18d907f7f7fb1adcf26a28872fd5635ff9a5b0270480
Opcode Fuzzy Hash: 593d5a2dd2de73392836d908b658804111e9d083172cde3f0548426143aa2f3c
Instruction Fuzzy Hash: F0E0E235204208EFDB02DF88D884E863BA5AB1D300F008054FA0547262C771A830EB61

Function 0075C88F Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 0075C8B4

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 64725551eb05cd6eefa67b0bb2b518149daafaf2c0d89a974b806f7fd2eafe2a
Instruction ID: 11d84b0831fb73b9be16597742094f0dda714ec49851053e0c31ca62285b5289
Opcode Fuzzy Hash: 64725551eb05cd6eefa67b0bb2b518149daafaf2c0d89a974b806f7fd2eafe2a
Instruction Fuzzy Hash: 4DE0E235200208EFDB02DF88D844DC63BA5AB1D300F008054FA0547262C771A830EBA1

Function 006D16B5 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 006D2612: GetWindowLongW.USER32(?,000000EB), ref: 006D2623

Part of subcall function 006D201B: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 006D20D3
Part of subcall function 006D201B: KillTimer.USER32(-00000001,?,?,?,?,006D16CB,00000000,?,?,006D1AE2,?,?), ref: 006D216E

NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,006D1AE2,?,?), ref: 006D16D4

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Window$DestroyDialogKillLongNtdllProc_Timer
String ID:
API String ID: 2797419724-0
Opcode ID: 6b2f534b25bade9f2b306f4872022b741c531500501a08dd68fb96cca7ed65e2
Instruction ID: 8d0765068fb52ad3866b8dfc2f8f9734705c44b426753cad6b4cfa6316e710c9
Opcode Fuzzy Hash: 6b2f534b25bade9f2b306f4872022b741c531500501a08dd68fb96cca7ed65e2
Instruction Fuzzy Hash: 4CD01230540318B7DE122F91DC27F493A1A9B24750F50C025FA04692D3CAB5A960A55C

Function 006FA124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 006FA12A

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 059c1ea6d46cfb8a92f06533e2a2545dbf77a09abf5c8f6e17d094b5206f7e1d
Instruction ID: 19578f34d7fff65eb4ecb7015eb0f767de98a409101956b5771b5cc85d9f2b1b
Opcode Fuzzy Hash: 059c1ea6d46cfb8a92f06533e2a2545dbf77a09abf5c8f6e17d094b5206f7e1d
Instruction Fuzzy Hash: 77A0113000020CAB8A002F82EC08888BFACEA002A2B008020F80C800328BB2A8208A88

Function 006E8808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71d10a234d40b8966d59e43009603348f004c91283f4e5b98d97b85d9cfa7fbc
Instruction ID: bfc820b94dde31811fb884101b2f4dc6fce9496ff182fc0f9aef57cbd08dde13
Opcode Fuzzy Hash: 71d10a234d40b8966d59e43009603348f004c91283f4e5b98d97b85d9cfa7fbc
Instruction Fuzzy Hash: 16223A309057A6CFDF388B2ED4947BC77A2FB01344F28807AD94A9B692DB789D91C741

Function 006F21C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 52f8635b04f52f4a66fb0e48944b99e863eb7d10c9af4032f53df33f7cd15130
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 33C187322091974ADF2D463AC4740BEFBA25EA37B131A175DD9B3CF2D4EE10C965DA20

Function 006F25FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 775f834118f1213ac0e55cc59636a2b62426f93bfa9e6cf4cae80561b47d8a6e
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: FEC186322091974ADF2D463AC4341BEBAA25FA37F131A176DD5B3DF2D4EE10C925DA20

Function 006F1978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 003215ca6ef3f8675bd22e6b1fff24a8eb2626ed6399b5aec3c199872d1efb93
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 5AC184322091978ADF2D463AC4741BEBBA25EA37F131A175DD5B3CF2C4EE20C925D620

Function 01207C80 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1687079297.0000000001204000.00000040.00000020.00020000.00000000.sdmp, Offset: 01204000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1204000_987656789009800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: b078b4916dcb124aaec844f3a7f263c2acc9701e52af19c2bbc729884ee2c541
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: E041D371D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB80

Function 01207B10 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1687079297.0000000001204000.00000040.00000020.00020000.00000000.sdmp, Offset: 01204000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1204000_987656789009800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: f4e733027b2e08ea175fd124b8e840410dc2de1a75f28970066510bbe34fee37
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 0201A478A10509EFCB45DF98C5909AEF7F5FF48310F208699E959A7342E730AE41DB80

Function 01207B70 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1687079297.0000000001204000.00000040.00000020.00020000.00000000.sdmp, Offset: 01204000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1204000_987656789009800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 440c02113d36cc7e0d89d707513e4edeae1a31e59ba9c85c56dd2a422e8e60af
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 5301A478A10509EFCB45DF98C5909AEF7F5FF48310F208699D959A7342E730AE41DB80

Function 012064C0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1687079297.0000000001204000.00000040.00000020.00020000.00000000.sdmp, Offset: 01204000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1204000_987656789009800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00747806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0074785B
DeleteObject.GDI32(00000000), ref: 0074786D
DestroyWindow.USER32 ref: 0074787B
GetDesktopWindow.USER32 ref: 00747895
GetWindowRect.USER32(00000000), ref: 0074789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 007479DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 007479ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00747A35
GetClientRect.USER32(00000000,?), ref: 00747A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00747A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00747A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00747AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00747ABB
GlobalLock.KERNEL32(00000000), ref: 00747AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00747AD3
GlobalUnlock.KERNEL32(00000000), ref: 00747ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00747AE3
GlobalFree.KERNEL32(00000000), ref: 00747AEE
CreateStreamOnHGlobal.COMBASE(00000000,00000001,88C00000), ref: 00747B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00762CAC,00000000), ref: 00747B16
GlobalFree.KERNEL32(00000000), ref: 00747B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00747B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00747B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00747B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00747D7A

Strings

static, xrefs: 00747A75, 00747BCC
DISPLAY, xrefs: 00747BDD
, xrefs: 00747D00
AutoIt v3, xrefs: 00747A2D

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: dda86863ddabb85998c881ab17dece916ac1f5fea38e7d019f7feb989de83f7e
Instruction ID: f15abd5568e43d78052c9fd8331988a02c3719593680a21a31b71e6a6b7f8856
Opcode Fuzzy Hash: dda86863ddabb85998c881ab17dece916ac1f5fea38e7d019f7feb989de83f7e
Instruction Fuzzy Hash: 65029C71900219EFDB14DFA4DC89EAE7BB9FF48311F108159F905AB2A1CB78AD01CB64

Function 0075356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0075F910), ref: 00753627
IsWindowVisible.USER32(?), ref: 0075364B

Strings

GETLINECOUNT, xrefs: 007538C6
ISVISIBLE, xrefs: 00753637
TABLEFT, xrefs: 00753687
TABRIGHT, xrefs: 0075369D
EDITPASTE, xrefs: 0075395F
ISENABLED, xrefs: 0075366B
FINDSTRING, xrefs: 00753776
GETCURRENTCOL, xrefs: 00753928
SELECTSTRING, xrefs: 00753806
GETCURRENTSELECTION, xrefs: 007537E3
UNCHECK, xrefs: 00753883
DELSTRING, xrefs: 00753749
GETSELECTED, xrefs: 007538A3
GETCURRENTLINE, xrefs: 007538ED
CURRENTTAB, xrefs: 007536BD
SENDCOMMANDID, xrefs: 007539DA
ADDSTRING, xrefs: 00753716
SETCURRENTSELECTION, xrefs: 007537B6
CHECK, xrefs: 0075386D
GETLINE, xrefs: 0075399B
SHOWDROPDOWN, xrefs: 007536E0
HIDEDROPDOWN, xrefs: 00753700
ISCHECKED, xrefs: 00753839

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: a5d0ab243d756f205403f9571f3c19c2a96deb44c0fc101bd3906a4df8a71a38
Instruction ID: 7d81c7e57550746dad590d499d6eebc7b6e29f4e92807157530a1aa52b5d792b
Opcode Fuzzy Hash: a5d0ab243d756f205403f9571f3c19c2a96deb44c0fc101bd3906a4df8a71a38
Instruction Fuzzy Hash: D2D19E706043019BCB04EF20C555AAE77A2AF94385F08486DFD825B3B3DB79EE0ACB55

Function 0075A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0075A630
GetSysColorBrush.USER32(0000000F), ref: 0075A661
GetSysColor.USER32(0000000F), ref: 0075A66D
SetBkColor.GDI32(?,000000FF), ref: 0075A687
SelectObject.GDI32(?,00000000), ref: 0075A696
InflateRect.USER32(?,000000FF,000000FF), ref: 0075A6C1
GetSysColor.USER32(00000010), ref: 0075A6C9
CreateSolidBrush.GDI32(00000000), ref: 0075A6D0
FrameRect.USER32(?,?,00000000), ref: 0075A6DF
DeleteObject.GDI32(00000000), ref: 0075A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 0075A731
FillRect.USER32(?,?,00000000), ref: 0075A763
GetWindowLongW.USER32(?,000000F0), ref: 0075A78E

Part of subcall function 0075A8CA: GetSysColor.USER32(00000012), ref: 0075A903
Part of subcall function 0075A8CA: SetTextColor.GDI32(?,?), ref: 0075A907
Part of subcall function 0075A8CA: GetSysColorBrush.USER32(0000000F), ref: 0075A91D
Part of subcall function 0075A8CA: GetSysColor.USER32(0000000F), ref: 0075A928
Part of subcall function 0075A8CA: GetSysColor.USER32(00000011), ref: 0075A945
Part of subcall function 0075A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0075A953
Part of subcall function 0075A8CA: SelectObject.GDI32(?,00000000), ref: 0075A964
Part of subcall function 0075A8CA: SetBkColor.GDI32(?,00000000), ref: 0075A96D
Part of subcall function 0075A8CA: SelectObject.GDI32(?,?), ref: 0075A97A
Part of subcall function 0075A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0075A999
Part of subcall function 0075A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0075A9B0
Part of subcall function 0075A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0075A9C5
Part of subcall function 0075A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0075A9ED

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 2e848ea1fd51148215ab587d94cb56fe2993f1faef933fbe9c61df12d4ae3742
Instruction ID: d6345fd42f986d1d9fbd13ef9169953c5c0c3eebe1d593e41d0303a8da4888c1
Opcode Fuzzy Hash: 2e848ea1fd51148215ab587d94cb56fe2993f1faef933fbe9c61df12d4ae3742
Instruction Fuzzy Hash: 9C919E72408305FFD7119F64DC08A9B7BA9FF88322F148B29F962961E0D7B9D844CB56

Function 007474AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 007474DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0074759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 007475DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 007475ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00747633
GetClientRect.USER32(00000000,?), ref: 0074763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00747683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00747692
GetStockObject.GDI32(00000011), ref: 007476A2
SelectObject.GDI32(00000000,00000000), ref: 007476A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 007476B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007476BF
DeleteDC.GDI32(00000000), ref: 007476C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007476F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 0074770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00747746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0074775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 0074776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0074779B
GetStockObject.GDI32(00000011), ref: 007477A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 007477B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 007477BB

Strings

static, xrefs: 0074767D, 00747795
DISPLAY, xrefs: 00747688
msctls_progress32, xrefs: 0074773C
AutoIt v3, xrefs: 0074762B

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 17fd393b93cc405c35a353a3bfbc8e5c435910bc19209cbcb2d92d5212aeff2c
Instruction ID: 1775a184ab82b3b870ae13196fc6602d654b00510db9d9361fa032c7eeafb1cc
Opcode Fuzzy Hash: 17fd393b93cc405c35a353a3bfbc8e5c435910bc19209cbcb2d92d5212aeff2c
Instruction Fuzzy Hash: 09A171B1A40619BFEB14DBA4DC4AFAE7B69EB04711F008115FA15E72E0D7B4AD01CB64

Function 0073AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0073AD1E
GetDriveTypeW.KERNEL32(?,0075FAC0,?,\\.\,0075F910), ref: 0073ADFB
SetErrorMode.KERNEL32(00000000,0075FAC0,?,\\.\,0075F910), ref: 0073AF59

Strings

ATA, xrefs: 0073AED4
Fixed, xrefs: 0073AE43
MMC, xrefs: 0073AF1A
RAID, xrefs: 0073AEF7
RAMDisk, xrefs: 0073AE25
Virtual, xrefs: 0073AF21
Unknown, xrefs: 0073AE1B, 0073AEBF
SCSI, xrefs: 0073AEC6
Network, xrefs: 0073AE39
SSD, xrefs: 0073AE86
SATA, xrefs: 0073AF0C
PhysicalDrive, xrefs: 0073ADA7
1394, xrefs: 0073AEDB
CDROM, xrefs: 0073AE2F
FileBackedVirtual, xrefs: 0073AF28
Fibre, xrefs: 0073AEE9
iSCSI, xrefs: 0073AEFE
ATAPI, xrefs: 0073AECD
Removable, xrefs: 0073AE4D
SSA, xrefs: 0073AEE2
SAS, xrefs: 0073AF05
USB, xrefs: 0073AEF0
\\.\, xrefs: 0073AD70

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: e72e41c4c630b0f2a99170c05aa84ab03d3292c2a78997048b0df3742a6abad9
Instruction ID: babd4c8f687c99e18a259e351b4bbef2cbf3cfdd4b4c6028ac36b98f2c0079bb
Opcode Fuzzy Hash: e72e41c4c630b0f2a99170c05aa84ab03d3292c2a78997048b0df3742a6abad9
Instruction Fuzzy Hash: 65517FF4A8420AFB9B94EB10C943CB977A1EF48700F60855BE486A72D2DA7DDD01DB53

Function 006D68DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 006D6931
__wcsnicmp.LIBCMT ref: 006D6949
__wcsnicmp.LIBCMT ref: 006D6961
__wcsnicmp.LIBCMT ref: 006D6979
__wcsnicmp.LIBCMT ref: 006D6991
__wcsnicmp.LIBCMT ref: 006D69A9
__wcsnicmp.LIBCMT ref: 006D69C1
__wcsnicmp.LIBCMT ref: 006D69D5
__wcsnicmp.LIBCMT ref: 006D6A16
__wcsnicmp.LIBCMT ref: 006D6A2A
__wcsnicmp.LIBCMT ref: 006D6A3E
__wcsnicmp.LIBCMT ref: 006D6A52

Strings

#pragma compile, xrefs: 006D692B
#requireadmin, xrefs: 006D695B
#notrayicon, xrefs: 006D6943
Bad directive syntax error, xrefs: 0070E31A
Unterminated group of comments, xrefs: 0070E403
#OnAutoItStartRegister, xrefs: 006D6973
#comments-end, xrefs: 006D6A38
#cs, xrefs: 006D69CF, 006D6A24
#ce, xrefs: 006D6A4C
#include-once, xrefs: 006D698B
#comments-start, xrefs: 006D69BB, 006D6A10
Cannot parse #include, xrefs: 0070E3F0
#include, xrefs: 006D69A3

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 24e76d375d971f15b79f3469f222d0d55cddbdfdd15f153b97cb79e00371cb77
Instruction ID: c6bb1db3f92025f86a66e32cfa270b7c324d519704be9a649ef3fd82fa41c77c
Opcode Fuzzy Hash: 24e76d375d971f15b79f3469f222d0d55cddbdfdd15f153b97cb79e00371cb77
Instruction Fuzzy Hash: 74814EB1A4021AA6CB60BB60DC53FBF77AAAF05740F04402AFD45AB3D6EB74DD05C259

Function 006D2C18 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 006D2CA2
DeleteObject.GDI32(00000000), ref: 006D2CE8
DeleteObject.GDI32(00000000), ref: 006D2CF3
DestroyCursor.USER32(00000000), ref: 006D2CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 006D2D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0070C43B
6F550200.COMCTL32(?,000000FF,?), ref: 0070C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0070C89D

Part of subcall function 006D1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,006D2036,?,00000000,?,?,?,?,006D16CB,00000000,?), ref: 006D1B9A

SendMessageW.USER32(?,00001053), ref: 0070C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0070C8F1

Strings

0, xrefs: 0070C731

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: DestroyMessageSendWindow$DeleteObject$CursorF550200InvalidateMoveRect
String ID: 0
API String ID: 2586706302-4108050209
Opcode ID: 493efc3b0d813542aa70a270e94d9bc7b2df6866d67d247cd5442f2e9d7572ce
Instruction ID: 9365fddf00a4122b70742f9ca22fc0ae7553880aea063200f901507c95adb1a3
Opcode Fuzzy Hash: 493efc3b0d813542aa70a270e94d9bc7b2df6866d67d247cd5442f2e9d7572ce
Instruction Fuzzy Hash: 6D128D30500202EFDB62CF24C894BA9B7E6FF54311F54866AF955CB2A2C775EC52CB91

Function 0075A8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0075A903
SetTextColor.GDI32(?,?), ref: 0075A907
GetSysColorBrush.USER32(0000000F), ref: 0075A91D
GetSysColor.USER32(0000000F), ref: 0075A928
CreateSolidBrush.GDI32(?), ref: 0075A92D
GetSysColor.USER32(00000011), ref: 0075A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0075A953
SelectObject.GDI32(?,00000000), ref: 0075A964
SetBkColor.GDI32(?,00000000), ref: 0075A96D
SelectObject.GDI32(?,?), ref: 0075A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 0075A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0075A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 0075A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0075A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0075AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 0075AA32
DrawFocusRect.USER32(?,?), ref: 0075AA3D
GetSysColor.USER32(00000011), ref: 0075AA4B
SetTextColor.GDI32(?,00000000), ref: 0075AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0075AA67
SelectObject.GDI32(?,0075A5FA), ref: 0075AA7E
DeleteObject.GDI32(?), ref: 0075AA89
SelectObject.GDI32(?,?), ref: 0075AA8F
DeleteObject.GDI32(?), ref: 0075AA94
SetTextColor.GDI32(?,?), ref: 0075AA9A
SetBkColor.GDI32(?,?), ref: 0075AAA4

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: cd77837c683f0e2cb0bcc7cd32518638662e5ac96786cc9c609d3aa626418eda
Instruction ID: 92a221aa687c87f9fc1ab2101091b468ddfa73c998aa398a47e6d258cf425a6d
Opcode Fuzzy Hash: cd77837c683f0e2cb0bcc7cd32518638662e5ac96786cc9c609d3aa626418eda
Instruction Fuzzy Hash: 4C514D71900218FFDF119FA4DC48EEE7B79EF08321F118225F911AB2A1D7B99940CB94

Function 007589D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00758AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00758AD2
CharNextW.USER32(0000014E), ref: 00758B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00758B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00758B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00758B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00758B86
SetWindowTextW.USER32(?,0000014E), ref: 00758BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00758BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00758C1F
_memset.LIBCMT ref: 00758C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00758C8D
_memset.LIBCMT ref: 00758CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00758D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00758D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00758E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00758E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00758E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00758EB4
DrawMenuBar.USER32(?), ref: 00758EC3
SetWindowTextW.USER32(?,0000014E), ref: 00758EEB

Strings

0, xrefs: 00758E55

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: e99a3440900f578f3182ce6ec966c638df073745e85aace3d9124e284e1e6eca
Instruction ID: 6f28abc4c7506a3fab7aa3c908292318a74ef81c4d239b657be8ffc5e5ca4b51
Opcode Fuzzy Hash: e99a3440900f578f3182ce6ec966c638df073745e85aace3d9124e284e1e6eca
Instruction Fuzzy Hash: FBE17270900218EBDF509F60CC84EEE7BB9EF09711F10815AFD15AA290DBB88A84DF65

Function 0075488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 007549CA
GetDesktopWindow.USER32 ref: 007549DF
GetWindowRect.USER32(00000000), ref: 007549E6
GetWindowLongW.USER32(?,000000F0), ref: 00754A48
DestroyWindow.USER32(?), ref: 00754A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00754A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00754ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00754AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00754AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00754B09
IsWindowVisible.USER32(?), ref: 00754B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00754B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00754B58
GetWindowRect.USER32(?,?), ref: 00754B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00754B96
GetMonitorInfoW.USER32(00000000,?), ref: 00754BB0
CopyRect.USER32(?,?), ref: 00754BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00754C32

Strings

tooltips_class32, xrefs: 00754A96
0, xrefs: 00754975
(, xrefs: 00754BA3

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: dbe5a3c478bc6ced1c41a171b6a942662763563b4bd8d98d287b17d4e1d3b2f6
Instruction ID: fe704f02c875f2cf6cd6fa3eaff093450dc55887ea41033f08d502f81855000c
Opcode Fuzzy Hash: dbe5a3c478bc6ced1c41a171b6a942662763563b4bd8d98d287b17d4e1d3b2f6
Instruction Fuzzy Hash: 32B1AC70604340AFDB44DF64C848BAABBE5FF88305F00891DF9999B291D7B4EC49CB95

Function 006D27D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006D28BC
GetSystemMetrics.USER32(00000007), ref: 006D28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006D28EF
GetSystemMetrics.USER32(00000008), ref: 006D28F7
GetSystemMetrics.USER32(00000004), ref: 006D291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 006D2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 006D2949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 006D297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 006D2990
GetClientRect.USER32(00000000,000000FF), ref: 006D29AE
GetStockObject.GDI32(00000011), ref: 006D29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 006D29D5

Part of subcall function 006D2344: GetCursorPos.USER32(?), ref: 006D2357
Part of subcall function 006D2344: ScreenToClient.USER32(007957B0,?), ref: 006D2374
Part of subcall function 006D2344: GetAsyncKeyState.USER32(00000001), ref: 006D2399
Part of subcall function 006D2344: GetAsyncKeyState.USER32(00000002), ref: 006D23A7

SetTimer.USER32(00000000,00000000,00000028,006D1256), ref: 006D29FC

Strings

AutoIt v3 GUI, xrefs: 006D2974

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 5fe1c4e3d4c42d1043bff9672f53b86523c278772b4d9fee4b70f99e110e94a8
Instruction ID: 5dde92b2f13f7b612fba8984eaf4ab6b72c0cbe73578e9496e60db15669cd99d
Opcode Fuzzy Hash: 5fe1c4e3d4c42d1043bff9672f53b86523c278772b4d9fee4b70f99e110e94a8
Instruction Fuzzy Hash: 37B18C71A0020AEFDB15DFA8DC55BEE7BB5FB18311F10822AFA15A7390DB789841CB54

Function 0070A8CB Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 211COMMONLIBRARYCODE

Download Yara Rule

APIs

_copy_environ.LIBCMT ref: 0070A92B
___wtomb_environ.LIBCMT ref: 0070A94D

Part of subcall function 006F8B28: __getptd_noexit.LIBCMT ref: 006F8B28

__malloc_crt.LIBCMT ref: 0070A975
__malloc_crt.LIBCMT ref: 0070A992
_free.LIBCMT ref: 0070A9C9
__recalloc_crt.LIBCMT ref: 0070AA02
__recalloc_crt.LIBCMT ref: 0070AA47
_strlen.LIBCMT ref: 0070AA73
__calloc_crt.LIBCMT ref: 0070AA7D
_strlen.LIBCMT ref: 0070AA8C
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 0070AABA
_free.LIBCMT ref: 0070AAD4
_free.LIBCMT ref: 0070AAE1
_free.LIBCMT ref: 0070AAF3
__invoke_watson.LIBCMT ref: 0070AB0D

Strings

{no, xrefs: 0070AAAD
{no, xrefs: 0070A932

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
String ID: {no${no
API String ID: 884005220-186142753
Opcode ID: 8abee0d6eb5b733280a8959d11fd595310605681a60ae7a567e0005035a15703
Instruction ID: 5a5895f560c136460d37f4b09e66ba9fc141c2f26f54caa1d4f06060b0a537c5
Opcode Fuzzy Hash: 8abee0d6eb5b733280a8959d11fd595310605681a60ae7a567e0005035a15703
Instruction Fuzzy Hash: 1361E5B261470AFFDB119F64DD0176977E4EF00361F218319E901A71E1EB7CA941CB96

Function 0072A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0072A47A
__swprintf.LIBCMT ref: 0072A51B
_wcscmp.LIBCMT ref: 0072A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0072A583
_wcscmp.LIBCMT ref: 0072A5BF
GetClassNameW.USER32(?,?,00000400), ref: 0072A5F6
GetDlgCtrlID.USER32(?), ref: 0072A648
GetWindowRect.USER32(?,?), ref: 0072A67E
GetParent.USER32(?), ref: 0072A69C
ScreenToClient.USER32(00000000), ref: 0072A6A3
GetClassNameW.USER32(?,?,00000100), ref: 0072A71D
_wcscmp.LIBCMT ref: 0072A731
GetWindowTextW.USER32(?,?,00000400), ref: 0072A757
_wcscmp.LIBCMT ref: 0072A76B

Part of subcall function 006F362C: _iswctype.LIBCMT ref: 006F3634

Strings

%s%u, xrefs: 0072A515

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 40e31f0e31b6e415ec1ec4bf4ea4b732f668cf6d9f092e204a909f7fdb9d828c
Instruction ID: 9fae5d0c9ec7dfa41a9a3f927a27442d91b42f99fde910dc445dbe1cadd059a0
Opcode Fuzzy Hash: 40e31f0e31b6e415ec1ec4bf4ea4b732f668cf6d9f092e204a909f7fdb9d828c
Instruction Fuzzy Hash: F4A1E071204326BFD714DF64D888FAAB7E8FF44314F008529F999C2291DB38EA55CB96

Function 0072AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0072AF18
_wcscmp.LIBCMT ref: 0072AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 0072AF51
CharUpperBuffW.USER32(?,00000000), ref: 0072AF6E
_wcscmp.LIBCMT ref: 0072AF8C
_wcsstr.LIBCMT ref: 0072AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 0072AFD5
_wcscmp.LIBCMT ref: 0072AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 0072B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 0072B055
_wcscmp.LIBCMT ref: 0072B065
GetClassNameW.USER32(00000010,?,00000400), ref: 0072B08D
GetWindowRect.USER32(00000004,?), ref: 0072B0F6

Strings

ThumbnailClass, xrefs: 0072AFE0, 0072B060
@, xrefs: 0072AEF9

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 183ec10c7d52f8ef67760941c042af19ed5a01d08e18c7c0fa866c4f46cc5474
Instruction ID: 9a0c1629c33097910e846180690faf5651c9b2595d67e1f52f680565e4b683e3
Opcode Fuzzy Hash: 183ec10c7d52f8ef67760941c042af19ed5a01d08e18c7c0fa866c4f46cc5474
Instruction Fuzzy Hash: 6781CF71008319ABDB11DF14D985FBABBE9FF84314F04846AFD858A092DB38DD49CB61

Function 0072ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0072AC33

Strings

[ALL, xrefs: 0072ACD9
HANDLE=, xrefs: 0072AC2C
[CLASS:, xrefs: 0072AC83
REGEXP=, xrefs: 0072AC48
[REGEXPTITLE:, xrefs: 0072AC5B
[ACTIVE, xrefs: 0072AC20
LAST, xrefs: 0072ABF8
CLASSNAME=, xrefs: 0072AC70
ACTIVE, xrefs: 0072AC0E
ALL, xrefs: 0072ACC7
[HANDLE:, xrefs: 0072AC3F
[LAST, xrefs: 0072ACE0

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 276cb76445848cf785d9e757ae2520aaa9fa7ee716582d4e9142ef2df3230814
Instruction ID: 07b3f586bcbfa735cd15e2ed15daf9887c94036da56659b236fef5baa9fafddd
Opcode Fuzzy Hash: 276cb76445848cf785d9e757ae2520aaa9fa7ee716582d4e9142ef2df3230814
Instruction Fuzzy Hash: E131B470988219ABDA18FA64EE53EBE77659B20750F30401EB402711D1FE699F04C6A7

Function 00744FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00745013
LoadCursorW.USER32(00000000,00007F00), ref: 0074501E
LoadCursorW.USER32(00000000,00007F03), ref: 00745029
LoadCursorW.USER32(00000000,00007F8B), ref: 00745034
LoadCursorW.USER32(00000000,00007F01), ref: 0074503F
LoadCursorW.USER32(00000000,00007F81), ref: 0074504A
LoadCursorW.USER32(00000000,00007F88), ref: 00745055
LoadCursorW.USER32(00000000,00007F80), ref: 00745060
LoadCursorW.USER32(00000000,00007F86), ref: 0074506B
LoadCursorW.USER32(00000000,00007F83), ref: 00745076
LoadCursorW.USER32(00000000,00007F85), ref: 00745081
LoadCursorW.USER32(00000000,00007F82), ref: 0074508C
LoadCursorW.USER32(00000000,00007F84), ref: 00745097
LoadCursorW.USER32(00000000,00007F04), ref: 007450A2
LoadCursorW.USER32(00000000,00007F02), ref: 007450AD
LoadCursorW.USER32(00000000,00007F89), ref: 007450B8
GetCursorInfo.USER32(?), ref: 007450C8

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 431c94fcc101b2360935d3fdef4da87c0d505976a667f4d9d8d7b9e69fd7d28e
Instruction ID: 4c90785127d78a9594a3c25e634f5db4701ad9fac6cc57f21c87e13b37ba347d
Opcode Fuzzy Hash: 431c94fcc101b2360935d3fdef4da87c0d505976a667f4d9d8d7b9e69fd7d28e
Instruction Fuzzy Hash: 003103B1D0831D6ADB109FB68C8999EBFE8FB08750F50452AE50CE7281DB7865008EA5

Function 0075A1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0075A259
DestroyWindow.USER32(?,?), ref: 0075A2D3

Part of subcall function 006D7BCC: _memmove.LIBCMT ref: 006D7C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0075A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0075A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0075A382
DestroyWindow.USER32(00000000), ref: 0075A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,006D0000,00000000), ref: 0075A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0075A3F4
GetDesktopWindow.USER32 ref: 0075A40D
GetWindowRect.USER32(00000000), ref: 0075A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0075A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0075A444

Part of subcall function 006D25DB: GetWindowLongW.USER32(?,000000EB), ref: 006D25EC

Strings

tooltips_class32, xrefs: 0075A346, 0075A3D4
0, xrefs: 0075A26F

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 1aec6b624dd15885465e1af04febf14f34e22e1869fb7febe616c9b311bb36cd
Instruction ID: 194ea63bb6caa26c2098f287b268645479cad6909b48f222c301ce39eae71f96
Opcode Fuzzy Hash: 1aec6b624dd15885465e1af04febf14f34e22e1869fb7febe616c9b311bb36cd
Instruction Fuzzy Hash: 9E71AC70540345AFD721CF28CC49FAA7BE6FB88305F04862DF985872A0D7B9E906CB56

Function 00754392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00754424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0075446F

Strings

EXPAND, xrefs: 00754521
EXISTS, xrefs: 007544D8
UNCHECK, xrefs: 0075464B
GETSELECTED, xrefs: 0075457F
GETTOTALCOUNT, xrefs: 00754456
COLLAPSE, xrefs: 007544B5
SELECT, xrefs: 00754620
GETITEMCOUNT, xrefs: 00754551
CHECK, xrefs: 0075448F
GETTEXT, xrefs: 007545C2
ISCHECKED, xrefs: 007545F2

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 33016ee6337afbdfff2f87f640c81e04824a7e3a26b1e8ea35f2b44a3f0d939a
Instruction ID: f4461a9dfe11126f2b2f78a4884bfc01b50f68da28929fdfd23cde19f2e191ee
Opcode Fuzzy Hash: 33016ee6337afbdfff2f87f640c81e04824a7e3a26b1e8ea35f2b44a3f0d939a
Instruction Fuzzy Hash: 84918B306047019FCB04EF20C451AAEB7E2AF95754F04886DFC925B3A2DB78ED4ACB95

Function 0075B7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0075B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00756B11,?), ref: 0075B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0075B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0075B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0075B9C3
FreeLibrary.KERNEL32(?), ref: 0075B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0075B9DF
DestroyCursor.USER32(?), ref: 0075B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0075BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0075BA17

Part of subcall function 006F2EFD: __wcsicmp_l.LIBCMT ref: 006F2F86

Strings

.dll, xrefs: 0075B86D
.icl, xrefs: 0075B82A
.exe, xrefs: 0075B84A

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 3907162815-1154884017
Opcode ID: 73c27d2b6340dac9a00a4ca1d7a927ad19e95ca2c98258bb345399dd92212051
Instruction ID: a4a910f8220b692d04ca5c8b1de7fd5aaf79875b22d923f92c368226dea6fa61
Opcode Fuzzy Hash: 73c27d2b6340dac9a00a4ca1d7a927ad19e95ca2c98258bb345399dd92212051
Instruction Fuzzy Hash: 9B61CE71900219FAEB14DF64DC45FFA7BA8EB08712F10851AFE15D61C0DBB8A984DBA0

Function 0073A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 006D9837: __itow.LIBCMT ref: 006D9862
Part of subcall function 006D9837: __swprintf.LIBCMT ref: 006D98AC

CharLowerBuffW.USER32(?,?), ref: 0073A3CB
GetDriveTypeW.KERNEL32 ref: 0073A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0073A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0073A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0073A4C5

Part of subcall function 006D7BCC: _memmove.LIBCMT ref: 006D7C06

Strings

type cdaudio alias cd wait, xrefs: 0073A443
close, xrefs: 0073A3D1
closed, xrefs: 0073A3DF, 0073A3E8
open, xrefs: 0073A3F2
set cd door , xrefs: 0073A466
open , xrefs: 0073A427
wait, xrefs: 0073A482
close cd wait, xrefs: 0073A4B0

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: a23175e407c79c06807752da3bd0683cb4f01978abd185953fc88e62a3d23551
Instruction ID: a712689ca8f7273995ac4169c7e78b4ed11941ed40b7900bbf2a0434c9502c9e
Opcode Fuzzy Hash: a23175e407c79c06807752da3bd0683cb4f01978abd185953fc88e62a3d23551
Instruction Fuzzy Hash: 30518D71504345AFC780EF24C89186AB3E5EF88718F40886EF886973A2DB35ED09CB56

Function 0072F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0070E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0072F8DF
LoadStringW.USER32(00000000,?,0070E029,00000001), ref: 0072F8E8

Part of subcall function 006D7DE1: _memmove.LIBCMT ref: 006D7E22

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,0070E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0072F90A
LoadStringW.USER32(00000000,?,0070E029,00000001), ref: 0072F90D
__swprintf.LIBCMT ref: 0072F95D
__swprintf.LIBCMT ref: 0072F96E
_wprintf.LIBCMT ref: 0072FA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0072FA2E

Strings

^ ERROR, xrefs: 0072F9C3
Line %d (File "%s"):, xrefs: 0072F957
Error: , xrefs: 0072F9E5
Line %d:, xrefs: 0072F968
%s (%d) : ==> %s: %s %s, xrefs: 0072FA12

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: b1894df753f3f13c6c249009da73de527aebb454b616992acdc02357676822d4
Instruction ID: 098253960afc086800f4e1e11948dadbc9d5d2ebda7ea001484191cd74eaa8bc
Opcode Fuzzy Hash: b1894df753f3f13c6c249009da73de527aebb454b616992acdc02357676822d4
Instruction Fuzzy Hash: 57414D72C0021DAACB44FFE0DD56DEEB779AF14300F50006AF505B6192EA356F49CB65

Function 0075BA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 0075BA56
GetFileSize.KERNEL32(00000000,00000000), ref: 0075BA6D
GlobalAlloc.KERNEL32(00000002,00000000), ref: 0075BA78
CloseHandle.KERNEL32(00000000), ref: 0075BA85
GlobalLock.KERNEL32(00000000), ref: 0075BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0075BA9D
GlobalUnlock.KERNEL32(00000000), ref: 0075BAA6
CloseHandle.KERNEL32(00000000), ref: 0075BAAD
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0075BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00762CAC,?), ref: 0075BAD7
GlobalFree.KERNEL32(00000000), ref: 0075BAE7
GetObjectW.GDI32(?,00000018,000000FF), ref: 0075BB0B
CopyImage.USER32(?,00000000,?,?,00002000), ref: 0075BB36
DeleteObject.GDI32(00000000), ref: 0075BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0075BB74

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 55a4fd906a01f6a1f6f5065c8ec7c79ab048c89bf86479c1d9c4977ae1305da5
Instruction ID: ea15813bd3ffc3d4700114d5b8284e26e488f5258fb53ebeab5e36994bf107ca
Opcode Fuzzy Hash: 55a4fd906a01f6a1f6f5065c8ec7c79ab048c89bf86479c1d9c4977ae1305da5
Instruction Fuzzy Hash: FB4108B5600208EFDB119F65DC88EFABBB9FB89712F108069F905D7260D7B89905CB64

Function 006D6A8C Relevance: 21.5, APIs: 4, Strings: 8, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 006F0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,006D6B0C,?,00008000), ref: 006F0973

Part of subcall function 006D4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006D4743,?,?,006D37AE,?), ref: 006D4770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 006D6BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 006D6CFA

Part of subcall function 006D586D: _wcscpy.LIBCMT ref: 006D58A5

Part of subcall function 006F363D: _iswctype.LIBCMT ref: 006F3645

Strings

AU3!, xrefs: 006D6B61
Unterminated string, xrefs: 0070E7E4
/vm, xrefs: 0070E4ED, 0070E511
Error opening the file, xrefs: 0070E43D, 0070E4B8
Bad directive syntax error, xrefs: 0070E79D
>>>AUTOIT SCRIPT<<<, xrefs: 0070E496
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0070E421
EA06, xrefs: 0070E452

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$/vm$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1393011383
Opcode ID: 07af09e81172cf483e9d4e17da0fdd8f68085ad3d510417fc20b38ebbb2dfd4d
Instruction ID: 66e2dc50a943f06519554c80023f471f04ff3ad1f1d5e1bf0b1fe58192547d3d
Opcode Fuzzy Hash: 07af09e81172cf483e9d4e17da0fdd8f68085ad3d510417fc20b38ebbb2dfd4d
Instruction Fuzzy Hash: 8002AB70908341DFC764EF24C8819AFBBE6AF94314F10492EF49A973A2DB34D949CB56

Function 0073D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0073DA10
_wcscat.LIBCMT ref: 0073DA28
_wcscat.LIBCMT ref: 0073DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0073DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 0073DA63
GetFileAttributesW.KERNEL32(?), ref: 0073DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 0073DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 0073DAA7

Strings

*.*, xrefs: 0073DAE6

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 123f66bb859491ec6b3e4139e41b71590e6c4ff539cd64f20a83abe721fda47a
Instruction ID: ff6fbcf8845cb77e14bd6d417f74b2d52d40c27a6991d3189e9282bf75524df8
Opcode Fuzzy Hash: 123f66bb859491ec6b3e4139e41b71590e6c4ff539cd64f20a83abe721fda47a
Instruction Fuzzy Hash: BD81A1B19042459FDB70DF64D844AAAB7E9FF88310F14882EF889C7252E738ED44CB52

Function 0074731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0074738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0074739B
CreateCompatibleDC.GDI32(?), ref: 007473A7
SelectObject.GDI32(00000000,?), ref: 007473B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00747408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00747444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00747468
SelectObject.GDI32(00000006,?), ref: 00747470
DeleteObject.GDI32(?), ref: 00747479
DeleteDC.GDI32(00000006), ref: 00747480
ReleaseDC.USER32(00000000,?), ref: 0074748B

Strings

(, xrefs: 00747410

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 3fa3d907f4c691a2e76c4d9e3005fedf33e2efe165f76eaee07115bbb77b7ced
Instruction ID: 275986b0469af21133e3abffaa5b29a4f338e77164a63a4e6d9cf864da7a4ed2
Opcode Fuzzy Hash: 3fa3d907f4c691a2e76c4d9e3005fedf33e2efe165f76eaee07115bbb77b7ced
Instruction Fuzzy Hash: 4D514771904349EFCB14CFA8CC85EAEBBB9EF48310F14842DFA9A97251C775A940CB54

Function 00732D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00732D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00732DDD
GetMenuItemCount.USER32(00795890), ref: 00732E66
DeleteMenu.USER32(00795890,00000005,00000000,000000F5,?,?), ref: 00732EF6
DeleteMenu.USER32(00795890,00000004,00000000), ref: 00732EFE
DeleteMenu.USER32(00795890,00000006,00000000), ref: 00732F06
DeleteMenu.USER32(00795890,00000003,00000000), ref: 00732F0E
GetMenuItemCount.USER32(00795890), ref: 00732F16
SetMenuItemInfoW.USER32(00795890,00000004,00000000,00000030), ref: 00732F4C
GetCursorPos.USER32(?), ref: 00732F56
SetForegroundWindow.USER32(00000000), ref: 00732F5F
TrackPopupMenuEx.USER32(00795890,00000000,?,00000000,00000000,00000000), ref: 00732F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00732F7E

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 531a1575acb8b90cad27618707b4dac246ea32580a94c1db527786ae3532b8c3
Instruction ID: 5a75e2760ab6f6af1b1aecf21c4ec4329aa5907a54f47bed34fa5d2d076a425d
Opcode Fuzzy Hash: 531a1575acb8b90cad27618707b4dac246ea32580a94c1db527786ae3532b8c3
Instruction Fuzzy Hash: 1271D470640209BEFB219F54DC4AFAABF64FF04714F104216F625AA1E3C7B96C21DB95

Function 007277DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 006D7BCC: _memmove.LIBCMT ref: 006D7C06

_memset.LIBCMT ref: 0072786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007278A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007278BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007278D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00727902
CLSIDFromString.COMBASE(?,?), ref: 0072792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00727935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0072793A

Strings

SOFTWARE\Classes\, xrefs: 0072780C
\IPC$, xrefs: 00727882
\CLSID, xrefs: 00727822

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: e52fbfd60b0ebbc5202fa7f1db4e57d03f3310f3962b3eac987de7d51b954be5
Instruction ID: 01ba38b962aea748a34dd9d6ad1afdb73e0d2a125949f79e1277253aaa4a4e0b
Opcode Fuzzy Hash: e52fbfd60b0ebbc5202fa7f1db4e57d03f3310f3962b3eac987de7d51b954be5
Instruction Fuzzy Hash: 67411672C1422DAACF15EBA4EC95DEEB779FF04310F44406AE805A72A1EA749E04CB94

Function 00750E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0074FDAD,?,?), ref: 00750E31

Strings

HKU, xrefs: 00750F43
HKCC, xrefs: 00750EFF
HKEY_CURRENT_CONFIG, xrefs: 00750EEE
HKEY_CLASSES_ROOT, xrefs: 00750EC4
HKEY_LOCAL_MACHINE, xrefs: 00750E9A
HKLM, xrefs: 00750EAF
HKEY_CURRENT_USER, xrefs: 00750F10
HKEY_USERS, xrefs: 00750F32
HKCU, xrefs: 00750F21
HKCR, xrefs: 00750ED9

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 57cf991c096a76b8e06e14df512cf1975f1cd40a81d87a65a98c4506255c5d0e
Instruction ID: 897f53fb93fc5c98035f243adcaf69d3ecc6e227131fd2c112e1db543d878cc4
Opcode Fuzzy Hash: 57cf991c096a76b8e06e14df512cf1975f1cd40a81d87a65a98c4506255c5d0e
Instruction Fuzzy Hash: F3418E3114028A8BEF60EF10D966AFF3761BF11301F140429FD561B293DB789D1ACBA0

Function 0072F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0070E2A0,00000010,?,Bad directive syntax error,0075F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0072F7C2
LoadStringW.USER32(00000000,?,0070E2A0,00000010), ref: 0072F7C9

Part of subcall function 006D7DE1: _memmove.LIBCMT ref: 006D7E22

_wprintf.LIBCMT ref: 0072F7FC
__swprintf.LIBCMT ref: 0072F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0072F88D

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 0072F7F7
., xrefs: 0072F873
Line %d (File "%s"):, xrefs: 0072F833
Line %d:, xrefs: 0072F818
Error: , xrefs: 0072F85B

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 70f0a76e8e6ce0f1850aae393b2ae6b956c9a6f36c28ad88164e5aeae06e3a2d
Instruction ID: 27c59a3beba6ead76f14e413e500fef8eb58e883dfdc0b4f0b472b61b97d67f0
Opcode Fuzzy Hash: 70f0a76e8e6ce0f1850aae393b2ae6b956c9a6f36c28ad88164e5aeae06e3a2d
Instruction Fuzzy Hash: 6F218D32C4021EEFCF51EF90CC0AEEEB73ABF18300F04046AF505661A1EA75A618CB55

Function 007352C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 006D7BCC: _memmove.LIBCMT ref: 006D7C06

Part of subcall function 006D7924: _memmove.LIBCMT ref: 006D79AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00735330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00735346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00735357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00735369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0073537A

Strings

play PlayMe, xrefs: 00735375
alias PlayMe, xrefs: 00735309
status PlayMe mode, xrefs: 0073532B
open , xrefs: 007352DF
play PlayMe wait, xrefs: 00735364
close PlayMe, xrefs: 00735341, 0073536E

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 1731e8bfd132f9340b0755b8d247e4321488c1109b87614f9fde322677fd98a7
Instruction ID: 723878df4e02c829532cf719d4683ef8e6977d9bb8869d3ccdd7c863206e85a5
Opcode Fuzzy Hash: 1731e8bfd132f9340b0755b8d247e4321488c1109b87614f9fde322677fd98a7
Instruction Fuzzy Hash: 74119471E9016979D7A0B7B5CC5ADFF7B7CEF96B44F80042AB401A21D2FEA40D04C6A6

Function 007346B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 007346D2
gethostname.WS2_32(?,00000100), ref: 007346EC
gethostbyname.WS2_32(?), ref: 007346F9
_wcscpy.LIBCMT ref: 00734721
_memmove.LIBCMT ref: 00734734
inet_ntoa.WS2_32(?), ref: 0073473F
_strcat.LIBCMT ref: 0073474D
_wcscpy.LIBCMT ref: 00734764
WSACleanup.WS2_32 ref: 00734772
_wcscpy.LIBCMT ref: 00734780

Strings

0.0.0.0, xrefs: 0073471B

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 5937fb8e618363fc1699267c5622b5510ecfbfff2f51a0fa56a5d6a31b51cf54
Instruction ID: 03ac61344c3ff0371a80919d7df099d38364e170580b0638666fa92530a865ad
Opcode Fuzzy Hash: 5937fb8e618363fc1699267c5622b5510ecfbfff2f51a0fa56a5d6a31b51cf54
Instruction Fuzzy Hash: 19110A31500219AFEB54AB309C4AEFB77BCEF02712F0441BAF54596092FFB9AD818B55

Function 00734F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00734F7A

Part of subcall function 006F049F: timeGetTime.WINMM(?,75C0B400,006E0E7B), ref: 006F04A3

Sleep.KERNEL32(0000000A), ref: 00734FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00734FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00734FEC
SetActiveWindow.USER32 ref: 0073500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00735019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00735038
Sleep.KERNEL32(000000FA), ref: 00735043
IsWindow.USER32 ref: 0073504F
EndDialog.USER32(00000000), ref: 00735060

Strings

BUTTON, xrefs: 00734FDE

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 3f3da818c6f853e672900b8d97b90a881dc5ece05236c0eef6b20a6a001461bc
Instruction ID: cb558bc6bd7975836afcb601de725d7d49492b07d3e427f0a0fffedf7b5e01a4
Opcode Fuzzy Hash: 3f3da818c6f853e672900b8d97b90a881dc5ece05236c0eef6b20a6a001461bc
Instruction Fuzzy Hash: 0421C6B0200705EFF7159F30EC89A663B69EB0A746F0A9125F101821B2DBBD9D218769

Function 0073D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 006D9837: __itow.LIBCMT ref: 006D9862
Part of subcall function 006D9837: __swprintf.LIBCMT ref: 006D98AC

CoInitialize.OLE32(00000000), ref: 0073D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0073D67D
SHGetDesktopFolder.SHELL32(?), ref: 0073D691
CoCreateInstance.COMBASE(00762D7C,00000000,00000001,00788C1C,?), ref: 0073D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0073D74C
CoTaskMemFree.COMBASE(?), ref: 0073D7A4
_memset.LIBCMT ref: 0073D7E1
SHBrowseForFolderW.SHELL32(?), ref: 0073D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0073D840
CoTaskMemFree.COMBASE(00000000), ref: 0073D847
CoTaskMemFree.COMBASE(00000000), ref: 0073D87E
CoUninitialize.COMBASE ref: 0073D880

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 528c3b934b61554280485b383d2ea9d488faa2c91833e040e5b2cac2939af7af
Instruction ID: d0fa5807c49cedf3e9a98efabd9b866965ca43a8b751b6a3f40b05d0c564a886
Opcode Fuzzy Hash: 528c3b934b61554280485b383d2ea9d488faa2c91833e040e5b2cac2939af7af
Instruction Fuzzy Hash: B3B11975A00209EFDB14DFA4D888DAEBBB9FF48314F048469E909EB261DB34ED41CB54

Function 0072C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0072C283
GetWindowRect.USER32(00000000,?), ref: 0072C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0072C2F3
GetDlgItem.USER32(?,00000002), ref: 0072C2FE
GetWindowRect.USER32(00000000,?), ref: 0072C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0072C364
GetDlgItem.USER32(?,000003E9), ref: 0072C372
GetWindowRect.USER32(00000000,?), ref: 0072C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0072C3C6
GetDlgItem.USER32(?,000003EA), ref: 0072C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0072C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 0072C3FE

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 02cccf1199c6c5c00f7f3b78be78775a7962c305bc0c1bdcb40dddc977c0111f
Instruction ID: 5447be782f3ec7214bfcd8a3ec8a03bbea61cc5b70beb25c22ea0c421ce3cc62
Opcode Fuzzy Hash: 02cccf1199c6c5c00f7f3b78be78775a7962c305bc0c1bdcb40dddc977c0111f
Instruction Fuzzy Hash: 54516071B00305AFDB18CFA9DD89AAEBBBAFB98311F14852DF515D7290D7B49D008B14

Function 006D21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 006D25DB: GetWindowLongW.USER32(?,000000EB), ref: 006D25EC

GetSysColor.USER32(0000000F), ref: 006D21D3

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 543402a4c4f56d781c899bdc18b5f2ebb3a45fa05d855945eebb765f0d646de2
Instruction ID: c37e41bb7a32dfc094f37e0d0989995fc8c02ba2d101b95ba790ee27c19e7801
Opcode Fuzzy Hash: 543402a4c4f56d781c899bdc18b5f2ebb3a45fa05d855945eebb765f0d646de2
Instruction Fuzzy Hash: B941D431404605DBDB215F28DC98BF93BA6EB16331F248366FE618A3E1C7758E42DB21

Function 0073A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0075F910), ref: 0073A90B
GetDriveTypeW.KERNEL32(00000061,007889A0,00000061), ref: 0073A9D5
_wcscpy.LIBCMT ref: 0073A9FF

Strings

removable, xrefs: 0073A93D
ramdisk, xrefs: 0073A97F
cdrom, xrefs: 0073A927
all, xrefs: 0073A911
fixed, xrefs: 0073A953
unknown, xrefs: 0073A996
network, xrefs: 0073A969

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: a7d6fcc749cecf9b945ce8eb9ed98ecc5618fc34cf36b25b6b5e1fca0d7bcf46
Instruction ID: ed87b73ab01327a8d9580e02f8e14c8f363edf10f64db1732e8128cbd81ed486
Opcode Fuzzy Hash: a7d6fcc749cecf9b945ce8eb9ed98ecc5618fc34cf36b25b6b5e1fca0d7bcf46
Instruction Fuzzy Hash: 8951AD31518301AFD340EF14C992AAFB7AAEF84300F50482EF5D5972A3DB35A909CB53

Function 006D9837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 006D9862
__swprintf.LIBCMT ref: 006D98AC
__i64tow.LIBCMT ref: 0070F5E6

Strings

False, xrefs: 0070F5AE
True, xrefs: 0070F5A7
%.15g, xrefs: 006D98A6
0x%p, xrefs: 0070F5C8

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: feea7da157d44cce1ce92bacca008c9550ab927fcb0837b9fd867d0cf73831ad
Instruction ID: eb2c0ef06c304565c26bd151e16774b2bbbfef1ef5237907c0197031c22dc691
Opcode Fuzzy Hash: feea7da157d44cce1ce92bacca008c9550ab927fcb0837b9fd867d0cf73831ad
Instruction Fuzzy Hash: D241E371910209EEEB64DF34DC42A7A73EAEF05700F20496FE54AD7382EA359902DB21

Function 006E6192 Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006E6248
_memmove.LIBCMT ref: 006E62E4
_memset.LIBCMT ref: 006E6308

Strings

ERCP, xrefs: 006E61B3
failed to get memory, xrefs: 006E6326
argument not compiled in 16 bit mode, xrefs: 00720D77
3cn, xrefs: 006E62AF
internal error: opcode not recognized, xrefs: 006E631B
argument is not a compiled regular expression, xrefs: 00720D87
internal error: missing capturing bracket, xrefs: 00720D7F

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: _memset$_memmove
String ID: 3cn$ERCP$argument is not a compiled regular expression$argument not compiled in 16 bit mode$failed to get memory$internal error: missing capturing bracket$internal error: opcode not recognized
API String ID: 2532777613-1634663518
Opcode ID: 0a03be6d66caa2ee151c7db7c0e5dfcba344ca427cf96ee3e61714cdb740594e
Instruction ID: 1239019770f6f2841ba822d35cf46686cd40dc15ead5814797a98d3146fc6ee2
Opcode Fuzzy Hash: 0a03be6d66caa2ee151c7db7c0e5dfcba344ca427cf96ee3e61714cdb740594e
Instruction Fuzzy Hash: D651C070A01309DFDB24CF66C8417EAB7E5EF14344F20857EEA4AD7241E774AA45CB90

Function 00757152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0075716A
CreateMenu.USER32 ref: 00757185
SetMenu.USER32(?,00000000), ref: 00757194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00757221
IsMenu.USER32(?), ref: 00757237
CreatePopupMenu.USER32 ref: 00757241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0075726E
DrawMenuBar.USER32 ref: 00757276

Strings

F, xrefs: 00757262
0, xrefs: 00757160

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 07e85258e2b065f4ffd30cdc3776b9933ee9a65a2a302489a72d503bc6a688eb
Instruction ID: 9e5d1bcef78542918f872c8f88cf11c3934195897d0d30048158a686cfcd76ab
Opcode Fuzzy Hash: 07e85258e2b065f4ffd30cdc3776b9933ee9a65a2a302489a72d503bc6a688eb
Instruction Fuzzy Hash: 43414674A01209AFDB14DF64E844EDA7BB5FF48351F148029FD0597360D7B5A924CB94

Function 007574BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0075755E
CreateCompatibleDC.GDI32(00000000), ref: 00757565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00757578
SelectObject.GDI32(00000000,00000000), ref: 00757580
GetPixel.GDI32(00000000,00000000,00000000), ref: 0075758B
DeleteDC.GDI32(00000000), ref: 00757594
GetWindowLongW.USER32(?,000000EC), ref: 0075759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 007575B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 007575BE

Strings

static, xrefs: 007574F6

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: faa348713f3b080cb7c2313c8fb89f2d1d10c05123ac22f71828295fdc9ed1ee
Instruction ID: 892400ae129d27ac9075ba59128efe7d866e9db041529a05e3cebf1cf23a3329
Opcode Fuzzy Hash: faa348713f3b080cb7c2313c8fb89f2d1d10c05123ac22f71828295fdc9ed1ee
Instruction Fuzzy Hash: 77317071104218BBDF169F64DC08FDB3B6DFF09322F114225FA15961A0D7B9D825DBA4

Function 006F6E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006F6E3E

Part of subcall function 006F8B28: __getptd_noexit.LIBCMT ref: 006F8B28

__gmtime64_s.LIBCMT ref: 006F6ED7
__gmtime64_s.LIBCMT ref: 006F6F0D
__gmtime64_s.LIBCMT ref: 006F6F2A
__allrem.LIBCMT ref: 006F6F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006F6F9C
__allrem.LIBCMT ref: 006F6FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006F6FD1
__allrem.LIBCMT ref: 006F6FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006F7006
__invoke_watson.LIBCMT ref: 006F7077

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 5dc30ce40c7c7e16445364f3ff34612485c94d1b0a4f88dd2e6d7fa6e55f9ef0
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: C871E8B6A0471BEBD7149E68DC42BBAB7EAAF05724F148229F614D72C1EB74DD008790

Function 00732527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00732542
GetMenuItemInfoW.USER32(00795890,000000FF,00000000,00000030), ref: 007325A3
SetMenuItemInfoW.USER32(00795890,00000004,00000000,00000030), ref: 007325D9
Sleep.KERNEL32(000001F4), ref: 007325EB
GetMenuItemCount.USER32(?), ref: 0073262F
GetMenuItemID.USER32(?,00000000), ref: 0073264B
GetMenuItemID.USER32(?,-00000001), ref: 00732675
GetMenuItemID.USER32(?,?), ref: 007326BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00732700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00732714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00732735

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 396808b73878b959dc3464738b1934cdbed0676061574f2b4f0d3154c8051422
Instruction ID: 8c895cdab0a128bcd47b1b564030c44583a261cb07fdeb2497b31e87a2d7121e
Opcode Fuzzy Hash: 396808b73878b959dc3464738b1934cdbed0676061574f2b4f0d3154c8051422
Instruction Fuzzy Hash: 22618BB0900259EFEB11CF64DC89DAE7BB8FF41304F144059E942A7253D779AE16DB21

Function 00756F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00756FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00756FA8
GetWindowLongW.USER32(?,000000F0), ref: 00756FCC
_memset.LIBCMT ref: 00756FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00756FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00757067

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 5d0bda45d7a2225f5e55593d9be82f2a33b4228c1f8683c8de105784f9873d6c
Instruction ID: 7c902562f2d06d4730d7eedb72fd16fbe6f6b1e1290499d6fe7438c5812f65bb
Opcode Fuzzy Hash: 5d0bda45d7a2225f5e55593d9be82f2a33b4228c1f8683c8de105784f9873d6c
Instruction Fuzzy Hash: 16617E71900218AFDB11DFA4DC81EEE77F8EB08711F10415AFA14AB2A1C7B9AD45CB50

Function 00726B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00726BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00726C18
VariantInit.OLEAUT32(?), ref: 00726C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00726C4A
VariantCopy.OLEAUT32(?,?), ref: 00726C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00726CB1
VariantClear.OLEAUT32(?), ref: 00726CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00726CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00726CDC
VariantClear.OLEAUT32(?), ref: 00726CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00726CF9

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 4ae8bcb7cd1c2f4712485733c709890ef0db40874343ff47b39373a8cce413eb
Instruction ID: c0400b2706e43e392fc596fcb2f222769246ff44d1a9377e125ed32cda5e00b5
Opcode Fuzzy Hash: 4ae8bcb7cd1c2f4712485733c709890ef0db40874343ff47b39373a8cce413eb
Instruction Fuzzy Hash: 3A415271A00229DFCF00EF64D848DEEBBB9EF08351F00C06AE955E7261CB75A945CBA4

Function 00749113 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00749167
VariantInit.OLEAUT32(?), ref: 00749238
VariantInit.OLEAUT32(?), ref: 00749339
VariantClear.OLEAUT32(?), ref: 00749343
VariantClear.OLEAUT32(?), ref: 007493A0

Strings

_NewEnum, xrefs: 00749121
Incorrect Object type in FOR..IN loop, xrefs: 0074931C
get__NewEnum, xrefs: 0074913F
Null Object assignment in FOR..IN loop, xrefs: 007491C8, 007492F6, 007493AE

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$_NewEnum$get__NewEnum
API String ID: 2862541840-1765764032
Opcode ID: 30853888bb6d9c34a5f7f4cf8f062bdbf99024bbb6b68bafb55defe846c4c345
Instruction ID: 5bc76d9b71d5632486ee8c61e56bb94183d00f1f73e582dc1723c22b98130d85
Opcode Fuzzy Hash: 30853888bb6d9c34a5f7f4cf8f062bdbf99024bbb6b68bafb55defe846c4c345
Instruction Fuzzy Hash: B1919E71A00219EBDF24DFA5C848FAFB7B8EF46710F108559FA15AB281D7789905CFA0

Function 00745732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 00745793
inet_addr.WS2_32(?), ref: 007457D8
gethostbyname.WS2_32(?), ref: 007457E4
IcmpCreateFile.IPHLPAPI ref: 007457F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00745862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00745878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 007458ED
WSACleanup.WS2_32 ref: 007458F3

Strings

Ping, xrefs: 00745816

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: fd988c0e3ae5f1614a95f369ff0fe011ee5fd892b2649ee1bea5aadbbf7968a2
Instruction ID: 1a0f83f016e2d8b34bec98dc8e8a154e64ec3af4ce4dce11ee9489611bf06821
Opcode Fuzzy Hash: fd988c0e3ae5f1614a95f369ff0fe011ee5fd892b2649ee1bea5aadbbf7968a2
Instruction Fuzzy Hash: CE518F31604700DFD710EF25DC45B6A77E9EF48720F04892AF956DB2A2DB78E900DB55

Function 0073B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0073B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0073B546
GetLastError.KERNEL32 ref: 0073B550
SetErrorMode.KERNEL32(00000000,READY), ref: 0073B5BD

Strings

INVALID, xrefs: 0073B58F
READONLY, xrefs: 0073B588
UNKNOWN, xrefs: 0073B575
NOTREADY, xrefs: 0073B57C
READY, xrefs: 0073B596

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 5830e1c68133c2e57fce14d755e8d8fa9d12dcccc36d8227c9de8fb12f5daef6
Instruction ID: 29344a8286839d8078cbfedd410502fae054484579dcd8d0c4c462febcdf27eb
Opcode Fuzzy Hash: 5830e1c68133c2e57fce14d755e8d8fa9d12dcccc36d8227c9de8fb12f5daef6
Instruction Fuzzy Hash: 4B31C6B5A40209EFEB00EF68C885EAD7BB4FF44311F54402AF602DB292DB799A11CB51

Function 00728F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006D7DE1: _memmove.LIBCMT ref: 006D7E22

Part of subcall function 0072AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0072AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00729014
GetDlgCtrlID.USER32 ref: 0072901F
GetParent.USER32 ref: 0072903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 0072903E
GetDlgCtrlID.USER32(?), ref: 00729047
GetParent.USER32(?), ref: 00729063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00729066

Strings

ComboBox, xrefs: 00728F9C
ListBox, xrefs: 00728FD1

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 1564c30b6c8db423c522e09addd1cfef90f64a1a9b74550d6d613533e1b7c19b
Instruction ID: fcf43d11212792ed19b8353931c54c2cfea8595b3a695f66d15f6914c9f350c1
Opcode Fuzzy Hash: 1564c30b6c8db423c522e09addd1cfef90f64a1a9b74550d6d613533e1b7c19b
Instruction Fuzzy Hash: D321D370A00209BBDF14ABA4DC85EFEBBB5EF49310F10411AF962972A1DB799815DB24

Function 0072907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006D7DE1: _memmove.LIBCMT ref: 006D7E22

Part of subcall function 0072AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0072AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 007290FD
GetDlgCtrlID.USER32 ref: 00729108
GetParent.USER32 ref: 00729124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00729127
GetDlgCtrlID.USER32(?), ref: 00729130
GetParent.USER32(?), ref: 0072914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 0072914F

Strings

ComboBox, xrefs: 00729087
ListBox, xrefs: 007290BC

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 28173d807ab1ea5b884d3de121d309fc14cf3d0fffd66c39fb635b81931b060e
Instruction ID: 95445ac4a26061a0093a16531e904497a85c7dff29b813f3b0260337a5da96b9
Opcode Fuzzy Hash: 28173d807ab1ea5b884d3de121d309fc14cf3d0fffd66c39fb635b81931b060e
Instruction Fuzzy Hash: D521D374A00209FBDF10ABA5DC89EFEBBB5EF44300F10401AFA51972A1DB798815DB24

Function 00729163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0072916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00729184
_wcscmp.LIBCMT ref: 00729196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00729211

Strings

details, xrefs: 007291BF
largeicons, xrefs: 007291A5
smallicons, xrefs: 007291D9
SHELLDLL_DefView, xrefs: 00729190
list, xrefs: 007291F3

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: d06df1b96fc38e576eb951a5e05f7f101c2551d0228d67320fa0efdba8672e70
Instruction ID: be61b571426b9931c77556456d8d30b4a3512da33f231880b9c0a808e46b3745
Opcode Fuzzy Hash: d06df1b96fc38e576eb951a5e05f7f101c2551d0228d67320fa0efdba8672e70
Instruction Fuzzy Hash: BE110D7618831BF5FA153624FC16DB737DCEB15720F30002AFB11A50D2FE99A8515A98

Function 007488AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007488D7
CoInitialize.OLE32(00000000), ref: 00748904
CoUninitialize.COMBASE ref: 0074890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00748A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00748B3B
CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002,?,00000001,00762C0C), ref: 00748B6F
CoGetObject.OLE32(?,00000000,00762C0C,?), ref: 00748B92
SetErrorMode.KERNEL32(00000000), ref: 00748BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00748C25
VariantClear.OLEAUT32(?), ref: 00748C35

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 974dde0cfa3221d8d13a862dd2796a547ecb7e469a8f30d039a8a0ce8b710d23
Instruction ID: dd4e13837c482ca4be99682a63e11bdf1c7e6ff67024c53cd2dd4b69693351f4
Opcode Fuzzy Hash: 974dde0cfa3221d8d13a862dd2796a547ecb7e469a8f30d039a8a0ce8b710d23
Instruction Fuzzy Hash: CEC125B1608309AFC740DF64C88496BB7E9FF89348F00495DF98A9B251DB75ED05CB62

Function 00737990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00737A6C

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 571d9e9a9adf85397956bb24c38e46367607ca1bfb34da813bc6bf9d1e7551fd
Instruction ID: 187a935c584451d1ae80d0a2ddc830a88e61d4ced4c99758be6537b39743e066
Opcode Fuzzy Hash: 571d9e9a9adf85397956bb24c38e46367607ca1bfb34da813bc6bf9d1e7551fd
Instruction Fuzzy Hash: AEB1A2B190420A9FEB24DF94C885BBEB7F9FF09321F144429E541E7252D778E941DBA0

Function 007311CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 007311F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00730268,?,00000001), ref: 00731204
GetWindowThreadProcessId.USER32(00000000), ref: 0073120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00730268,?,00000001), ref: 0073121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0073122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00730268,?,00000001), ref: 00731245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00730268,?,00000001), ref: 00731257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00730268,?,00000001), ref: 0073129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00730268,?,00000001), ref: 007312B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00730268,?,00000001), ref: 007312BC

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: f17b71df0218d619a077aac27e4fb1d7d575ab2d60298a1ed955ddff432d5d5f
Instruction ID: 16aed3ee6eac756e6d1bc713e750a0f5193b7ae4434af32a76224f1745ea2d6f
Opcode Fuzzy Hash: f17b71df0218d619a077aac27e4fb1d7d575ab2d60298a1ed955ddff432d5d5f
Instruction Fuzzy Hash: 5E315C75600304ABEB10EF54EC88FAA77BAFB59312F50C226F905D61A1D7BC9D418B68

Function 006DFA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 006DFAA6
OleUninitialize.OLE32(?,00000000), ref: 006DFB45
UnregisterHotKey.USER32(?), ref: 006DFC9C
DestroyWindow.USER32(?), ref: 007145D6
FreeLibrary.KERNEL32(?), ref: 0071463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00714668

Strings

close all, xrefs: 006DFAA1

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: d19b88c16e25555370a70a68733f78836b69c1c1fda6b091f9fa009bd35f176f
Instruction ID: 9ed72815e47b08658939b6c288f168da8ba324f470f47699eecb391131b0f3ad
Opcode Fuzzy Hash: d19b88c16e25555370a70a68733f78836b69c1c1fda6b091f9fa009bd35f176f
Instruction Fuzzy Hash: DBA19330701212CFDB19EF14C595AA9F366BF15704F1442AEE80AAB3A2DB34ED52CF54

Function 0072A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0072A439), ref: 0072A377

Strings

REGEXPCLASS, xrefs: 0072A13C
INSTANCE, xrefs: 0072A285
NAME, xrefs: 0072A1A9
CLASSNN, xrefs: 0072A119
CLASS, xrefs: 0072A0F6
TEXT, xrefs: 0072A2AE

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 5520876c6f3dbea56a39a0cef2a72a6615fc4f60cd985cc06989c1b8d2851801
Instruction ID: ccd347a332aa90105174133f86280749ace37ded1fb13f272d9291e116704fc9
Opcode Fuzzy Hash: 5520876c6f3dbea56a39a0cef2a72a6615fc4f60cd985cc06989c1b8d2851801
Instruction Fuzzy Hash: 92910631A0061AFBDB48EFA0D441BEDFBB6BF44300F50811DD95AA7242DF34A999CB95

Function 006D2E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 006D2EAE

Part of subcall function 006D1DB3: GetClientRect.USER32(?,?), ref: 006D1DDC
Part of subcall function 006D1DB3: GetWindowRect.USER32(?,?), ref: 006D1E1D
Part of subcall function 006D1DB3: ScreenToClient.USER32(?,?), ref: 006D1E45

GetDC.USER32 ref: 0070CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0070CD45
SelectObject.GDI32(00000000,00000000), ref: 0070CD53
SelectObject.GDI32(00000000,00000000), ref: 0070CD68
ReleaseDC.USER32(?,00000000), ref: 0070CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0070CDFB

Strings

U, xrefs: 0070CCD0

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 7560d11e52c1a63990a088d06dd9a937f8b268ca2738227470efcc78237f6b20
Instruction ID: 787be8cfd4794944578b8a187c5ac3542740015597e76a0adfa38618dde9ec96
Opcode Fuzzy Hash: 7560d11e52c1a63990a088d06dd9a937f8b268ca2738227470efcc78237f6b20
Instruction Fuzzy Hash: 8D71D131900205EFCF228F64CC94AEA7BF6FF58320F14837AED555A2A6C7398841DB60

Function 00756D80 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00756E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00756E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00756E52
_wcscat.LIBCMT ref: 00756EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00756EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00756EF2

Strings

-----, xrefs: 00756EA5
SysListView32, xrefs: 00756DF6

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: -----$SysListView32
API String ID: 307300125-3975388722
Opcode ID: 1d786eeac84b60418669eda903c021a79b6d2c8bd4bd533927e0c344241a86c1
Instruction ID: 22ddbd8e31d0c1eceeb41b1ed95163f6465c49dab8b32eb26aadd959b87234b3
Opcode Fuzzy Hash: 1d786eeac84b60418669eda903c021a79b6d2c8bd4bd533927e0c344241a86c1
Instruction Fuzzy Hash: 2A41A470A00348EBEF219F64CC45BEE77F9EF08351F50442AF944D7191D6B99D888B64

Function 00741A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00741A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00741A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00741ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00741AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00741AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00741B10
InternetCloseHandle.WININET(00000000), ref: 00741B57

Part of subcall function 00742483: GetLastError.KERNEL32(?,?,00741817,00000000,00000000,00000001), ref: 00742498
Part of subcall function 00742483: SetEvent.KERNEL32(?,?,00741817,00000000,00000000,00000001), ref: 007424AD

Strings

, xrefs: 00741B01

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: bebfc8910a7cf89c4a450f6953258d6c7ee42d5f5dab00ce71b77f48eff6b491
Instruction ID: 30186ad5aefee3f792d79dcb27cbe2b28a393b85f69801ac06b4ff714611b80b
Opcode Fuzzy Hash: bebfc8910a7cf89c4a450f6953258d6c7ee42d5f5dab00ce71b77f48eff6b491
Instruction Fuzzy Hash: D14184B1501218BFEB119F60CC89FFB7BACEF08355F408126F9059A141E7B89E94DBA4

Function 00748C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0075F910), ref: 00748D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0075F910), ref: 00748D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00748ED6
SysFreeString.OLEAUT32(?), ref: 00748F00

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 40e5c6561c28070ec288fc11c14143c414dd51851b6f12028f96e9b84844c531
Instruction ID: 70c02135eb961fb53eae2023628e87fd24ecc4f67bf44549c9ce8c9618e18bc2
Opcode Fuzzy Hash: 40e5c6561c28070ec288fc11c14143c414dd51851b6f12028f96e9b84844c531
Instruction Fuzzy Hash: 7EF15A71A00219EFCF44DF94C888EAEB7B9FF49314F108499F905AB261DB35AE45CB61

Function 0074F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0074F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0074F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0074F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0074F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0074F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0074FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0074FA7C
CloseHandle.KERNEL32(?), ref: 0074FAAB
CloseHandle.KERNEL32(?), ref: 0074FB22

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 4fa54e7a4a123a820b026dec746cb9943c91c367574c15eceaa6e4b619fb82a8
Instruction ID: 0727731970e1af8bc1d616413d07e9bd7f4b4a7d84877e03d4b2f086340707ad
Opcode Fuzzy Hash: 4fa54e7a4a123a820b026dec746cb9943c91c367574c15eceaa6e4b619fb82a8
Instruction Fuzzy Hash: 37E1BD316043419FD714EF34C895B6ABBE2EF85314F14896EF8998B2A2CB35EC41CB56

Function 006D201B Relevance: 13.7, APIs: 9, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 006D1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,006D2036,?,00000000,?,?,?,?,006D16CB,00000000,?), ref: 006D1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 006D20D3
KillTimer.USER32(-00000001,?,?,?,?,006D16CB,00000000,?,?,006D1AE2,?,?), ref: 006D216E
DestroyAcceleratorTable.USER32(00000000), ref: 0070BCA6
DeleteObject.GDI32(00000000), ref: 0070BD1C

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 2402799130-0
Opcode ID: 632a9d78a077c4793973357059b88f759bc1e54799405adbdc9dda162dd47433
Instruction ID: 6d65bfbde8385509c47eb72e8f7d73c1d5cf5ce198bd0cba2e8969a07b93a3a3
Opcode Fuzzy Hash: 632a9d78a077c4793973357059b88f759bc1e54799405adbdc9dda162dd47433
Instruction Fuzzy Hash: 2961AE30900B11DFDB26AF14DD58B66B7F2FB64312F10852AE5424B6A0C7B8A992DB54

Function 00734CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0073466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00733697,?), ref: 0073468B

Part of subcall function 0073466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00733697,?), ref: 007346A4

Part of subcall function 00734A31: GetFileAttributesW.KERNEL32(?,0073370B), ref: 00734A32

lstrcmpiW.KERNEL32(?,?), ref: 00734D40
_wcscmp.LIBCMT ref: 00734D5A
MoveFileW.KERNEL32(?,?), ref: 00734D75

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 965f18f68220f7717a66c5958ab15d7b9063adbef0d3edbdf165e231b8fe3156
Instruction ID: 7efcff2fd38a5340add7eaeb229a9f10003230433cdac5504e1492e67ab48dc5
Opcode Fuzzy Hash: 965f18f68220f7717a66c5958ab15d7b9063adbef0d3edbdf165e231b8fe3156
Instruction Fuzzy Hash: EE5152B25083899BD764DBA0D8959DFB3ECAF84310F00492FF685D3152EE74B588CB5A

Function 00758645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 007586FF

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 9c0be3cfc74b7d61ba256695cb86197cda4de34fac351c94243e6df3d5cabdbf
Instruction ID: 16d634060d6386a5afccf5aae4cac91648dc6c41138f4e74f7db7838caa2623f
Opcode Fuzzy Hash: 9c0be3cfc74b7d61ba256695cb86197cda4de34fac351c94243e6df3d5cabdbf
Instruction Fuzzy Hash: E951B430500244BFEBA09B65CC89FDD3BA5EB05312F604516FD11F61A1CFF9A948CB46

Function 006D2B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0070C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0070C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0070C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0070C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0070C370
DestroyCursor.USER32(00000000), ref: 0070C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0070C39C
DestroyCursor.USER32(?), ref: 0070C3AB

Part of subcall function 0075A4AF: DeleteObject.GDI32(00000000), ref: 0075A4E8

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: CursorDestroyExtractIconImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2975913752-0
Opcode ID: 05e7a3bfd3df735c33eeb0744d26afa7f713946c5bef2f70ede2ed5ee4d11fe6
Instruction ID: 96548a099a99dc5a55d6968445f97e2b378943e06327d8a32b71aa8b29e9a35c
Opcode Fuzzy Hash: 05e7a3bfd3df735c33eeb0744d26afa7f713946c5bef2f70ede2ed5ee4d11fe6
Instruction Fuzzy Hash: 62516A70A10206EFDB21DF64CC95FAA7BE6EB58311F10862AF902973D0D7B4AD91DB50

Function 0072966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0072A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0072A84C
Part of subcall function 0072A82C: GetCurrentThreadId.KERNEL32 ref: 0072A853
Part of subcall function 0072A82C: AttachThreadInput.USER32(00000000,?,00729683,?,00000001), ref: 0072A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 0072968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007296AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 007296AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 007296B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 007296D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 007296D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 007296E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 007296F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 007296FB

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: ef5a76a4637177f25c0cfb5f011dba5798821f36f1f783a069a90816c84d22bd
Instruction ID: 1e470e79fdb475ef47c3fb3f4748aded4d4dae78b5bd689c73e41a5b4caf31b9
Opcode Fuzzy Hash: ef5a76a4637177f25c0cfb5f011dba5798821f36f1f783a069a90816c84d22bd
Instruction Fuzzy Hash: 5B11A1B1950618FFF6106F60EC8DFAA7B6DEB4C752F114425F344AB0A0C9F65C50DAA8

Function 00728921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0072853C,00000B00,?,?), ref: 0072892A
RtlAllocateHeap.NTDLL(00000000,?,0072853C), ref: 00728931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0072853C,00000B00,?,?), ref: 00728946
GetCurrentProcess.KERNEL32(?,00000000,?,0072853C,00000B00,?,?), ref: 0072894E
DuplicateHandle.KERNEL32(00000000,?,0072853C,00000B00,?,?), ref: 00728951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0072853C,00000B00,?,?), ref: 00728961
GetCurrentProcess.KERNEL32(0072853C,00000000,?,0072853C,00000B00,?,?), ref: 00728969
DuplicateHandle.KERNEL32(00000000,?,0072853C,00000B00,?,?), ref: 0072896C
CreateThread.KERNEL32(00000000,00000000,00728992,00000000,00000000,00000000), ref: 00728986

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
String ID:
API String ID: 1422014791-0
Opcode ID: 454d9102746aca358bc831f5c2f6313efd2dc175a37b78fc7a69293d3d433a84
Instruction ID: 9e54cf814b2848a668270a0496906ae85eb49e6e42b5114603ca065e3846a13e
Opcode Fuzzy Hash: 454d9102746aca358bc831f5c2f6313efd2dc175a37b78fc7a69293d3d433a84
Instruction Fuzzy Hash: 0E01BBB5240748FFE710ABA5DC4DFAB3BACEB89711F408421FA05DB1A1CAB59C00CB25

Function 00749B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00749BA4, 00749EC8
Not an Object type, xrefs: 00749B7B

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 6fb317c6e70814f834e3c938fcc2e6ab30e32430940726ba8d9c5f3e0448c68b
Instruction ID: b12261ee3648f3663aa3ab122336b11eea872f152c41e95e99e29876d1aa27a9
Opcode Fuzzy Hash: 6fb317c6e70814f834e3c938fcc2e6ab30e32430940726ba8d9c5f3e0448c68b
Instruction Fuzzy Hash: 46C18371A002199FDF14DF68D884AAFB7F5FF48314F148469EA05A7281E7789D45CBA0

Function 0074975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 0072710A: CLSIDFromProgID.COMBASE ref: 00727127
Part of subcall function 0072710A: ProgIDFromCLSID.COMBASE(?,00000000), ref: 00727142
Part of subcall function 0072710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00727044,80070057,?,?), ref: 00727150
Part of subcall function 0072710A: CoTaskMemFree.COMBASE(00000000), ref: 00727160

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00749806
_memset.LIBCMT ref: 00749813
_memset.LIBCMT ref: 00749956
CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000000), ref: 00749982
CoTaskMemFree.COMBASE(?), ref: 0074998D

Strings

NULL Pointer assignment, xrefs: 007499DB

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 8f68225d5a989eedc3193d8cb64551db94a205679e5ee3d4b8e4bc8e02dbcda7
Instruction ID: 909b379d5c3600f347b603509c4f39e8ca6aaeb6c5ff63d731b1682b4024e1e2
Opcode Fuzzy Hash: 8f68225d5a989eedc3193d8cb64551db94a205679e5ee3d4b8e4bc8e02dbcda7
Instruction Fuzzy Hash: 38914971D00229EBDB10DFA5DC45EDEBBB9BF08310F10815AF519A7281EB75AA44CFA0

Function 0074E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00733C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00733C7A
Part of subcall function 00733C55: Process32FirstW.KERNEL32(00000000,?), ref: 00733C88
Part of subcall function 00733C55: CloseHandle.KERNEL32(00000000), ref: 00733D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0074E9A4
GetLastError.KERNEL32 ref: 0074E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0074E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 0074EA63
GetLastError.KERNEL32(00000000), ref: 0074EA6E
CloseHandle.KERNEL32(00000000), ref: 0074EAA3

Strings

SeDebugPrivilege, xrefs: 0074E9C2

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: bf5d2f0bfd2484310f3527f170d7b252ebce8b0fa1fcc1a3ee1690668c709f63
Instruction ID: c2dea40da0ed1663908821678bbdaf363a93bc515df51dd1591f9b0065e8dca8
Opcode Fuzzy Hash: bf5d2f0bfd2484310f3527f170d7b252ebce8b0fa1fcc1a3ee1690668c709f63
Instruction Fuzzy Hash: E0416A717002019FDB14EF24DC99B79BBA6BF40724F14845DF9429B3D2CBB9A904CB96

Function 00732F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00733033

Strings

blank, xrefs: 00732FB5
question, xrefs: 00732FEC
warning, xrefs: 0073301C
info, xrefs: 00732FD4
stop, xrefs: 00733004

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 47f8b5a07cdc7ffc599df93d7d63ab20ac53be971aaf412683705662df645e70
Instruction ID: a332052db2fc82667e6639dbc5fea7bcca87a2f2631cbba87b0da60b2f14fdbb
Opcode Fuzzy Hash: 47f8b5a07cdc7ffc599df93d7d63ab20ac53be971aaf412683705662df645e70
Instruction Fuzzy Hash: 1B11EB7178C34BBEF7289A54EC82CAB779DDF15360F20002AFA0066183DBBD5F4056A5

Function 007342F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00734312
LoadStringW.USER32(00000000), ref: 00734319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0073432F
LoadStringW.USER32(00000000), ref: 00734336
_wprintf.LIBCMT ref: 0073435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0073437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00734357

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 8b2f7fe555d81782e2e5cb16f473367f34faf312c4bf68acaf814054ea3cc392
Instruction ID: 0dd574fd64d841fc7e5219337a652eb5cdde752619dbd03b81a2f38a84a1299b
Opcode Fuzzy Hash: 8b2f7fe555d81782e2e5cb16f473367f34faf312c4bf68acaf814054ea3cc392
Instruction Fuzzy Hash: A2014FF290030CBFE751ABA0DD89EEB776CEB08301F4045A5FB45E2051EAB86E854B75

Function 006D2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0070C1C7,00000004,00000000,00000000,00000000), ref: 006D2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0070C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 006D2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0070C1C7,00000004,00000000,00000000,00000000), ref: 0070C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0070C1C7,00000004,00000000,00000000,00000000), ref: 0070C286

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 63e1062712fc34d154d87d59e7ba653b67577fd3f7e6651162a9bc286bceacbc
Instruction ID: 1a12ae8111a9be94c409b710b2e502cb3e618fa9125de7f749e3ac32dcfd5ef6
Opcode Fuzzy Hash: 63e1062712fc34d154d87d59e7ba653b67577fd3f7e6651162a9bc286bceacbc
Instruction Fuzzy Hash: 9A41D830A04782DAD7369B288CACBAB7B93FB65314F5CC91FE147867A1C6799842D710

Function 007370C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 007370DD

Part of subcall function 006F0DB6: std::exception::exception.LIBCMT ref: 006F0DEC
Part of subcall function 006F0DB6: __CxxThrowException@8.LIBCMT ref: 006F0E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00737114
RtlEnterCriticalSection.NTDLL(?), ref: 00737130
_memmove.LIBCMT ref: 0073717E
_memmove.LIBCMT ref: 0073719B
RtlLeaveCriticalSection.NTDLL(?), ref: 007371AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 007371BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 007371DE

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 51c3d744b48068243e20199bf2a55e5feaa49877740078f5ee174e8bdd4cbfa7
Instruction ID: f0a43c250632650153cd58a63b16659cbfb5eeb5dcc58d29f819c63262c17a72
Opcode Fuzzy Hash: 51c3d744b48068243e20199bf2a55e5feaa49877740078f5ee174e8bdd4cbfa7
Instruction Fuzzy Hash: 04317276900209EBDF50DFA4DC85AAEB779FF45310F1481A9EA049B247DB749E10CB64

Function 007561D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 007561EB
GetDC.USER32(00000000), ref: 007561F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007561FE
ReleaseDC.USER32(00000000,00000000), ref: 0075620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00756246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00756257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0075902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00756291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 007562B1

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: c5949db9193f6165976da4070654fa1a4ce40f4a07f9ad3bc3d9c0b0b7000f38
Instruction ID: 5d94e753a57c66e992269cd08f908396ddcc1a914124ff55f54a7009379786dd
Opcode Fuzzy Hash: c5949db9193f6165976da4070654fa1a4ce40f4a07f9ad3bc3d9c0b0b7000f38
Instruction Fuzzy Hash: 64314F72101614BFEB118F50CC8AFEB3BA9FF49766F044065FE089A191D6B99C41CB74

Function 006D1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc89e68e703447c042d4ce5fa8af88e77b50e7eaf30fed525ff6a51efe1ef684
Instruction ID: 34e7c2f86a5230c5f564205a78222f6a0422b3aea081a59ff05079ecf7a05eb3
Opcode Fuzzy Hash: dc89e68e703447c042d4ce5fa8af88e77b50e7eaf30fed525ff6a51efe1ef684
Instruction Fuzzy Hash: C0714B70900109FFCB149F98CC49AAEBBBAFF86314F14815AF915AB391C774AA51CB64

Function 0075B351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(011D3A10), ref: 0075B3EB
IsWindowEnabled.USER32(011D3A10), ref: 0075B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0075B4DB
SendMessageW.USER32(011D3A10,000000B0,?,?), ref: 0075B512
IsDlgButtonChecked.USER32(?,?), ref: 0075B54F
GetWindowLongW.USER32(011D3A10,000000EC), ref: 0075B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0075B589

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: db27498de01ca95152ca7ffba939f7ce7877a4836680648e20a750e3768377d1
Instruction ID: 41c2e1511b08ba2e184c90720a97f76c98a43b28ce90e2330ff07f2189652baa
Opcode Fuzzy Hash: db27498de01ca95152ca7ffba939f7ce7877a4836680648e20a750e3768377d1
Instruction Fuzzy Hash: 7A718B34600244EFDF319F94C894FFABBA9EF09302F148069ED45972A2C7B9AD49CB50

Function 0074F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0074F448
_memset.LIBCMT ref: 0074F511
ShellExecuteExW.SHELL32(?), ref: 0074F556

Part of subcall function 006D9837: __itow.LIBCMT ref: 006D9862
Part of subcall function 006D9837: __swprintf.LIBCMT ref: 006D98AC

Part of subcall function 006EFC86: _wcscpy.LIBCMT ref: 006EFCA9

GetProcessId.KERNEL32(00000000), ref: 0074F5CD
CloseHandle.KERNEL32(00000000), ref: 0074F5FC

Strings

@, xrefs: 0074F525

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 18927f201fcab7e433a476f63b90619f964e734a195843f417ee87422fbb5105
Instruction ID: c7788e2d4852eba46e3e380ab0e538a3851f56bcf7f524faddc0df7d50b375fe
Opcode Fuzzy Hash: 18927f201fcab7e433a476f63b90619f964e734a195843f417ee87422fbb5105
Instruction Fuzzy Hash: E9617C75E006599FCB14EF68C4819AEBBB6FF48310F14846EE855AB351CB34AD41CB94

Function 00730F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00730F8C
GetKeyboardState.USER32(?), ref: 00730FA1
SetKeyboardState.USER32(?), ref: 00731002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00731030
PostMessageW.USER32(?,00000101,00000011,?), ref: 0073104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00731095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 007310B8

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 5f658c9fae5d2526d087ce7678abe0f19771af6554d2144a1f32113d81131448
Instruction ID: e366055547cbb9c074aeda543d5370b898121d2d71c6b195a78c42525a08aa62
Opcode Fuzzy Hash: 5f658c9fae5d2526d087ce7678abe0f19771af6554d2144a1f32113d81131448
Instruction Fuzzy Hash: 5A5102A06047D67DFB3642348C19BBABFA96B06304F488989E1D4868D3C2DDECD8D761

Function 00730D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00730DA5
GetKeyboardState.USER32(?), ref: 00730DBA
SetKeyboardState.USER32(?), ref: 00730E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00730E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00730E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00730EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00730EC9

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 237f9159a163be2109b2ae1445eb9ae0ceb6ffde765e698eca85484a8bcdb67f
Instruction ID: bc4f342a59a86c98b4f64749c74387f673785cb7544b8d7afc7be0ab3351642c
Opcode Fuzzy Hash: 237f9159a163be2109b2ae1445eb9ae0ceb6ffde765e698eca85484a8bcdb67f
Instruction Fuzzy Hash: 1C51E4A06547D57DFB3693748C65BBABFE96B06300F088889E1D4468C3D399AC98D7A0

Function 007355FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0073560A
_wcsncpy.LIBCMT ref: 0073563F
_wcsncpy.LIBCMT ref: 00735671
_wcsncpy.LIBCMT ref: 007356A4
_wcsncpy.LIBCMT ref: 007356E6
_wcsncpy.LIBCMT ref: 00735720
_wcsncpy.LIBCMT ref: 0073574F

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 8c6ce1ed92129200595e5ccb7529e25558f1d6c65b307dfa7091e86c06331b63
Instruction ID: a57224ac78e2e9c7a9653c7cfc30714962826712b586bb0b53298566f7107d1f
Opcode Fuzzy Hash: 8c6ce1ed92129200595e5ccb7529e25558f1d6c65b307dfa7091e86c06331b63
Instruction Fuzzy Hash: 5041A565C11618B6DB51EBF48C469DFB3BDAF04310F50895AE608E3222FB34E245C7AA

Function 00733671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0073466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00733697,?), ref: 0073468B

Part of subcall function 0073466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00733697,?), ref: 007346A4

lstrcmpiW.KERNEL32(?,?), ref: 007336B7
_wcscmp.LIBCMT ref: 007336D3
MoveFileW.KERNEL32(?,?), ref: 007336EB
_wcscat.LIBCMT ref: 00733733
SHFileOperationW.SHELL32(?), ref: 0073379F

Strings

\*.*, xrefs: 0073372D

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: bdd6118dbbf4ce64cf9a679de557e1b02aa1ba631ff65d70267707ca8ff30e1b
Instruction ID: cf22f532da4158a5639bb9443adf09b2c0a8bf2932e69c5322c701402147d3b7
Opcode Fuzzy Hash: bdd6118dbbf4ce64cf9a679de557e1b02aa1ba631ff65d70267707ca8ff30e1b
Instruction Fuzzy Hash: 2941B3B1508344AED765EF64C4469DFB7E8EF88340F00092EF49AC3252EB38D689CB56

Function 00757291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007572AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00757351
IsMenu.USER32(?), ref: 00757369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007573B1
DrawMenuBar.USER32 ref: 007573C4

Strings

0, xrefs: 0075729E

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: e127cdad468ef78f295ccd03fe8f23bee2d4cd1560cdb0fc8c63299850bcd5cd
Instruction ID: f9584f27620159fbda228ae303baa90fe7febfb085346121d2cabbe99148aa66
Opcode Fuzzy Hash: e127cdad468ef78f295ccd03fe8f23bee2d4cd1560cdb0fc8c63299850bcd5cd
Instruction Fuzzy Hash: 70413571A04248AFDB20DF50E884ADABBB8FF04362F148029FD059B250D7B8AD18DB50

Function 00750FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00750FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00750FFE
FreeLibrary.KERNEL32(00000000), ref: 007510B5

Part of subcall function 00750FA5: RegCloseKey.ADVAPI32(?), ref: 0075101B
Part of subcall function 00750FA5: FreeLibrary.KERNEL32(?), ref: 0075106D
Part of subcall function 00750FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00751090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00751058

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 5fe6bc4b9542570ffc4073d84b7d616c3b75f1e891b0857588e8a94f0d6caef8
Instruction ID: 594c16e1a74477a977ca408cf68f506363248de7369ae0b49c4eda6b05dffe42
Opcode Fuzzy Hash: 5fe6bc4b9542570ffc4073d84b7d616c3b75f1e891b0857588e8a94f0d6caef8
Instruction Fuzzy Hash: 31312371900109FFDB15DF90DC89EFFB7BCEF04312F444169E905A2181EBB85E899AA4

Function 007562CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 007562EC
GetWindowLongW.USER32(011D3A10,000000F0), ref: 0075631F
GetWindowLongW.USER32(011D3A10,000000F0), ref: 00756354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00756386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 007563B0
GetWindowLongW.USER32(00000000,000000F0), ref: 007563C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 007563DB

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: a6998a2d04c22e542be6fdf1c0dccf7e0daf60c1410fc128420f03eea74d43a6
Instruction ID: f5347e30d7e0987885ba4d7051acc398658d852d2ace8b0ec8e8137d076d549a
Opcode Fuzzy Hash: a6998a2d04c22e542be6fdf1c0dccf7e0daf60c1410fc128420f03eea74d43a6
Instruction Fuzzy Hash: 2B311130600250EFEB21CF18DC84F9537E1FB4A716F5981A8F9018F2B2CBB9A848CB54

Function 0072DAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0072DB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0072DB54
SysAllocString.OLEAUT32(00000000), ref: 0072DB57
SysAllocString.OLEAUT32(?), ref: 0072DB75
SysFreeString.OLEAUT32(?), ref: 0072DB7E
StringFromGUID2.COMBASE(?,?,00000028), ref: 0072DBA3
SysAllocString.OLEAUT32(?), ref: 0072DBB1

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 24595e66739870260d883250fe13662fcd96f6b053c6bfda08bd9b34a59ee4ac
Instruction ID: 19384aab29f896d2d6feaf1b084b9a7b56fe7df3c903d4c9dc8f90dec14750ab
Opcode Fuzzy Hash: 24595e66739870260d883250fe13662fcd96f6b053c6bfda08bd9b34a59ee4ac
Instruction Fuzzy Hash: 64219576601219AFDF20DFA8DC84CFB73ACEB09360B018529FD14DB251D678EC418768

Function 00746173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00747D8B: inet_addr.WS2_32(00000000), ref: 00747DB6

socket.WS2_32(00000002,00000001,00000006), ref: 007461C6
WSAGetLastError.WS2_32(00000000), ref: 007461D5
ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 0074620E
connect.WSOCK32(00000000,?,00000010), ref: 00746217
WSAGetLastError.WS2_32 ref: 00746221
closesocket.WS2_32(00000000), ref: 0074624A
ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00746263

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 651231741d3dfb54931e01adcf49d8bf5b57610c97d044348e4ab15b3ef26dc2
Instruction ID: 074d7893f0cd6fc95c77a43447fcc9ddff063f9b0c7c8a6ddb9f2f66bd105eba
Opcode Fuzzy Hash: 651231741d3dfb54931e01adcf49d8bf5b57610c97d044348e4ab15b3ef26dc2
Instruction Fuzzy Hash: 6931A431600218ABDF10AF24CC85BBE77ADEF45711F048429F905E7291DBB8AC049B66

Function 0072F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0072F671
__wcsnicmp.LIBCMT ref: 0072F692
__wcsnicmp.LIBCMT ref: 0072F6AC

Strings

#requireadmin, xrefs: 0072F68C
#notrayicon, xrefs: 0072F669
#OnAutoItStartRegister, xrefs: 0072F6A6

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 2e4a993e87a4659115b7e96d27fc733b57e139d904e44167e593f2e0c2c0d5f3
Instruction ID: b40fb90dc40a67000cdcf37eef8e28c91e4d7dfb2eae8d636f4809a466ce4d99
Opcode Fuzzy Hash: 2e4a993e87a4659115b7e96d27fc733b57e139d904e44167e593f2e0c2c0d5f3
Instruction Fuzzy Hash: 042168B2204631A6D230BB34FC02EB773FAEF55740F94403EF94686292EB599D46C399

Function 0072DBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0072DC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0072DC2F
SysAllocString.OLEAUT32(00000000), ref: 0072DC32
SysAllocString.OLEAUT32 ref: 0072DC53
SysFreeString.OLEAUT32 ref: 0072DC5C
StringFromGUID2.COMBASE(?,?,00000028), ref: 0072DC76
SysAllocString.OLEAUT32(?), ref: 0072DC84

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: b0e2588e6d74d5eacb1f6539f25c11cdf491f4b878397559fc8abedf6a1f90c6
Instruction ID: ba3c4df1e304ab10087411a2bff27259100d4e291bde62097137e6dbd5133c79
Opcode Fuzzy Hash: b0e2588e6d74d5eacb1f6539f25c11cdf491f4b878397559fc8abedf6a1f90c6
Instruction Fuzzy Hash: 62215675605214AF9B20DFA8EC88DAB77ECEB09360B50C125F914CB261D6B8EC81C774

Function 007575CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 006D1D73
Part of subcall function 006D1D35: GetStockObject.GDI32(00000011), ref: 006D1D87
Part of subcall function 006D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 006D1D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00757632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0075763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0075764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00757659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00757665

Strings

Msctls_Progress32, xrefs: 00757603

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 124b15e34cba8a4a41c14f3733eb6419abc708ea3ba91545fd5a6585b710b244
Instruction ID: 5cf06419ae35ec291d52c9f3b1f84b5cb9becf993f6a33773e94c822476001cf
Opcode Fuzzy Hash: 124b15e34cba8a4a41c14f3733eb6419abc708ea3ba91545fd5a6585b710b244
Instruction Fuzzy Hash: C011B6B1150219BFEF159F64CC85EE77F5DEF08798F014115FA04A6050C7B6AC21DBA4

Function 006F9AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 006F9AE6

Part of subcall function 006F3187: RtlEncodePointer.NTDLL(00000000), ref: 006F318A
Part of subcall function 006F3187: __initp_misc_winsig.LIBCMT ref: 006F31A5
Part of subcall function 006F3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 006F9EA0
Part of subcall function 006F3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 006F9EB4
Part of subcall function 006F3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 006F9EC7
Part of subcall function 006F3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 006F9EDA
Part of subcall function 006F3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 006F9EED
Part of subcall function 006F3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 006F9F00
Part of subcall function 006F3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 006F9F13
Part of subcall function 006F3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 006F9F26
Part of subcall function 006F3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 006F9F39
Part of subcall function 006F3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 006F9F4C
Part of subcall function 006F3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 006F9F5F
Part of subcall function 006F3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 006F9F72
Part of subcall function 006F3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 006F9F85
Part of subcall function 006F3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 006F9F98
Part of subcall function 006F3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 006F9FAB
Part of subcall function 006F3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 006F9FBE

__mtinitlocks.LIBCMT ref: 006F9AEB
__mtterm.LIBCMT ref: 006F9AF4

Part of subcall function 006F9B5C: RtlDeleteCriticalSection.NTDLL(00000000), ref: 006F9C56
Part of subcall function 006F9B5C: _free.LIBCMT ref: 006F9C5D
Part of subcall function 006F9B5C: RtlDeleteCriticalSection.NTDLL(02y), ref: 006F9C7F

__calloc_crt.LIBCMT ref: 006F9B19
__initptd.LIBCMT ref: 006F9B3B
GetCurrentThreadId.KERNEL32 ref: 006F9B42

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 576944c275448d427127f4626d2ea9b8e59cd24ad418457b307bef95a9071992
Instruction ID: 9e24466bc30171cd71eddad91d0fd0de0b27972e138b71803f4a402244d3d6e8
Opcode Fuzzy Hash: 576944c275448d427127f4626d2ea9b8e59cd24ad418457b307bef95a9071992
Instruction Fuzzy Hash: D9F0F032519B191AE6B47778BC07BBB36839F02334F304A1DF720C62D6EF60944006B8

Function 006F406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,006F3F85), ref: 006F4085
GetProcAddress.KERNEL32(00000000), ref: 006F408C
RtlEncodePointer.NTDLL(00000000), ref: 006F4097
RtlDecodePointer.NTDLL(006F3F85), ref: 006F40B2

Strings

RoUninitialize, xrefs: 006F4074
combase.dll, xrefs: 006F4080

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 28458a5489e656716dfab9f32a9f893729f919b6219116c2f89eb6e6a3438922
Instruction ID: ace37eb8385f8bddce1b0125cd3850274287e498df83083f0895a75db0d13d86
Opcode Fuzzy Hash: 28458a5489e656716dfab9f32a9f893729f919b6219116c2f89eb6e6a3438922
Instruction Fuzzy Hash: 22E0BFB0681B08EFEB60AF61EC0DB963AA5B704743F10C125F506D11B0CFBE4601CA1C

Function 00746B76 Relevance: 9.2, APIs: 6, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bae951d5534a8e3f72771c9f1c53bbff5846610a21c64ca1ea63cbe5899e5c62
Instruction ID: 7f25a211625d78e2bcf9a3b22f07a14ce8d9db9d6364a87780cb8e143f9dce95
Opcode Fuzzy Hash: bae951d5534a8e3f72771c9f1c53bbff5846610a21c64ca1ea63cbe5899e5c62
Instruction Fuzzy Hash: 1B61D071A04300ABCB50EB24CC86E6FB7EAEF85714F10491EF5569B292DB74ED04CB96

Function 007364B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0073660B
_memmove.LIBCMT ref: 00736546

Part of subcall function 006D9837: __itow.LIBCMT ref: 006D9862
Part of subcall function 006D9837: __swprintf.LIBCMT ref: 006D98AC

_memmove.LIBCMT ref: 007365B9
_memmove.LIBCMT ref: 007366A0
_memmove.LIBCMT ref: 007366B9
_memmove.LIBCMT ref: 007366D5

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 7a9d2276f8bc6090ad2ff2e4bc0facee7f220cdfea25bb18be49390af5a0a179
Instruction ID: 7379b0204dc505cbd57745b00b5fcba6021f7a1f50df6aac62759050e049f0b4
Opcode Fuzzy Hash: 7a9d2276f8bc6090ad2ff2e4bc0facee7f220cdfea25bb18be49390af5a0a179
Instruction Fuzzy Hash: E661AE3190025AABEF41EF60CC82EFE37A6AF05308F04856AF9555B293DB38DD05DB64

Function 007501E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006D7DE1: _memmove.LIBCMT ref: 006D7E22

Part of subcall function 00750E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0074FDAD,?,?), ref: 00750E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007502BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007502FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00750320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00750349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0075038C
RegCloseKey.ADVAPI32(00000000), ref: 00750399

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 5eb1ce7bea529af90c15d2e5bd99ca9b6dffadbce76a5739886b49eb5ffd0414
Instruction ID: 878c4967efef50ed559c65918e8b4a96a7945e96a7f87f639172e7f3276167bc
Opcode Fuzzy Hash: 5eb1ce7bea529af90c15d2e5bd99ca9b6dffadbce76a5739886b49eb5ffd0414
Instruction Fuzzy Hash: 0C516A31508344AFC710EF64C885EAEBBE9FF84314F04491EF9458B2A2DB75E909CB96

Function 00755799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 007557FB
GetMenuItemCount.USER32(00000000), ref: 00755832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0075585A
GetMenuItemID.USER32(?,?), ref: 007558C9
GetSubMenu.USER32(?,?), ref: 007558D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00755928

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 1e21881a59bb95f7e2ec1689974992577d50212560138431c1d159299170cdb4
Instruction ID: 9b689f9f1b2ff420602a76ac41b8a2e7a09c27cb9ef8030bcc71b530ee35f070
Opcode Fuzzy Hash: 1e21881a59bb95f7e2ec1689974992577d50212560138431c1d159299170cdb4
Instruction Fuzzy Hash: 51516B31E00619EFDF11EF64C855AEEB7B5EF48321F104069EC01AB351CBB8AE418B94

Function 0072EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0072EF06
VariantClear.OLEAUT32(00000013), ref: 0072EF78
VariantClear.OLEAUT32(00000000), ref: 0072EFD3
_memmove.LIBCMT ref: 0072EFFD
VariantClear.OLEAUT32(?), ref: 0072F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0072F078

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 98feca02f5e7106f165e11c45b974257c4359c0516c1d2d0d8945cff3c750b12
Instruction ID: c901dda7759a128b216bf9f0060c055affb39907561d193ecf370c79c42a6b2f
Opcode Fuzzy Hash: 98feca02f5e7106f165e11c45b974257c4359c0516c1d2d0d8945cff3c750b12
Instruction Fuzzy Hash: CC516AB5A00219EFDB24DF58D884AAAB7B8FF4C314B158569ED59DB301E334E911CFA0

Function 0073220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00732258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007322A3
IsMenu.USER32(00000000), ref: 007322C3
CreatePopupMenu.USER32 ref: 007322F7
GetMenuItemCount.USER32(000000FF), ref: 00732355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00732386

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 4616de7de83bd1f5d006c93edfd3fcf319fce671b3b1ed2919e122423ddf46fc
Instruction ID: f4e6c837c3b82978d5dfba78b4cd6594ca0f2e6667ba12e4141d07b8622f35e0
Opcode Fuzzy Hash: 4616de7de83bd1f5d006c93edfd3fcf319fce671b3b1ed2919e122423ddf46fc
Instruction Fuzzy Hash: 5A51AE70601309DBEF21DF68D888BAEBBF5BF45314F108129E851A7293D3BD9946CB51

Function 006D1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 006D2612: GetWindowLongW.USER32(?,000000EB), ref: 006D2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 006D179A
GetWindowRect.USER32(?,?), ref: 006D17FE
ScreenToClient.USER32(?,?), ref: 006D181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 006D182C
EndPaint.USER32(?,?), ref: 006D1876

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: e2c77557b32ea9cb008dbee1e0fdce98fef168114892c61873435de0cb824f46
Instruction ID: 64400055d35acad4293440a725db9ed7aae8f9fa0960179b11dfef3c80d90a37
Opcode Fuzzy Hash: e2c77557b32ea9cb008dbee1e0fdce98fef168114892c61873435de0cb824f46
Instruction Fuzzy Hash: FD41BD30900700EFD711DF24CC84FBA7BE9EB46724F04822AF9A48B2B1C7B59946DB65

Function 0075B69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(007957B0,00000000,011D3A10,?,?,007957B0,?,0075B5A8,?,?), ref: 0075B712
EnableWindow.USER32(00000000,00000000), ref: 0075B736
ShowWindow.USER32(007957B0,00000000,011D3A10,?,?,007957B0,?,0075B5A8,?,?), ref: 0075B796
ShowWindow.USER32(00000000,00000004,?,0075B5A8,?,?), ref: 0075B7A8
EnableWindow.USER32(00000000,00000001), ref: 0075B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0075B7EF

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 52a740be4e1992caba246c70d4c71555f08b288b5532518a3a74ca0f3be276c6
Instruction ID: ca39eb814db61406482d22be7511b4f0a1cc1b49d02e2b882b6a8cc1da04d76b
Opcode Fuzzy Hash: 52a740be4e1992caba246c70d4c71555f08b288b5532518a3a74ca0f3be276c6
Instruction Fuzzy Hash: 9C417734500244EFDB21CF24C499BE47BE1FF49312F5845BAED488F562C7B5A859CB50

Function 0074709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00744E41,?,?,00000000,00000001), ref: 007470AC

Part of subcall function 007439A0: GetWindowRect.USER32(?,?), ref: 007439B3

GetDesktopWindow.USER32 ref: 007470D6
GetWindowRect.USER32(00000000), ref: 007470DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0074710F

Part of subcall function 00735244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007352BC

GetCursorPos.USER32(?), ref: 0074713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00747199

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 820672f9e688973fbc0fd98a81e3420fc609ec07fa5b2ee7a86b51570d6717c0
Instruction ID: 9189c704ee4818a76c0f1519c7bad59ae25283ecc3a21f2068f04d0e34557385
Opcode Fuzzy Hash: 820672f9e688973fbc0fd98a81e3420fc609ec07fa5b2ee7a86b51570d6717c0
Instruction Fuzzy Hash: DC31E472509309ABD724DF14C849F9BB7E9FFC8314F000919F585A7191D778EA09CB96

Function 0073EB23 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 006D9837: __itow.LIBCMT ref: 006D9862
Part of subcall function 006D9837: __swprintf.LIBCMT ref: 006D98AC

Part of subcall function 006EFC86: _wcscpy.LIBCMT ref: 006EFCA9

_wcstok.LIBCMT ref: 0073EC94
_wcscpy.LIBCMT ref: 0073ED23
_memset.LIBCMT ref: 0073ED56

Strings

X, xrefs: 0073ED93

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 57b855c246a78189b8de0cc5f79bfef50b1dfe0a522506029b851385513db5a1
Instruction ID: dc57a1a2f5400bea867de073d7a21d998dd1cf93f92d0e46d2fc4547a29c85d0
Opcode Fuzzy Hash: 57b855c246a78189b8de0cc5f79bfef50b1dfe0a522506029b851385513db5a1
Instruction Fuzzy Hash: 4AC190719083419FD794EF24C885A6AB7E1AF85310F00492EF8999B3A2DB74EC05CB96

Function 00728879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007280A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007280C0
Part of subcall function 007280A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007280CA
Part of subcall function 007280A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007280D9
Part of subcall function 007280A9: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 007280E0
Part of subcall function 007280A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007280F6

GetLengthSid.ADVAPI32(?,00000000,0072842F), ref: 007288CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 007288D6
RtlAllocateHeap.NTDLL(00000000), ref: 007288DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 007288F6
GetProcessHeap.KERNEL32(00000000,00000000,0072842F), ref: 0072890A
HeapFree.KERNEL32(00000000), ref: 00728911

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 169236558-0
Opcode ID: 7d408b072b8c0c3363ebddce437e810c262914ebfcc25becb2580796853f00d7
Instruction ID: c6c9fa981409495b648957f974c32807fe051150ae5ff06dceea403d0c6221a2
Opcode Fuzzy Hash: 7d408b072b8c0c3363ebddce437e810c262914ebfcc25becb2580796853f00d7
Instruction Fuzzy Hash: 9D11B131512619FFDB509FA4EC09BFE7768EB44312F148028E895D7210CB7BAD40DB62

Function 0072B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0072B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 0072B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0072B7CD
ReleaseDC.USER32(00000000,00000000), ref: 0072B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0072B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 0072B7FE

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: b33dabc50623e48d0df76cd4c549a8a55b3e377b0e5cb84e1ec66484845ff130
Instruction ID: 0a01ac012dc642b633105e0e15460846d0c0ed163b34af4db2d8dcacc124ac96
Opcode Fuzzy Hash: b33dabc50623e48d0df76cd4c549a8a55b3e377b0e5cb84e1ec66484845ff130
Instruction Fuzzy Hash: 69018475E00319BBEB109BA69D49A5EBFB8EB48311F008076FA08A7291D6759C00CF91

Function 006F0162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 006F0193
MapVirtualKeyW.USER32(00000010,00000000), ref: 006F019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 006F01A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 006F01B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 006F01B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 006F01C1

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 4844013ab18127f6e25a90a5eb9af2ea5e36fd2e407e6cbdaa96d36aa2d53ad8
Instruction ID: 3b1d2d278ab6ea47de52b57e541a50a57173a653e47cab5954237c452027736b
Opcode Fuzzy Hash: 4844013ab18127f6e25a90a5eb9af2ea5e36fd2e407e6cbdaa96d36aa2d53ad8
Instruction Fuzzy Hash: E10148B0901759BDE3009F5A8C85A52FEA8FF19354F00411BE15847941C7F5A864CBE5

Function 007353E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 007353F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0073540F
GetWindowThreadProcessId.USER32(?,?), ref: 0073541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0073542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00735437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0073543E

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: e7327fdd9f8d66b0fbb88b4b9d0fa7674b41b25b01c4fa4295c842ef71e5dbee
Instruction ID: e9ae2bf822b65eeb92f0bfba054e1735165e0a4348776623e0fc6a0f69e19db1
Opcode Fuzzy Hash: e7327fdd9f8d66b0fbb88b4b9d0fa7674b41b25b01c4fa4295c842ef71e5dbee
Instruction Fuzzy Hash: CCF03032241658BBE7215BA2DC0DEEF7F7CEFC6B12F004169FA04D2061D7E91A0186B9

Function 00737230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00737243
RtlEnterCriticalSection.NTDLL(?), ref: 00737254
TerminateThread.KERNEL32(00000000,000001F6,?,006E0EE4,?,?), ref: 00737261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,006E0EE4,?,?), ref: 0073726E

Part of subcall function 00736C35: CloseHandle.KERNEL32(00000000,?,0073727B,?,006E0EE4,?,?), ref: 00736C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00737281
RtlLeaveCriticalSection.NTDLL(?), ref: 00737288

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: dd4317222513a3881e0977b5018d0ca68db3a9fa19b4d87f40226662c3ca4c30
Instruction ID: db44a4562c7f4c2a2bba6c16e64bd0c1abbf038133930e98074c3a94a6970e30
Opcode Fuzzy Hash: dd4317222513a3881e0977b5018d0ca68db3a9fa19b4d87f40226662c3ca4c30
Instruction Fuzzy Hash: 81F017B6541712EBEA122B64ED4C9DF7729BB45702F104521F502914A1CBAE5801CA64

Function 007485ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00748613
CharUpperBuffW.USER32(?,?), ref: 00748722
VariantClear.OLEAUT32(?), ref: 0074889A

Part of subcall function 00737562: VariantInit.OLEAUT32(00000000), ref: 007375A2
Part of subcall function 00737562: VariantCopy.OLEAUT32(00000000,?), ref: 007375AB
Part of subcall function 00737562: VariantClear.OLEAUT32(00000000), ref: 007375B7

Strings

AUTOIT.ERROR, xrefs: 00748728
Incorrect Parameter format, xrefs: 0074864B, 0074880D

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 28df5cb2ab4c4abeeaa2f1c5f8ba68aa1717b04cb99116bdf74ebaab59e67704
Instruction ID: 1c90df64919b53f5e66a50c3961778046c6361cf47e95c41db819bb1ca4efa9e
Opcode Fuzzy Hash: 28df5cb2ab4c4abeeaa2f1c5f8ba68aa1717b04cb99116bdf74ebaab59e67704
Instruction Fuzzy Hash: 0A919E71A04345DFC790DF24C48496EBBE5EF89714F14892EF89A8B362DB34E905CB92

Function 00732A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006EFC86: _wcscpy.LIBCMT ref: 006EFCA9

_memset.LIBCMT ref: 00732B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00732BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00732C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00732C97

Strings

0, xrefs: 00732B73

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 78d9ec8ad5ced3662bf47e72519e1231e94bb9911c224e41f4306ad757f7a6fd
Instruction ID: 724bb7a76cdd8c2328f1233320113fc9aa1556949c4a15c63eb9f283bb257a69
Opcode Fuzzy Hash: 78d9ec8ad5ced3662bf47e72519e1231e94bb9911c224e41f4306ad757f7a6fd
Instruction Fuzzy Hash: D45100B16083019BE7659F28D844A6FB7E4EF44310F045A2EF881D31A3EB78CD068766

Function 006E3137 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006E3277
_memmove.LIBCMT ref: 006E3310
_free.LIBCMT ref: 006E3336
_memmove.LIBCMT ref: 006E33E9

Strings

_n, xrefs: 006E3322
3cn, xrefs: 006E3225

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: _memmove$_free
String ID: 3cn$_n
API String ID: 2620147621-1566527804
Opcode ID: 7073fd949349b733b6e232aca65390645a8963e2079e8ab45a4f1f3011a2dce2
Instruction ID: cd1959a4c53521b084fb40412f755090b7d2fe5cef891135bb64cf157e9ad99e
Opcode Fuzzy Hash: 7073fd949349b733b6e232aca65390645a8963e2079e8ab45a4f1f3011a2dce2
Instruction Fuzzy Hash: 7C519B716053918FDB24CF29C845BAEBBE6FF85310F08492CE98987391EB31E945CB42

Function 0072D56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 0072D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0072D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0072D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0072D69D

Strings

DllGetClassObject, xrefs: 0072D610

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 61b07b70243744ae171da50278a7828ce1726a64bd7e8acb6675911bffae71e7
Instruction ID: c4b7b29aae5251cfc0a788a5f4028de8586298229874d58803e6957a5f358b76
Opcode Fuzzy Hash: 61b07b70243744ae171da50278a7828ce1726a64bd7e8acb6675911bffae71e7
Instruction Fuzzy Hash: F941B3B1600214EFDB25DF64D884A9A7BBAEF44350F1580ADEC09DF205D7B9DE44CBA0

Function 00732753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007327C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 007327DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00732822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00795890,00000000), ref: 0073286B

Strings

0, xrefs: 007327B5

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 548ec845a240d143106c995bf99c54fe2b4503d7d67f273b7aeeedfbc8b43120
Instruction ID: a3143bf20138ddfdb08affaa355e5b146156fec4122fa4419ec61e3ac0ec74f6
Opcode Fuzzy Hash: 548ec845a240d143106c995bf99c54fe2b4503d7d67f273b7aeeedfbc8b43120
Instruction Fuzzy Hash: 4141B2702043019FE720DF24C844B9ABBE5EF85314F14492EF9A597293D778E906CB66

Function 0074D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0074D7C5

Part of subcall function 006D784B: _memmove.LIBCMT ref: 006D7899

Strings

winapi, xrefs: 0074D836
stdcall, xrefs: 0074D847
cdecl, xrefs: 0074D81C
none, xrefs: 0074D8A0

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: dadad0b517d31b6801fa6127b0dcfb2f02e36c83e9a50c8d0c6bdf04ffc0bb2f
Instruction ID: 5b3bda57a7b54e39bb585ba387f37a9970d17100106498b2757c150f92b88eb2
Opcode Fuzzy Hash: dadad0b517d31b6801fa6127b0dcfb2f02e36c83e9a50c8d0c6bdf04ffc0bb2f
Instruction Fuzzy Hash: 42318F71904619ABDF10EF59C8519FEB3BAFF04320B10862EE866977D2DB75AD05CB80

Function 00728E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006D7DE1: _memmove.LIBCMT ref: 006D7E22

Part of subcall function 0072AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0072AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00728F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00728F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00728F57

Part of subcall function 006D7BCC: _memmove.LIBCMT ref: 006D7C06

Strings

ComboBox, xrefs: 00728E9E
ListBox, xrefs: 00728ED3

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: d105f7ec5fe4af14ef524705647e17709758d6d48a1400f45a42c957b606889f
Instruction ID: 437e726f82da97697c018a2eb3bc3d9a0c14be8d33a6130d6b3a11984f8ce4b9
Opcode Fuzzy Hash: d105f7ec5fe4af14ef524705647e17709758d6d48a1400f45a42c957b606889f
Instruction Fuzzy Hash: 4E210471A01108BEEB54ABB0DC85DFFB76ADF05320F14811AF821A72E1DF3E4909D611

Function 0074182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0074184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00741872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 007418A2
InternetCloseHandle.WININET(00000000), ref: 007418E9

Part of subcall function 00742483: GetLastError.KERNEL32(?,?,00741817,00000000,00000000,00000001), ref: 00742498
Part of subcall function 00742483: SetEvent.KERNEL32(?,?,00741817,00000000,00000000,00000001), ref: 007424AD

Strings

, xrefs: 00741893

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 5ac52756e34b33c7aab6ce26f97cfe8491bf9db2520bad3ede72ec9754e9bd68
Instruction ID: ac512c63b88187d65ad95da86d7933ba4ecb3da945eaa979763c3fd00ba0c3df
Opcode Fuzzy Hash: 5ac52756e34b33c7aab6ce26f97cfe8491bf9db2520bad3ede72ec9754e9bd68
Instruction Fuzzy Hash: F921D1B1500308BFEB11AF64CC89EBF77EDEB48755F50812AF805E3240EB689D4597A4

Function 007563E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 006D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 006D1D73
Part of subcall function 006D1D35: GetStockObject.GDI32(00000011), ref: 006D1D87
Part of subcall function 006D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 006D1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00756461
LoadLibraryW.KERNEL32(?), ref: 00756468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0075647D
DestroyWindow.USER32(?), ref: 00756485

Strings

SysAnimate32, xrefs: 0075643C

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 148986610e32ab8c0233e380810d6a8e3df01f3db48e0f11f54855d6776c351f
Instruction ID: 8e2b00e04d395c591278a813ef1787e9518851374bdff9086524b3575a66a1a0
Opcode Fuzzy Hash: 148986610e32ab8c0233e380810d6a8e3df01f3db48e0f11f54855d6776c351f
Instruction Fuzzy Hash: 9F21BB71200245BBEF104FA4DC80EFB77A9EB58725FA08629FE1093190D7B9DC469760

Function 00736D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00736DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00736DEF
GetStdHandle.KERNEL32(0000000C), ref: 00736E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00736E3B

Strings

nul, xrefs: 00736E36

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 411fc192f4464d7ade9407eaa6fda8c0f94e774ae8482b8536e9f069d8bc7487
Instruction ID: 353f90ec637041f04a9615d4acb0b0da48eccac698e1765ea57ab15d8052aea9
Opcode Fuzzy Hash: 411fc192f4464d7ade9407eaa6fda8c0f94e774ae8482b8536e9f069d8bc7487
Instruction Fuzzy Hash: 492181B5700309BBEF209F29DC04A9A77B4FF45720F208629FDA0D72D1DB7499548B54

Function 00736E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00736E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00736EBB
GetStdHandle.KERNEL32(000000F6), ref: 00736ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00736F06

Strings

nul, xrefs: 00736F01

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: be719ba1505b1fd39933ec9096e3e4505862c0dc03382ba4b12b544312449059
Instruction ID: d7fc4cb1b23477c8c5e27d99deb0e3f71291d23daf156b5a1685b63c8eadd62e
Opcode Fuzzy Hash: be719ba1505b1fd39933ec9096e3e4505862c0dc03382ba4b12b544312449059
Instruction Fuzzy Hash: C221B6B9540305BBEB209F69DC04A9A77F8FF45720F208A19FCA0D72D1EB78A854C761

Function 0073AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0073AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0073ACA8
__swprintf.LIBCMT ref: 0073ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,0075F910), ref: 0073ACFF

Strings

%lu, xrefs: 0073ACBB

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: a333fdf786206c02a44fd30d0e156ca3cfea411929e043bc0fceb2a5c5c91858
Instruction ID: a03c7a46191f169f9cf491abda417cf04daea21552a56037c2a297b519346200
Opcode Fuzzy Hash: a333fdf786206c02a44fd30d0e156ca3cfea411929e043bc0fceb2a5c5c91858
Instruction Fuzzy Hash: 1421AF71A00209EFCB10EF69C945DEE7BB8EF89314B004069F909EB352DB75EA01CB61

Function 00731142 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0072FCED,?,00730D40,?,00008000), ref: 0073115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,0072FCED,?,00730D40,?,00008000), ref: 00731184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0072FCED,?,00730D40,?,00008000), ref: 0073118E
Sleep.KERNEL32(?,?,?,?,?,?,?,0072FCED,?,00730D40,?,00008000), ref: 007311C1

Strings

@s, xrefs: 0073119D

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID: @s
API String ID: 2875609808-4084795929
Opcode ID: 754214805032daf14c6ca43670fd16fab88f222679b48707f2fce0d5920a69b6
Instruction ID: 87fc866c44d7661c4d7124e29a0c9b8ec725dadc74721cec915b2b00ffe2d8a1
Opcode Fuzzy Hash: 754214805032daf14c6ca43670fd16fab88f222679b48707f2fce0d5920a69b6
Instruction Fuzzy Hash: CC116172D01A1DD7DF00EFA5D948AEEBF78FF09711F408055EA81B2241CB789950CB95

Function 00731AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00731B19

Strings

EXISTS, xrefs: 00731B41
APPEND, xrefs: 00731B52
KEYS, xrefs: 00731B30
REMOVE, xrefs: 00731B1F

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: e6881123d7ff3abec15de2f2d8d8cf5ec9b4ce21249b681249f853372c4de71e
Instruction ID: 88edc5c49ae365a07ac365949bccbaa411caa64979fa16bc415ac5e43899518b
Opcode Fuzzy Hash: e6881123d7ff3abec15de2f2d8d8cf5ec9b4ce21249b681249f853372c4de71e
Instruction Fuzzy Hash: 461139709402088BDF80EFA4D9618FEF7B5FF26304F9484A9E815A7693EB365906CB54

Function 0074EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0074EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0074EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0074ED6A
CloseHandle.KERNEL32(?), ref: 0074EDEB

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 6aa3d084d5f3134e171a7a5799e7b05f4b7b3de5d8a306f27dac023a7965e00e
Instruction ID: d4ee0fee99b7413097a80392f785c9abe1ded8e077361049570987bafa987abe
Opcode Fuzzy Hash: 6aa3d084d5f3134e171a7a5799e7b05f4b7b3de5d8a306f27dac023a7965e00e
Instruction Fuzzy Hash: 79813D71A007109FD760EF28C846F2AB7E6AF48720F14891EF9999B3D2D7B4AD40CB55

Function 00750037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006D7DE1: _memmove.LIBCMT ref: 006D7E22

Part of subcall function 00750E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0074FDAD,?,?), ref: 00750E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007500FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0075013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00750183
RegCloseKey.ADVAPI32(?,?), ref: 007501AF
RegCloseKey.ADVAPI32(00000000), ref: 007501BC

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 1a7d5645b3cc100d8e07ba6418d6528bd70560a9d6cc4547cac7553796cde198
Instruction ID: eae2e465510fc2f50cfd5094c957b5580ccea6725eadda34fcb5d199d7db4abf
Opcode Fuzzy Hash: 1a7d5645b3cc100d8e07ba6418d6528bd70560a9d6cc4547cac7553796cde198
Instruction Fuzzy Hash: 04516E71604204AFC704EF68CC81EAEB7E9FF84315F44491EF95587291DB75E908CB96

Function 0074D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 006D9837: __itow.LIBCMT ref: 006D9862
Part of subcall function 006D9837: __swprintf.LIBCMT ref: 006D98AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0074D927
GetProcAddress.KERNEL32(00000000,?), ref: 0074D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 0074D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 0074DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0074DA21

Part of subcall function 006D5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00737896,?,?,00000000), ref: 006D5A2C
Part of subcall function 006D5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00737896,?,?,00000000,?,?), ref: 006D5A50

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: c05e0d9ea54f6826af63757dc7915303e3110c0978275d8f26b287a2b80ec03b
Instruction ID: 7db824f63bee6aa68d7582fefcc5a27a61967a9fb8dcb7d30e8c6a0eff2a38a2
Opcode Fuzzy Hash: c05e0d9ea54f6826af63757dc7915303e3110c0978275d8f26b287a2b80ec03b
Instruction Fuzzy Hash: 09512735A00609DFCB50EFA8C4849ADB7B5FF09310B04C06AE856AB312DB35AD45CF95

Function 0073E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0073E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0073E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0073E687

Part of subcall function 006D9837: __itow.LIBCMT ref: 006D9862
Part of subcall function 006D9837: __swprintf.LIBCMT ref: 006D98AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0073E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0073E6B4

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: bcc1cc7f08371c866cd63021397f9b1579e337dc055bdac74492306fdf932966
Instruction ID: bf4d44ffdeb89f1ffaece5bfe7d5168a6cb75bc9680bcc6330da58bc0e4a205c
Opcode Fuzzy Hash: bcc1cc7f08371c866cd63021397f9b1579e337dc055bdac74492306fdf932966
Instruction Fuzzy Hash: 2E512A35A00205DFDB41EF64C9819AEBBF6FF09314F1484A9E809AB362CB35ED51DB64

Function 0075A056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16f92e783c4a03422107b4ed2b007a649162685c7f4a98ccd182ad5603bc1319
Instruction ID: 0254033dbb393408ebbfa4633df3eae7e3a25778b8d6e69005e8778f2fc3927b
Opcode Fuzzy Hash: 16f92e783c4a03422107b4ed2b007a649162685c7f4a98ccd182ad5603bc1319
Instruction Fuzzy Hash: B841B235904618BFD710DB28CC48FE9BBB4EB09312F144275EC19A72E1DBB89D49DA91

Function 006D2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 006D2357
ScreenToClient.USER32(007957B0,?), ref: 006D2374
GetAsyncKeyState.USER32(00000001), ref: 006D2399
GetAsyncKeyState.USER32(00000002), ref: 006D23A7

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 9f9faa37d1ce45db9cffc367109cd17fdf1e01535b61e3328b04f8902051f808
Instruction ID: f1077010bdbe193606b2f06b70a2429d474dc820b9f1990b410fb9ac0baa9a73
Opcode Fuzzy Hash: 9f9faa37d1ce45db9cffc367109cd17fdf1e01535b61e3328b04f8902051f808
Instruction Fuzzy Hash: 43418175A0410AFBDF159F68CC44AE9BBB5FB15360F20431AF829932D0C778AD54DB91

Function 007263AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007263E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00726433
TranslateMessage.USER32(?), ref: 0072645C
DispatchMessageW.USER32(?), ref: 00726466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00726475

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 8a058d1b01023918139d8a47f6549ad3594d022c6af59607a61c158971a75722
Instruction ID: b27227595d4177b68e6c2ac3f40105732ab7bdbe14e10d0256c05c75ea022f1f
Opcode Fuzzy Hash: 8a058d1b01023918139d8a47f6549ad3594d022c6af59607a61c158971a75722
Instruction Fuzzy Hash: 763105719006B2EFDB21DFB0EC44FB67BA8AB00300F10816BE561C31A1E77D9686C760

Function 00728A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00728A30
PostMessageW.USER32(?,00000201,00000001), ref: 00728ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00728AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00728AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00728AF8

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: aa040d95bed1eae9e68e995e13fe1206f14d45137488e77127561cc0bfbe0f7b
Instruction ID: be6bd250b5ef99b53b5a77f176192911b290d6d9033a3ccb6918fc67b19a635c
Opcode Fuzzy Hash: aa040d95bed1eae9e68e995e13fe1206f14d45137488e77127561cc0bfbe0f7b
Instruction Fuzzy Hash: 6631B171501229EBDB14CF68E94CADE3BB5EB04316F108229F925E72D0CBB99914DB91

Function 0072B1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0072B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0072B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0072B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0072B27F
_wcsstr.LIBCMT ref: 0072B289

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: d9fb419715bd83d807ab147a1c8b707ca13a8caadc4e9c4de616e60c78f17f24
Instruction ID: bdbcdb3e44eb8230750c7d15ee61abd36c5acb230424198b46ae92e30d30ad66
Opcode Fuzzy Hash: d9fb419715bd83d807ab147a1c8b707ca13a8caadc4e9c4de616e60c78f17f24
Instruction Fuzzy Hash: 0E212532204314BAEB159B75AC09E7F7BD9EF49720F00802DF904CA161EBA99C4092A4

Function 0075B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 006D2612: GetWindowLongW.USER32(?,000000EB), ref: 006D2623

GetWindowLongW.USER32(?,000000F0), ref: 0075B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0075B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0075B1CF
GetSystemMetrics.USER32(00000004), ref: 0075B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00740E90,00000000), ref: 0075B216

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 6aa6a76d26b754d3ba0d95641c88eb82a3896d5a37c0d1a5a6d91b877a8fe42a
Instruction ID: 452adfe93b30faadbf7e10b4e15745d64b20161480f187426b35ce194870b923
Opcode Fuzzy Hash: 6aa6a76d26b754d3ba0d95641c88eb82a3896d5a37c0d1a5a6d91b877a8fe42a
Instruction Fuzzy Hash: 8A219171910665AFCB509F389C18ABA37A4FB05362F108739FD32D71E0E77898258B90

Function 00729307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00729320

Part of subcall function 006D7BCC: _memmove.LIBCMT ref: 006D7C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00729352
__itow.LIBCMT ref: 0072936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00729392
__itow.LIBCMT ref: 007293A3

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: b26946ec6851ec0ff979c5fab3f8e3d69a0500bff447afa0eac235945194bab6
Instruction ID: 157254644888cdbc54a5a5b8a3d41730771317600c4711bdb0a70bf8564dfc91
Opcode Fuzzy Hash: b26946ec6851ec0ff979c5fab3f8e3d69a0500bff447afa0eac235945194bab6
Instruction Fuzzy Hash: 5421DA31B00218AFDB10DE649C89EEE7BA9EB49711F084029FF05D72D2D6B4CD4587A6

Function 00745A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00745A6E
GetForegroundWindow.USER32 ref: 00745A85
GetDC.USER32(00000000), ref: 00745AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00745ACD
ReleaseDC.USER32(00000000,00000003), ref: 00745B08

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: e6d8d16311f56db850df1c12ffbdd60de12c3ac4512337b269d1047106d483dc
Instruction ID: bbeaf02c60bb5eb9047331cbb5d7df5512872898f92e2d4018116d6d2e4c2dc2
Opcode Fuzzy Hash: e6d8d16311f56db850df1c12ffbdd60de12c3ac4512337b269d1047106d483dc
Instruction Fuzzy Hash: C1218135A00204AFD714EFA5DC88AAABBE5EF48311F14C479F84997362CB74AD00CB95

Function 006D12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 006D134D
SelectObject.GDI32(?,00000000), ref: 006D135C
BeginPath.GDI32(?), ref: 006D1373
SelectObject.GDI32(?,00000000), ref: 006D139C

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 5517397ec04508793ed6dde04da90da62b59af3d9f2d54311515079b318e98c4
Instruction ID: 976ad1089096fd9348cb392d30a368e2736d2ea6eac307b8e23060bfc4e0c1bc
Opcode Fuzzy Hash: 5517397ec04508793ed6dde04da90da62b59af3d9f2d54311515079b318e98c4
Instruction Fuzzy Hash: 34215130C01B18EBDB129F15DC04BA97BA9EB11322F188217F4149A3B0D7B99992DF98

Function 00734A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00734ABA
__beginthreadex.LIBCMT ref: 00734AD8
MessageBoxW.USER32(?,?,?,?), ref: 00734AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00734B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00734B0A

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 5452a94164b33b9011108af4b1fb4250166bd1433221a40c5e2b840ad0f8b16c
Instruction ID: ffb7f6e39306a1ca7790e3d8d74e3baf3bd30e6b2bb5f2b009d1e1f853df34e6
Opcode Fuzzy Hash: 5452a94164b33b9011108af4b1fb4250166bd1433221a40c5e2b840ad0f8b16c
Instruction Fuzzy Hash: ED1148B2904618BBD7019FA89C04ADB7FACEB49321F14826AF814D3251D6B8DD0087A4

Function 00728202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0072821E
GetLastError.KERNEL32(?,00727CE2,?,?,?), ref: 00728228
GetProcessHeap.KERNEL32(00000008,?,?,00727CE2,?,?,?), ref: 00728237
RtlAllocateHeap.NTDLL(00000000,?,00727CE2), ref: 0072823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00728255

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
String ID:
API String ID: 883493501-0
Opcode ID: 82d1e9366115ee02988fac1e2bf5571702b2b10d2d19007d84d4702b220f1f5a
Instruction ID: bb1c99caf2a3f2903c0ffc3609bb6c69d559590a877445c0ba5eee76a7f873f9
Opcode Fuzzy Hash: 82d1e9366115ee02988fac1e2bf5571702b2b10d2d19007d84d4702b220f1f5a
Instruction Fuzzy Hash: 42016D71602718FFDB204FA5EC48DAB7BACFF8A755B504569F809C3220DA768C00CA60

Function 0072710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.COMBASE ref: 00727127
ProgIDFromCLSID.COMBASE(?,00000000), ref: 00727142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00727044,80070057,?,?), ref: 00727150
CoTaskMemFree.COMBASE(00000000), ref: 00727160
CLSIDFromString.COMBASE(?,?), ref: 0072716C

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 48723f8d69e89190a355cb0d3275bf136ecdef31838261314c49e29f2a1c1115
Instruction ID: a68b7334eb3681c963e7795e4fd245da828b1d81d7db7e6f4c83f2528e33746f
Opcode Fuzzy Hash: 48723f8d69e89190a355cb0d3275bf136ecdef31838261314c49e29f2a1c1115
Instruction Fuzzy Hash: 6C01717260132CABDB154F64ED44AAA7BADEF84762F144064FD04D7210D779DD50DBA0

Function 00735244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00735260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0073526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00735276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00735280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007352BC

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: fe8e51d9821385abc160d7b684b56a1cdddecf9722607ada15937d9da7a50339
Instruction ID: d3fd4bed6fb29d802e9de385aff7643aba5ee88a007751f7dc1c7c40fc6e5b56
Opcode Fuzzy Hash: fe8e51d9821385abc160d7b684b56a1cdddecf9722607ada15937d9da7a50339
Instruction Fuzzy Hash: 980169B1D01A1DDBDF00EFE4E8499EEBB78FB0C312F404156E941B2192CB7859508BA5

Function 0072810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00728121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0072812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0072813A
RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00728141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00728157

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: fddd51d6503b09902a8eee3b2317c3228d55066607950f12cd696d0f49c1ff06
Instruction ID: 83eea9a46a951b8077693c6dfa3a0a4a1142860edbb8fe0bce1f9680b5a9ac4e
Opcode Fuzzy Hash: fddd51d6503b09902a8eee3b2317c3228d55066607950f12cd696d0f49c1ff06
Instruction Fuzzy Hash: 1DF0C270202328AFEB510FA4EC8DEAB3BACFF49755B00402DF949C3190CBA99C11DA61

Function 0072C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0072C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 0072C20E
MessageBeep.USER32(00000000), ref: 0072C226
KillTimer.USER32(?,0000040A), ref: 0072C242
EndDialog.USER32(?,00000001), ref: 0072C25C

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: e42ff484b160dbdf6722578a9082f9739088f10d8d7122f9ac1f06a215e346ab
Instruction ID: 6b9de99bbb43f3ff9c44b016a2bb0057e1199fd64d737898447714ce437e3d60
Opcode Fuzzy Hash: e42ff484b160dbdf6722578a9082f9739088f10d8d7122f9ac1f06a215e346ab
Instruction Fuzzy Hash: 6F01A230404714ABEB216B60ED4EF9A77F8FF10B06F00466AE542A14E0DBE869448B95

Function 006D13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 006D13BF
StrokeAndFillPath.GDI32(?,?,0070B888,00000000,?), ref: 006D13DB
SelectObject.GDI32(?,00000000), ref: 006D13EE
DeleteObject.GDI32 ref: 006D1401
StrokePath.GDI32(?), ref: 006D141C

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 7ccab02e8f0a8da1fa8c0c993c44128a1004e74a1a9d67c6146bad42e063e22e
Instruction ID: ae0675690c8f259ec5990dd093d77435eabf96be5f118b276748ee50a121edb3
Opcode Fuzzy Hash: 7ccab02e8f0a8da1fa8c0c993c44128a1004e74a1a9d67c6146bad42e063e22e
Instruction Fuzzy Hash: 9AF0E130405B18EBDB125F16EC4CB983FE5A701326F08C326E429892F1C7B949A6DF58

Function 00728992 Relevance: 7.5, APIs: 5, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0072899D
CloseHandle.KERNEL32(?), ref: 007289B2
CloseHandle.KERNEL32(?), ref: 007289BA
GetProcessHeap.KERNEL32(00000000,?), ref: 007289C3
HeapFree.KERNEL32(00000000), ref: 007289CA

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessSingleWait
String ID:
API String ID: 3751786701-0
Opcode ID: 359d1c720d15f8255a1049b56ac5f4cb8b2de56ac951d9cb900bf1c6a4f4120e
Instruction ID: af45ecbb35d373e35d8aec2a6544b6894e57de15d6334603ff8041e4904dff77
Opcode Fuzzy Hash: 359d1c720d15f8255a1049b56ac5f4cb8b2de56ac951d9cb900bf1c6a4f4120e
Instruction Fuzzy Hash: 01E0C236004605FBDA012FE1EC0C98ABF69FB89323B508630F21981470CBBAA820DB58

Function 0073C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0073C432
CoCreateInstance.COMBASE(00762D6C,00000000,00000001,00762BDC,?), ref: 0073C44A

Part of subcall function 006D7DE1: _memmove.LIBCMT ref: 006D7E22

CoUninitialize.COMBASE ref: 0073C6B7

Strings

.lnk, xrefs: 0073C3C6, 0073C3EE, 0073C3F8

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 1fefeb91fcdadd25c164069eb49dc25b8d4a061fd71edd5ea73ab0f268196cee
Instruction ID: 63f24fd49793f6ce96267ab9e61d22b0ce55a975dfe75336c3bb76bd49f773cb
Opcode Fuzzy Hash: 1fefeb91fcdadd25c164069eb49dc25b8d4a061fd71edd5ea73ab0f268196cee
Instruction Fuzzy Hash: 68A15DB1504205AFD740EF54C881EAFB7E9FF84314F00491EF5569B292EB71EA09CB66

Function 006E2CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 006F0DB6: std::exception::exception.LIBCMT ref: 006F0DEC
Part of subcall function 006F0DB6: __CxxThrowException@8.LIBCMT ref: 006F0E01

Part of subcall function 006D7DE1: _memmove.LIBCMT ref: 006D7E22

Part of subcall function 006D7A51: _memmove.LIBCMT ref: 006D7AAB

__swprintf.LIBCMT ref: 006E2ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 006E2D66

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: e2f08a8390a052259febb11c4c79881292e05140680ef6acaa22aab45cb793db
Instruction ID: a1f638ad2fc5ce34b85f426ba8017655fdf349635756232f08a248124dff9459
Opcode Fuzzy Hash: e2f08a8390a052259febb11c4c79881292e05140680ef6acaa22aab45cb793db
Instruction Fuzzy Hash: D7919C715083569FC764EF28C895CAEB7AAEF85310F00091EF4469B2A1EA30ED44CB56

Function 0073B93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 006D4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006D4743,?,?,006D37AE,?), ref: 006D4770

CoInitialize.OLE32(00000000), ref: 0073B9BB
CoCreateInstance.COMBASE(00762D6C,00000000,00000001,00762BDC,?), ref: 0073B9D4
CoUninitialize.COMBASE ref: 0073B9F1

Part of subcall function 006D9837: __itow.LIBCMT ref: 006D9862
Part of subcall function 006D9837: __swprintf.LIBCMT ref: 006D98AC

Strings

.lnk, xrefs: 0073B99D, 0073B9AB

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: f71a3bb1b968bd6a1bea15a72d08abc57d771dc6c34625bb4235159ef6e9f13f
Instruction ID: 66ef32ca824640ed98b83954f51536c8c885dabfc03f17b1522515c71f9d3701
Opcode Fuzzy Hash: f71a3bb1b968bd6a1bea15a72d08abc57d771dc6c34625bb4235159ef6e9f13f
Instruction Fuzzy Hash: 22A14475A043059FDB00DF24C484D6ABBE6FF89314F048999F99A9B3A2CB35EC45CB91

Function 0072B2F3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0072B4BE

Strings

AutoIt3GUI, xrefs: 0072B436
%v, xrefs: 0072B561
Container, xrefs: 0072B43B

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%v
API String ID: 3565006973-1258757215
Opcode ID: a406a9c80d1a9b858acc248c9e91f50eee55b6238a49095e992de102dc50410d
Instruction ID: c6bb5cdbd9c22bf924c8cbf80992424670da5cbe17dd86ecd12db22595e102d6
Opcode Fuzzy Hash: a406a9c80d1a9b858acc248c9e91f50eee55b6238a49095e992de102dc50410d
Instruction Fuzzy Hash: 0C9159B0600611AFDB54DF65D884B6ABBE9FF48710F20856DF94ACF292DB74E841CB60

Function 006F501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 006F50AD

Part of subcall function 007000F0: __87except.LIBCMT ref: 0070012B

Strings

pow, xrefs: 006F5085, 006F50A2

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: d216c45d6581a13c5acdc3975a445444ad45be3fab77988ba92a6e0c5743d7dc
Instruction ID: 2af0ca6e587cc8a07455e484fd7525151e99df39cae8359959b2cee581773a23
Opcode Fuzzy Hash: d216c45d6581a13c5acdc3975a445444ad45be3fab77988ba92a6e0c5743d7dc
Instruction Fuzzy Hash: 61515B31908A09D7DB15B714C8053BE2BD6AB40760F208E59E6D7863E9EF3C8DC4D6CA

Function 00718584 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0071862B
_memmove.LIBCMT ref: 00718685

Strings

_n, xrefs: 007186FF, 0071DFDC, 0071DFF8
3cn, xrefs: 0071860C

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: _memmove
String ID: 3cn$_n
API String ID: 4104443479-1566527804
Opcode ID: cca583c1448b0829ea5e7526f6b9bfa5e4e98e7dca002a1e9b816c1064c87f15
Instruction ID: d4e75a0bb8de270fce9ce4ab6726b0782736d04a250825029ec07317878dfdfb
Opcode Fuzzy Hash: cca583c1448b0829ea5e7526f6b9bfa5e4e98e7dca002a1e9b816c1064c87f15
Instruction Fuzzy Hash: 4E514E70D01609DFCB64CF68C884AEEB7B2FF44304F248529E85AD7291EB35A995CB51

Function 007297F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007314BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00729296,?,?,00000034,00000800,?,00000034), ref: 007314E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0072983F

Part of subcall function 00731487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007292C5,?,?,00000800,?,00001073,00000000,?,?), ref: 007314B1

Part of subcall function 007313DE: GetWindowThreadProcessId.USER32(?,?), ref: 00731409
Part of subcall function 007313DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0072925A,00000034,?,?,00001004,00000000,00000000), ref: 00731419
Part of subcall function 007313DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0072925A,00000034,?,?,00001004,00000000,00000000), ref: 0073142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007298AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007298F9

Strings

@, xrefs: 00729911

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: b5c6b3ddf3f810dcb190e263b6bebc75ccd0ff693fcb91fd62cc29fb656e0a95
Instruction ID: a455421eec346173bfb90c174b23b42097fb97bf0012e7268a3ee80603da4584
Opcode Fuzzy Hash: b5c6b3ddf3f810dcb190e263b6bebc75ccd0ff693fcb91fd62cc29fb656e0a95
Instruction Fuzzy Hash: 8F41617690121CBFDB10DFA4CD85ADEBBB8EF49300F044099FA45B7191DA756E85CBA0

Function 00757946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0075F910,00000000,?,?,?,?), ref: 007579DF
GetWindowLongW.USER32 ref: 007579FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00757A0C

Strings

SysTreeView32, xrefs: 007579B1

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 20dd61c31668632821564ad7502ede0c46ff6846f2bbf5efbc08b2fd9b266e42
Instruction ID: a45de58354ed32f4355bbf5d7ebbe1e2cae7a2c5c61a446d39f0093be97e1680
Opcode Fuzzy Hash: 20dd61c31668632821564ad7502ede0c46ff6846f2bbf5efbc08b2fd9b266e42
Instruction Fuzzy Hash: BD31F031604606ABDB158E38DC05BEA77A9EF05325F208725F875932E0D778E955CB60

Function 007573D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00757461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00757475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00757499

Strings

SysMonthCal32, xrefs: 0075742C

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 189b69238aacb0da617f5ce305494945b46c450ea69befcd7d49a5996a0e3b36
Instruction ID: 7456bc233f7dbedb184e6e0be9c0b99819059a266e59af03998f6570c6435885
Opcode Fuzzy Hash: 189b69238aacb0da617f5ce305494945b46c450ea69befcd7d49a5996a0e3b36
Instruction Fuzzy Hash: 6021D132500258BFDF158FA4DC46FEA3B6AEF48725F110214FE156B1D0DAB9AC55CBA0

Function 00756CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00756D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00756D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00756D70

Strings

Listbox, xrefs: 00756D08

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: b63c5fb3712f36c8de71ed113c1fd742c883a12c76ac4b525b5968657f35baad
Instruction ID: 93a24df0c82d87219c63fdadc9c48ac6ce0c4b9035dbae4dcc1f6d499240b1de
Opcode Fuzzy Hash: b63c5fb3712f36c8de71ed113c1fd742c883a12c76ac4b525b5968657f35baad
Instruction Fuzzy Hash: A921B332600218BFDF118F54CC45EFB3BBAEF89751F418128F9455B190C6B5AC5587A0

Function 007439E9 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00743A66

Part of subcall function 006D7DE1: _memmove.LIBCMT ref: 006D7E22

Strings

AUTOITCALLVARIABLE%d, xrefs: 00743A58
%v, xrefs: 007439F4
, $, xrefs: 00743AA6

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d$%v
API String ID: 3506404897-1777412257
Opcode ID: b98d84fd7526d0c0635f3c7c0f829c6c9797bc941eb8e43285bb0c8153e8037d
Instruction ID: ee6bbd3f916463bff7a72438ab86e19bc8d85d24249ba7c19c0a6e43e6dc8be1
Opcode Fuzzy Hash: b98d84fd7526d0c0635f3c7c0f829c6c9797bc941eb8e43285bb0c8153e8037d
Instruction Fuzzy Hash: 0821D770B40118AFCF50EF64CC86EAD77B6AF44300F504459F459AB241DB38EA45CB66

Function 0075770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00757772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00757787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00757794

Strings

msctls_trackbar32, xrefs: 00757749

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 6919611cd0810b2c7b89ce0444accd250d89e39f8e7947592bc7d1450aa6ba28
Instruction ID: d7e82f52fd6c64392697fb2d4bf674b78c27796a17df74fd6e543ea725853f6d
Opcode Fuzzy Hash: 6919611cd0810b2c7b89ce0444accd250d89e39f8e7947592bc7d1450aa6ba28
Instruction Fuzzy Hash: 51113672240208BFEF245F70EC05FEB3BA9EF8CB55F014528FA41A6090D6B6E811CB20

Function 006D4B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,006D4AD0), ref: 006D4B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 006D4B57

Strings

GetNativeSystemInfo, xrefs: 006D4B51
kernel32.dll, xrefs: 006D4B40

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 574e90c62c8d1ec3aaa4a224a177882089b930c532c3a15d3dcfe5485467f52b
Instruction ID: 0d0d712b4f9642822c7c12c7f20489d479f484267fbcbea0926989a541e1d6a8
Opcode Fuzzy Hash: 574e90c62c8d1ec3aaa4a224a177882089b930c532c3a15d3dcfe5485467f52b
Instruction Fuzzy Hash: 30D012B4A10B17CFD7209F31D818B8676D5AF15352B11C83BD8C5D6250EAB8D880C698

Function 006D4C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,006D4B83,?), ref: 006D4C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 006D4C56

Strings

Wow64RevertWow64FsRedirection, xrefs: 006D4C50
kernel32.dll, xrefs: 006D4C3F

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 83fd88367ac766fcddf48b8b83a8afa6d858f195b8dfbeb4b091e6e25e3dda52
Instruction ID: b4121a3d72d1d8b18a565573174a623da17f1b50d0e5774a5e79bbb865bab30f
Opcode Fuzzy Hash: 83fd88367ac766fcddf48b8b83a8afa6d858f195b8dfbeb4b091e6e25e3dda52
Instruction Fuzzy Hash: FFD012B0911B13CFD7205F31D90869677D6AF05352B11C83AD495D6660EAB8D880C650

Function 006D4C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,006D4BD0,?,006D4DEF,?,007952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 006D4C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 006D4C23

Strings

kernel32.dll, xrefs: 006D4C0C
Wow64DisableWow64FsRedirection, xrefs: 006D4C1D

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 5e7f038a716e8a3442696ee34195a42a6aa8503aa22641b863f519e438a5b731
Instruction ID: b4125da1276384d9a5be38c86801283ed4c8c11989d5b97aa1a9ca9861fb5e40
Opcode Fuzzy Hash: 5e7f038a716e8a3442696ee34195a42a6aa8503aa22641b863f519e438a5b731
Instruction Fuzzy Hash: CED0EC70911B12CFD7206B71D948686B6D6AF09352B11C83AD485D6650EAB8D8808A51

Function 00750DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00751039), ref: 00750DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00750E07

Strings

RegDeleteKeyExW, xrefs: 00750E01
advapi32.dll, xrefs: 00750DF0

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: e60330d8fa387b82a06ba2cec0ab85522bd4345d0aeb74357de2fb3e486c5b15
Instruction ID: fcb421c94bd8383ab9d6d423f31c6dd7c0d83c70286b03666ffa9885c4d5b409
Opcode Fuzzy Hash: e60330d8fa387b82a06ba2cec0ab85522bd4345d0aeb74357de2fb3e486c5b15
Instruction Fuzzy Hash: E7D082B0440B26CFC321AB71C80928272E5AF00342F24CC2ED982C2190EAF8D8A08A84

Function 007490E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00748CF4,?,0075F910), ref: 007490EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00749100

Strings

GetModuleHandleExW, xrefs: 007490FA
kernel32.dll, xrefs: 007490E9

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: c5c105d2d4bbb415d2cbed4d1018d0ae7904f8eb950492b46d35de05a5afbce8
Instruction ID: adc1f56668c56e9d9aa6d7e972e84326c0f23b51cfe56f80c292bf0554adc37f
Opcode Fuzzy Hash: c5c105d2d4bbb415d2cbed4d1018d0ae7904f8eb950492b46d35de05a5afbce8
Instruction Fuzzy Hash: 20D01274550B17CFD7209F31D81C64776D5AF05352F11C839D685D6550EBB8C480C791

Function 00711714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00711718
__swprintf.LIBCMT ref: 00711749

Strings

WIN_XPe, xrefs: 00711788
%.3d, xrefs: 00711723

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 76a3307e8a897ab27bb0210ef79bf8a33a6d3f504b424f9fc1343de41fc0925d
Instruction ID: 70de73d8bafa283e947f0c5207105758776dbc2a9726391ae3b7bd7adda949b0
Opcode Fuzzy Hash: 76a3307e8a897ab27bb0210ef79bf8a33a6d3f504b424f9fc1343de41fc0925d
Instruction Fuzzy Hash: FBD012B1C4511DEAC7409B94988D8F9737CA708311F940462F702D62C0E22987D4D725

Function 0072717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b8fc58db09e5be44f66712eb11a7a41717349f40278a7f87023e8507b409b32
Instruction ID: faa16755afe231d13196609583a887e0c95ab696d33d87c141272218993b0586
Opcode Fuzzy Hash: 9b8fc58db09e5be44f66712eb11a7a41717349f40278a7f87023e8507b409b32
Instruction Fuzzy Hash: 52C19E74A04226EFCB18DFA4D984EAEBBF5FF48314B148598E805EB251D734ED81DB90

Function 0074E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0074E0BE
CharLowerBuffW.USER32(?,?), ref: 0074E101

Part of subcall function 0074D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0074D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0074E301
_memmove.LIBCMT ref: 0074E314

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 586de55b546123f364d30af86eec01d30bcb58bc2c7d582965ae2bdd2f1ccc8c
Instruction ID: ba9f26c64d5588813f1a556c7587841eed42d8c0d3970c6d8895510ee4c28ee8
Opcode Fuzzy Hash: 586de55b546123f364d30af86eec01d30bcb58bc2c7d582965ae2bdd2f1ccc8c
Instruction Fuzzy Hash: 5BC17871A08301DFC754DF28C480A6ABBE5FF89724F04896EF8999B351D774E946CB82

Function 00748093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 007480C3
CoUninitialize.COMBASE ref: 007480CE

Part of subcall function 0072D56C: CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 0072D5D4

VariantInit.OLEAUT32(?), ref: 007480D9
VariantClear.OLEAUT32(?), ref: 007483AA

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 9be472d039c621c27440e3738254f4723d9b9ec8e2764f3bd1858e733168b2c2
Instruction ID: b6f9a1348d1be594718667ad1ba81da6e1773ec792f94535d678c8235ca12ec1
Opcode Fuzzy Hash: 9be472d039c621c27440e3738254f4723d9b9ec8e2764f3bd1858e733168b2c2
Instruction Fuzzy Hash: 49A15875A047059FCB80DF64C481A2EB7E5BF89724F04880DF9969B3A1CB78EC01CB96

Function 00727530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.COMBASE(?,00000000), ref: 007276EA
CoTaskMemFree.COMBASE(00000000), ref: 00727702
CLSIDFromProgID.COMBASE(?,?), ref: 00727727
_memcmp.LIBCMT ref: 00727748

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: c08b0f47f71be10fea8b57a1e565d9b3cb9d68fb478d045db9b19b394498c372
Instruction ID: 5196f39a3d12bfd0ca1c53fdd65257ac2f6715d438bf8198d1e1e91c3d399fca
Opcode Fuzzy Hash: c08b0f47f71be10fea8b57a1e565d9b3cb9d68fb478d045db9b19b394498c372
Instruction Fuzzy Hash: 48813B71A00119EFCB04DFA4C984EEEB7B9FF89315F204198F506AB250DB75AE06CB60

Function 0072687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0072688E
SysAllocString.OLEAUT32(00000000), ref: 00726937
VariantCopy.OLEAUT32 ref: 00726966
VariantClear.OLEAUT32(?), ref: 0072698D

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 2900aa95d4484870bda201ea7adbcb9ff3a401e452b2dc877fc9feb410e4df0d
Instruction ID: 4a662ecc2da7279d71ab2778e4dde73f605f439ea373503100e0144717686596
Opcode Fuzzy Hash: 2900aa95d4484870bda201ea7adbcb9ff3a401e452b2dc877fc9feb410e4df0d
Instruction Fuzzy Hash: C351B274B043119ADB64AF65E8A5A7AB3F5AF44310F20C81FE586DB291DB78DC808B15

Function 007597F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(011DE678,?), ref: 00759863
ScreenToClient.USER32(00000002,00000002), ref: 00759896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00759903

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: a35b8e6dafd6b4beaae77fe74b6b99852a22d7cab730d0de412a5777cb69c352
Instruction ID: bacacf05acbf87dbc75a835b72b61d042ca57bf1113055d7bbcfb2211b9d5199
Opcode Fuzzy Hash: a35b8e6dafd6b4beaae77fe74b6b99852a22d7cab730d0de412a5777cb69c352
Instruction Fuzzy Hash: CF514D34A00209EFCF10CF64C884AEE7BB6FF95361F148169F9659B2A0D775AD85CB90

Function 00729A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00729AD2
__itow.LIBCMT ref: 00729B03

Part of subcall function 00729D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00729DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00729B6C
__itow.LIBCMT ref: 00729BC3

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 3ba8a951eac0231a62a27084de4afb7bbd4237ed62cc9c169fbf101c3c01c635
Instruction ID: e477aa658218c3a1b1ea15362bcce61b92b5884bb7d5e170979b10c76ecb5a3e
Opcode Fuzzy Hash: 3ba8a951eac0231a62a27084de4afb7bbd4237ed62cc9c169fbf101c3c01c635
Instruction Fuzzy Hash: EB417170A00218ABDF21EF54D845BEE7BBAEF44710F04006AFA05A7291DB749A44CB55

Function 0073B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0073B89E
GetLastError.KERNEL32(?,00000000), ref: 0073B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0073B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0073B915

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 14b7765e3fa96b460bd0d2a13b97c70755723c50efcb1832a153c03a91929e86
Instruction ID: 39e950f3038e492cfef15fa5c330b5016af2a0002a931b954c9749b41af3eb73
Opcode Fuzzy Hash: 14b7765e3fa96b460bd0d2a13b97c70755723c50efcb1832a153c03a91929e86
Instruction Fuzzy Hash: DA413939A00610DFCB50EF24C485A5DBBE2EF4A710F098499ED4A9B362CB34FD01DBA5

Function 00758851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007588DE

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: d56ca32b2e4135b7b64b0eecf3003813b959d6d0f5078883cb1d74fde1572b18
Instruction ID: 65ca459955f1eb2e691de18fc9ba796e42ec10683225da9b706d34cb9ab3e925
Opcode Fuzzy Hash: d56ca32b2e4135b7b64b0eecf3003813b959d6d0f5078883cb1d74fde1572b18
Instruction Fuzzy Hash: 2731E334610108EFEBA09A58CC45FF877A1EB05312F944112FE11F62A0CFF9B9489B97

Function 0075AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0075AB60
GetWindowRect.USER32(?,?), ref: 0075ABD6
PtInRect.USER32(?,?,0075C014), ref: 0075ABE6
MessageBeep.USER32(00000000), ref: 0075AC57

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: b308ede8a33a9d069e521ae335cd972216c71bf25035e49c685d2da4469913cf
Instruction ID: 564af45fba638f9fd4ce9d441e6f78e11ae8d1667bd321ba6fad07481e7bf6e6
Opcode Fuzzy Hash: b308ede8a33a9d069e521ae335cd972216c71bf25035e49c685d2da4469913cf
Instruction Fuzzy Hash: E6418230600219EFCB11DF58C884FE97BF5FF49312F1482B9E8559B260D7B9A845CBA2

Function 00730AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00730B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00730B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00730BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00730BFB

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: d0bf04550eacdf42034e9c35b89e0807ae7ba6dcb1f65df4a711413fd07e6b7b
Instruction ID: 1892764f69b10dcb621743942bfebaf32dbd4f78517558b38b5c19f761f16e22
Opcode Fuzzy Hash: d0bf04550eacdf42034e9c35b89e0807ae7ba6dcb1f65df4a711413fd07e6b7b
Instruction Fuzzy Hash: 50315CB0D40718AEFF318B298C19BFAFBA9AB45315F04425AF4C1521D3C3BC895197E5

Function 00730C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00730C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00730C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00730CE1
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00730D33

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 9a5d5e8ab774bebaa0ff43c521a5d785ccb5e66c2cd36b03718bf5134836f85c
Instruction ID: a83ab33171504b1df044dd86a0038277ab6ccecf238c550922ca458bbe22f716
Opcode Fuzzy Hash: 9a5d5e8ab774bebaa0ff43c521a5d785ccb5e66c2cd36b03718bf5134836f85c
Instruction Fuzzy Hash: 75315830A00718AEFF308B648C287FEBBB6BB45311F04936AE481521D2D37D9955D7E2

Function 007061C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 007061FB
__isleadbyte_l.LIBCMT ref: 00706229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00706257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0070628D

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: b35b7d29a1153b364fe51d5afaa2314bec99cff0c6c5e3723006355d033a1778
Instruction ID: 1e7c612d1719297bf3ff6e67a81dcf9be7040f610bab5322efe6ee05e51f864b
Opcode Fuzzy Hash: b35b7d29a1153b364fe51d5afaa2314bec99cff0c6c5e3723006355d033a1778
Instruction Fuzzy Hash: 3F31AF3160424AEFDF218F65CC54BBA7BE9FF41320F154229E864971E1E735D960DB90

Function 00754EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00754F02

Part of subcall function 00733641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0073365B
Part of subcall function 00733641: GetCurrentThreadId.KERNEL32 ref: 00733662
Part of subcall function 00733641: AttachThreadInput.USER32(00000000,?,00735005), ref: 00733669

GetCaretPos.USER32(?), ref: 00754F13
ClientToScreen.USER32(00000000,?), ref: 00754F4E
GetForegroundWindow.USER32 ref: 00754F54

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 69040c8700b6f67b51a2b8283c32fe34e7b18559282b337716d1085c9ace85ae
Instruction ID: 3b04a2f2839dcee593302b8e6d3e80e57bb7ebaea69ea61c726f01e969a89822
Opcode Fuzzy Hash: 69040c8700b6f67b51a2b8283c32fe34e7b18559282b337716d1085c9ace85ae
Instruction Fuzzy Hash: 13313E71D00208AFDB40EFA5C8859EFB7FDEF88304F10446AE415E7241EA759E458BA4

Function 00728656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0072810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00728121
Part of subcall function 0072810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0072812B
Part of subcall function 0072810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0072813A
Part of subcall function 0072810A: RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00728141
Part of subcall function 0072810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00728157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007286A3
_memcmp.LIBCMT ref: 007286C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007286FC
HeapFree.KERNEL32(00000000), ref: 00728703

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 2182266621-0
Opcode ID: f833090b6d209e510cd594803107b1071b4d1c88aae291bd8a138828345db3de
Instruction ID: a521fd9e4454ae1cba815acef91b3f8a48e4c4dc095681e205b473bffee63978
Opcode Fuzzy Hash: f833090b6d209e510cd594803107b1071b4d1c88aae291bd8a138828345db3de
Instruction Fuzzy Hash: 6C21C431D02218EFDB10DF94D948BEEB7B8EF50315F148059E405A7242DB35AE05CB51

Function 006F098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 006F09AE

Part of subcall function 006D5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00737896,?,?,00000000), ref: 006D5A2C
Part of subcall function 006D5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00737896,?,?,00000000,?,?), ref: 006D5A50

_fprintf.LIBCMT ref: 006F09E5
OutputDebugStringW.KERNEL32(?), ref: 00725DBB

Part of subcall function 006F4AAA: _flsall.LIBCMT ref: 006F4AC3

__setmode.LIBCMT ref: 006F0A1A

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 4220f7aee145a3d6044cab6866836abce79a04c7612b28e6679f6d3807b69323
Instruction ID: 661157db3f01c87daa76f78c4c71ea1177efe46730ccccd648c49acdfb08e9d4
Opcode Fuzzy Hash: 4220f7aee145a3d6044cab6866836abce79a04c7612b28e6679f6d3807b69323
Instruction Fuzzy Hash: 72113A71A0420C6FEB44B7B49C8A9FF776B9F41320F24015EF30597683EE74484257A9

Function 00741767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007417A3

Part of subcall function 0074182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0074184C
Part of subcall function 0074182D: InternetCloseHandle.WININET(00000000), ref: 007418E9

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 4721f17d6b2dd9944757d4f7bb52752be37571158d7d7517e58cfd54ba9de537
Instruction ID: 748e9c8bbfb588d29403fe126a77e0db5e20223550c87e770a22158e55706694
Opcode Fuzzy Hash: 4721f17d6b2dd9944757d4f7bb52752be37571158d7d7517e58cfd54ba9de537
Instruction Fuzzy Hash: 7721F335200705BFEB12AF60CC00FBABBEDFF48721F90442AFA4196650DB79D86197A0

Function 00733A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0075FAC0), ref: 00733A64
GetLastError.KERNEL32 ref: 00733A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00733A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0075FAC0), ref: 00733ADF

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 10981004197413fcbb627b88cf30ced604d570e815a7323c27ab165975954cf7
Instruction ID: 9ee6caceb16057cd6139ae362c60d7a2af7bfa9c311d1a195ff2a1efb608d447
Opcode Fuzzy Hash: 10981004197413fcbb627b88cf30ced604d570e815a7323c27ab165975954cf7
Instruction Fuzzy Hash: 3621A6745083019F9320DF28C8858AAB7E4BF55364F108A1EF499C72A2D775DE45CB43

Function 007050E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00705101

Part of subcall function 006F571C: __FF_MSGBANNER.LIBCMT ref: 006F5733
Part of subcall function 006F571C: __NMSG_WRITE.LIBCMT ref: 006F573A
Part of subcall function 006F571C: RtlAllocateHeap.NTDLL(011C0000,00000000,00000001), ref: 006F575F

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: cd2e0acf0d2c4f2e51d288511c4004a210c16bbfe00fcd0f2df9985deba2b17c
Instruction ID: 6865d08d8b653f17e381050a892505ed48833c0c34e8ffa79c6ed0ac834680eb
Opcode Fuzzy Hash: cd2e0acf0d2c4f2e51d288511c4004a210c16bbfe00fcd0f2df9985deba2b17c
Instruction Fuzzy Hash: 4011C172904A1DEECF212F74AC4977F37D99B00361B204A6EFA049B290DE7C88408B98

Function 007285B1 Relevance: 6.1, APIs: 4, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007285E2
OpenProcessToken.ADVAPI32(00000000), ref: 007285E9
CloseHandle.KERNEL32(00000004), ref: 00728603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00728632

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
String ID:
API String ID: 2621361867-0
Opcode ID: ceb7598bc4a7a7efc21423823e94b424e4cc910087e8cb3017a635768752e7b4
Instruction ID: cd09f2e4ded6c2c119aab01dc6a6f29662f139ea3344a9467f167ad79bf0d093
Opcode Fuzzy Hash: ceb7598bc4a7a7efc21423823e94b424e4cc910087e8cb3017a635768752e7b4
Instruction Fuzzy Hash: 4F116D7250124DABDF018FA4ED49FDE7BA9EF08305F048064FE04A2161C77A9D60DB61

Function 00746369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 006D5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00737896,?,?,00000000), ref: 006D5A2C
Part of subcall function 006D5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00737896,?,?,00000000,?,?), ref: 006D5A50

gethostbyname.WS2_32(?), ref: 00746399
WSAGetLastError.WS2_32(00000000), ref: 007463A4
_memmove.LIBCMT ref: 007463D1
inet_ntoa.WS2_32(?), ref: 007463DC

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: eb26a7c5866b4a13f49e20365689272e06c2c913f9a222ed5b4b6f76b063c51d
Instruction ID: 1e5bf2f433aed1f033cb8534b0d13f567cbc2c3a1b3ae3091232d29f1e87d491
Opcode Fuzzy Hash: eb26a7c5866b4a13f49e20365689272e06c2c913f9a222ed5b4b6f76b063c51d
Instruction Fuzzy Hash: 1711B232900109EFCB04FFA4DD46CEEB7B9AF04310B04402AF506E7261DB34AE04CBA5

Function 00728B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00728B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00728B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00728B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00728BA4

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: da7dba4e4094627e586ada9bc22b24e548af10ef70bc34f4556080fd87238706
Instruction ID: d7e49a0580cde71865d21deba1925f3794c853d7b43d0a9d3d5202c620cb4be2
Opcode Fuzzy Hash: da7dba4e4094627e586ada9bc22b24e548af10ef70bc34f4556080fd87238706
Instruction Fuzzy Hash: E2112EB9901218FFEB11DF95CC85F9DBBB4FB48710F204095E900B7250DA716E11DB94

Function 0072D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0072D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0072D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0072D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0072D897

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 4508c756f7ad1e2ce48dbb90430ffa722b67f708aef7ffc7b706455d7f8b8734
Instruction ID: 3a12c20efe7e10eea02ee9ae87a90f8835c012145e69a2c174fccaa19dce3d67
Opcode Fuzzy Hash: 4508c756f7ad1e2ce48dbb90430ffa722b67f708aef7ffc7b706455d7f8b8734
Instruction Fuzzy Hash: 0F116DB5605324EBE3308F50EC08F93BBBCEB00B10F108569EA56D6050D7F8E949EBA5

Function 00706FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00706FDB

Part of subcall function 007076C2: __fltout2.LIBCMT ref: 007076EB

__cftog_l.LIBCMT ref: 00707001
__cftoe_l.LIBCMT ref: 00707033

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 42ba637e32d8d76b3eaf294690261fe2c52d6bf71f0c478b37355b6ccc13fa4a
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 26014E7284414EFBCF1A5E84CC05CED3FA6BB18355F588615FA18980B1D23AE9B1EB81

Function 0075B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0075B2E4
ScreenToClient.USER32(?,?), ref: 0075B2FC
ScreenToClient.USER32(?,?), ref: 0075B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0075B33B

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 8fd6f07155ec163b8e4fb903223ccbf999a1b521d5133609a5e018300c52fbef
Instruction ID: 58d759873fbb4edaa483d0e605b226ae1041d1e12e52052f89485e00d571eb02
Opcode Fuzzy Hash: 8fd6f07155ec163b8e4fb903223ccbf999a1b521d5133609a5e018300c52fbef
Instruction Fuzzy Hash: 591144B9D00209EFDB41CFA9C8849EEBBF9FF08311F108166E914E3220D775AA558F54

Function 0075B635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0075B644
_memset.LIBCMT ref: 0075B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00796F20,00796F64), ref: 0075B682
CloseHandle.KERNEL32 ref: 0075B694

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: a82e4861e0eb589fccc3652a9c539d1e2aaea791d13e5e0cefa5cabab5176bb9
Instruction ID: ce511dcd3489b7b2bbdbdcb0d0e44dd82e721f059732b9a10add38d3410ba549
Opcode Fuzzy Hash: a82e4861e0eb589fccc3652a9c539d1e2aaea791d13e5e0cefa5cabab5176bb9
Instruction Fuzzy Hash: A1F012B25407047BF7102765BC06FBB7A9EEB09795F008135FB08E51A2D7B95C118BAC

Function 00736BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 00736BE6

Part of subcall function 007376C4: _memset.LIBCMT ref: 007376F9

_memmove.LIBCMT ref: 00736C09
_memset.LIBCMT ref: 00736C16
RtlLeaveCriticalSection.NTDLL(?), ref: 00736C26

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: b884ba243a3ad23909ea05b3ca586419dcbb111dad07902d089e7032f7c414cf
Instruction ID: deed07ad1f8001d33f844c77c9422b08aa6146bf8e29cdc177af938b04e2c11e
Opcode Fuzzy Hash: b884ba243a3ad23909ea05b3ca586419dcbb111dad07902d089e7032f7c414cf
Instruction Fuzzy Hash: 7FF0547A100204BBDF416F55DC85A8ABB2AFF45361F04C065FE095E227CB75E811CBB8

Function 006D2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 006D2231
SetTextColor.GDI32(?,000000FF), ref: 006D223B
SetBkMode.GDI32(?,00000001), ref: 006D2250
GetStockObject.GDI32(00000005), ref: 006D2258
GetWindowDC.USER32(?,00000000), ref: 0070BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 0070BE90
GetPixel.GDI32(00000000,?,00000000), ref: 0070BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 0070BEC2
GetPixel.GDI32(00000000,?,?), ref: 0070BEE2
ReleaseDC.USER32(?,00000000), ref: 0070BEED

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: ef04117ff45e92dc81dfab16b377f7d80381a9365024b62256025a0a6d94357e
Instruction ID: eaffcb13615bd3b35e56d37c5fedb54b1b511920cf6e6f5c5b11c4671f0c0a7e
Opcode Fuzzy Hash: ef04117ff45e92dc81dfab16b377f7d80381a9365024b62256025a0a6d94357e
Instruction Fuzzy Hash: 52E03932504648EADB215F64EC0DBD83B11EB15332F00C366FA69980E187B64A90DB12

Function 00728712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0072871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,007282E6), ref: 00728722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007282E6), ref: 0072872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,007282E6), ref: 00728736

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 38be50b5fda35c585900c4e8aef1f068c4c598226695d58d8e7f2afcab4fe935
Instruction ID: 607835ea9e059f385e7bf2601194a7457e38ba57132f0d051333faa2de07bf03
Opcode Fuzzy Hash: 38be50b5fda35c585900c4e8aef1f068c4c598226695d58d8e7f2afcab4fe935
Instruction Fuzzy Hash: 66E04F766123219BD7605FB06D0CB9B3BA8EF60792F188828E245CA080DA6C84418755

Function 006D6240 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%v, xrefs: 006D624E

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID:
String ID: %v
API String ID: 0-3047460978
Opcode ID: 5f1ea4fd5186830ead876d6446ced358ca7ff691f02761db796aa5a34f30e734
Instruction ID: 7b548d768ec8bc338a584033d158010f627f995c862de1b2013299fabb0ad83c
Opcode Fuzzy Hash: 5f1ea4fd5186830ead876d6446ced358ca7ff691f02761db796aa5a34f30e734
Instruction Fuzzy Hash: C6B17E71D001099ACF24EF98C4859FEB7B6EF48310F50816BF916A7391EB349E82CB95

Function 0073AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 006EFC86: _wcscpy.LIBCMT ref: 006EFCA9

Part of subcall function 006D9837: __itow.LIBCMT ref: 006D9862
Part of subcall function 006D9837: __swprintf.LIBCMT ref: 006D98AC

__wcsnicmp.LIBCMT ref: 0073B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0073B0F6

Strings

LPT, xrefs: 0073B027

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 598113b87c2a160d8e037f4850cc08f1f25e4d33ee81e9f37394d9c74e3b11df
Instruction ID: 355a14be7aaf25f14ca6447a6281b65836421838c1fc18a8f7c158575137097b
Opcode Fuzzy Hash: 598113b87c2a160d8e037f4850cc08f1f25e4d33ee81e9f37394d9c74e3b11df
Instruction Fuzzy Hash: 60618375E00219EFDB18DF94C891EAEB7B5EF08710F10406AFA16AB392D774AE44CB54

Function 006E2957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 006E2968
GlobalMemoryStatusEx.KERNEL32(?), ref: 006E2981

Strings

@, xrefs: 006E2975

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 641e67297e50108a4c7d9cd733a3b386f07bef42b8cba7ef2e2ef5a7b2c3ee6e
Instruction ID: 054f455f082009c4365bcabf3ca57c76184d825d353f7a3d1ff2302013edeb12
Opcode Fuzzy Hash: 641e67297e50108a4c7d9cd733a3b386f07bef42b8cba7ef2e2ef5a7b2c3ee6e
Instruction Fuzzy Hash: 165148718187449FD360EF10D886BAFBBF8FB85344F41885DF2D8811A1DB709569CB6A

Function 00739734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 006D4F0B: __fread_nolock.LIBCMT ref: 006D4F29

_wcscmp.LIBCMT ref: 00739824
_wcscmp.LIBCMT ref: 00739837

Strings

FILE, xrefs: 00739770

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: db6ecfe243dd73b8bc64c78d9c1d194d1c1ee6685fd1ca475bb3e7349cfaf236
Instruction ID: c97ca87ee154f1aa69edf09081208ca43bd86d1ccef091fce73112a984fb5706
Opcode Fuzzy Hash: db6ecfe243dd73b8bc64c78d9c1d194d1c1ee6685fd1ca475bb3e7349cfaf236
Instruction Fuzzy Hash: A041A771A00219BBEF209BA1CC45FEFB7BADF85710F00046AFA04E7291DA75AD048B65

Function 0074258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0074259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 007425D4

Strings

|, xrefs: 007425A5

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 1c3cd8da29951a0c5a7dff332bd37ba0c1de091f560d9b809c36a89c64825828
Instruction ID: d3df832fc27689b1edb493ae53e7c7c42600dd733a77bab7a86fee3a6fd84f2c
Opcode Fuzzy Hash: 1c3cd8da29951a0c5a7dff332bd37ba0c1de091f560d9b809c36a89c64825828
Instruction Fuzzy Hash: 06313471C00119EBCF41AFA0CC89EEEBFB9FF08300F10006AF914A6262EB355916DB61

Function 00757A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00757B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00757B76

Strings

', xrefs: 00757ACA

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 0fb4eb2cef33eab988540965ae445998fe33063cac3dc866288ea59964507d74
Instruction ID: 39a4c4331bf516c3c8152e9eee23e01cb74fc7c2a081d8e28bed2a033a5e3d91
Opcode Fuzzy Hash: 0fb4eb2cef33eab988540965ae445998fe33063cac3dc866288ea59964507d74
Instruction Fuzzy Hash: E8410874A0530A9FDB14CF69D981BDABBB5FB08301F10416AED04AB351D774AA55CF90

Function 00756A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00756B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00756B53

Strings

static, xrefs: 00756AB3

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 09fa555e559862d57b09932f39eabb111138965b3d70d9a4bfdb2165cfbe1e3d
Instruction ID: ef337a24a0053dac6e991b112e4aaaee39f3818b472c0f3b72d5e3a6b043834d
Opcode Fuzzy Hash: 09fa555e559862d57b09932f39eabb111138965b3d70d9a4bfdb2165cfbe1e3d
Instruction Fuzzy Hash: 63319EB1200604AEDB109F64CC80BFB77A9FF48761F50861AFDA5D7190DBB8AC95CB64

Function 007328A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00732911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0073294C

Strings

0, xrefs: 0073290A

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 55b86736ffd57a660cf14a3a9e68273b1e2c50290faade19bf93eaf3c562155b
Instruction ID: 8946f66c350f0991494aa23e699be752c7663e471a02ca113bef872621bff81e
Opcode Fuzzy Hash: 55b86736ffd57a660cf14a3a9e68273b1e2c50290faade19bf93eaf3c562155b
Instruction Fuzzy Hash: 1E31E131A00309EFFB25CF48C885BAEBBB9EF05350F144029E981B61A3D778A942CB51

Function 007566D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00756761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0075676C

Strings

Combobox, xrefs: 0075672E

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 2c2b800a026052952c28baf9afa03009ad11a6217c63560a076cfc9ff09e984c
Instruction ID: 2bd3064757cc6de3b31b83ae49c7dcdbb96fabfffe81001b8bcba3fa3b3cf25d
Opcode Fuzzy Hash: 2c2b800a026052952c28baf9afa03009ad11a6217c63560a076cfc9ff09e984c
Instruction Fuzzy Hash: D611B2B5200208AFEF259F54CC80EFB376AEB48369F504629FD1497290D6B99C5587A0

Function 00756C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 006D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 006D1D73
Part of subcall function 006D1D35: GetStockObject.GDI32(00000011), ref: 006D1D87
Part of subcall function 006D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 006D1D91

GetWindowRect.USER32(00000000,?), ref: 00756C71
GetSysColor.USER32(00000012), ref: 00756C8B

Strings

static, xrefs: 00756C4E

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 5d729a07f6c5ebc28f7c6c9bc574ecfd7ace3b275f233d39ec5dcca5a6e494e3
Instruction ID: 6a6c74c7573af736887e88dd7994942ed47e59ad918faec468fd3af29c7bb092
Opcode Fuzzy Hash: 5d729a07f6c5ebc28f7c6c9bc574ecfd7ace3b275f233d39ec5dcca5a6e494e3
Instruction Fuzzy Hash: C021F972510209AFDF04DFA8CC45AFA7BA9FB08315F004629FD95D3250E779E865DB60

Function 00756920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 007569A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007569B1

Strings

edit, xrefs: 00756986

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 23c91739ecd82adb9ad73b25d0a825d5a7ab66dda236e85ed2b4497940ec5a00
Instruction ID: 5da43403528b982ea40f5d2b5ef83213eeb488ef1be25f966785865773d7d4e4
Opcode Fuzzy Hash: 23c91739ecd82adb9ad73b25d0a825d5a7ab66dda236e85ed2b4497940ec5a00
Instruction Fuzzy Hash: 8B118F71500208ABEF108E64DC44AEB37A9EF05376F904728FDA5971E0C7B9EC599B60

Function 007329AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00732A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00732A41

Strings

0, xrefs: 00732A18

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: f63ad655a94dd043af67ec287a9a701007ff6a65a6ba61fc25c2bca6638de5d9
Instruction ID: ef6ee997f0e23448ac18856d3ba3988f022cbbff6a25beca2c4edd024561c99c
Opcode Fuzzy Hash: f63ad655a94dd043af67ec287a9a701007ff6a65a6ba61fc25c2bca6638de5d9
Instruction Fuzzy Hash: 7911B672901124ABEF31DF58DC44BAA77B8AB45310F24C022ED95E72A3D778AD07C795

Function 007421D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0074222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00742255

Strings

<local>, xrefs: 0074221D

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: da7e7751fbc466da6a198cc52e863f8283121d4660a24e241c1a7a3b7c5bb567
Instruction ID: f6401c8c19c0cc0868a7c60b6f1731382843ea8d255bc3715f98112ad879e11c
Opcode Fuzzy Hash: da7e7751fbc466da6a198cc52e863f8283121d4660a24e241c1a7a3b7c5bb567
Instruction Fuzzy Hash: 09110270541225FBDB248F118C84FFBFBA8FF0A351F91822AFA0586001D3B859A2D6F0

Function 00728E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006D7DE1: _memmove.LIBCMT ref: 006D7E22

Part of subcall function 0072AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0072AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00728E73

Strings

ComboBox, xrefs: 00728E12
ListBox, xrefs: 00728E3D

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 2f3bd0d0c33b26f3dd3b5b18b6f0bb9f448a5bb17eee03db09b60dd237301645
Instruction ID: bab4b9032ea62d054f1503234bc2bc40475a187589b4353bd512856384d441d8
Opcode Fuzzy Hash: 2f3bd0d0c33b26f3dd3b5b18b6f0bb9f448a5bb17eee03db09b60dd237301645
Instruction Fuzzy Hash: 8E01F5B1A42229AB8B54EBA4CC55CFE736AEF01320B10061AF872573E1EE395808C651

Function 00728CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006D7DE1: _memmove.LIBCMT ref: 006D7E22

Part of subcall function 0072AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0072AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00728D6B

Strings

ComboBox, xrefs: 00728D0A
ListBox, xrefs: 00728D35

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 4a48788333d52a6268c53fbb7d38e9ae473a006be33ad635713d4cd8fc3e026b
Instruction ID: ed2167f279462b229b05a8d3346d5f5ab4ab3964f4f1d3dce8469f7d16611418
Opcode Fuzzy Hash: 4a48788333d52a6268c53fbb7d38e9ae473a006be33ad635713d4cd8fc3e026b
Instruction Fuzzy Hash: 9801F7B1B41119BBDB14EBA0DD56EFF73A9DF15300F10001AB802672D1DE295E0CD676

Function 00728D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006D7DE1: _memmove.LIBCMT ref: 006D7E22

Part of subcall function 0072AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0072AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00728DEE

Strings

ComboBox, xrefs: 00728D8F
ListBox, xrefs: 00728DBA

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 3cb122687204ff1a3c57e7bdd86b017bc08bec4de973dda4c87b1aebf56b351f
Instruction ID: 39f6565f4cac0603169c48ab560ea519d4329114205e583fc50473048b981953
Opcode Fuzzy Hash: 3cb122687204ff1a3c57e7bdd86b017bc08bec4de973dda4c87b1aebf56b351f
Instruction Fuzzy Hash: B001F7B1B41119B7DB14E6A4D956EFE73A9DF15300F10401AB802A3292DE294E0CD276

Function 006F6B71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 006F6B93
__calloc_crt.LIBCMT ref: 006F6BAC

Strings

@By, xrefs: 006F6BC3

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: __calloc_crt
String ID: @By
API String ID: 3494438863-1682813133
Opcode ID: f277f86c25ad44e0eb1091a2003b3e25c8f0a06bffa6ab5c66a43c6be1ca4f27
Instruction ID: e28b5f13051c658538f8953a06761ff2cb84c6e499ea58ee08e5d884e01a6032
Opcode Fuzzy Hash: f277f86c25ad44e0eb1091a2003b3e25c8f0a06bffa6ab5c66a43c6be1ca4f27
Instruction Fuzzy Hash: 85F068B124862A8BF7659F65FC51BB62796F711730B60442BF701CF290EB78885247D8

Function 00734F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00734F46
_wcscmp.LIBCMT ref: 00734F58

Strings

#32770, xrefs: 00734F52

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 6f439fc99513293dd9eecafa6906bfb487cf0d5179d4d00a1c7647b9628597ab
Instruction ID: 8f72811a5882ddaa15e41918aeb47072ca134aef9688f0f4f15fa143014c1209
Opcode Fuzzy Hash: 6f439fc99513293dd9eecafa6906bfb487cf0d5179d4d00a1c7647b9628597ab
Instruction Fuzzy Hash: 18E02272A002282AE320AA99EC09BA7F7ACEB85B20F01002BFD00D2041D964AA1187E4

Function 0070B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0070B314: _memset.LIBCMT ref: 0070B321

Part of subcall function 006F0940: InitializeCriticalSectionAndSpinCount.KERNEL32(00794158,00000000,00794144,0070B2F0,?,?,?,006D100A), ref: 006F0945

IsDebuggerPresent.KERNEL32(?,?,?,006D100A), ref: 0070B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,006D100A), ref: 0070B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0070B2FE

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 85604f11870840b0917d432ad431b913261fb078966fdaccdc5647736ce87f0b
Instruction ID: 5799b5969a766ce0b5671cfe60a756edc6e190530900bbd3ef3dc8c22bac046b
Opcode Fuzzy Hash: 85604f11870840b0917d432ad431b913261fb078966fdaccdc5647736ce87f0b
Instruction Fuzzy Hash: 83E039B0600710CAEB209F28D808346BAE4FF00354F10CA6DE456C7782E7F89545CBA1

Function 00711935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00711775

Part of subcall function 0074BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0071195E,?), ref: 0074BFFE
Part of subcall function 0074BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0074C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0071196D

Strings

WIN_XPe, xrefs: 00711788

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: d5fb7b121b4051a6101a9007c61461cfc87e15506c6caafadb6a08a19669ed8d
Instruction ID: 5875cb344500b063689de2d593f4cd13375eb91f105c96287f9ac0947ca9880f
Opcode Fuzzy Hash: d5fb7b121b4051a6101a9007c61461cfc87e15506c6caafadb6a08a19669ed8d
Instruction Fuzzy Hash: 12F0ED7080014DDFDB15DBA5C988AECBBF8BB08301F940096E202A72E0D7799F85DF65

Function 006F9B79 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 006F9B94

Part of subcall function 006F9C0B: __mtinitlocknum.LIBCMT ref: 006F9C1D
Part of subcall function 006F9C0B: RtlEnterCriticalSection.NTDLL(00000000), ref: 006F9C36

__updatetlocinfoEx_nolock.LIBCMT ref: 006F9BA4

Part of subcall function 006F9100: ___addlocaleref.LIBCMT ref: 006F911C
Part of subcall function 006F9100: ___removelocaleref.LIBCMT ref: 006F9127
Part of subcall function 006F9100: ___freetlocinfo.LIBCMT ref: 006F913B

Strings

8x, xrefs: 006F9B8A, 006F9B9F, 006F9BAB

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
String ID: 8x
API String ID: 547918592-416859618
Opcode ID: a3b638f59437eaf54551ffc76f500c01d3addc977f82541df94e32191ea3c4a3
Instruction ID: f8a8a4284732ad8f04f239192fb6f894c455f40de5cedc0c60d4219fbee85bab
Opcode Fuzzy Hash: a3b638f59437eaf54551ffc76f500c01d3addc977f82541df94e32191ea3c4a3
Instruction Fuzzy Hash: 92E086F19C330CA9EB90FBA46907F692AA15B00731F20519EF255561D5CEB80400872F

Function 00755964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0075596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00755981

Part of subcall function 00735244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007352BC

Strings

Shell_TrayWnd, xrefs: 00755967

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: c3c53cb74b0f7117c82af53c47fe4570b9a4b6964c28646ad6b1309a82756a36
Instruction ID: 2a049a8a38973727710901bcad853195e08370f174b3d886c992c284fd535180
Opcode Fuzzy Hash: c3c53cb74b0f7117c82af53c47fe4570b9a4b6964c28646ad6b1309a82756a36
Instruction Fuzzy Hash: FFD0C9753C4311B7E6A4BB709C0FFD76A14BB00B51F004869F349AB1D1D9E89810C658

Function 00755998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007559AE
PostMessageW.USER32(00000000), ref: 007559B5

Part of subcall function 00735244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007352BC

Strings

Shell_TrayWnd, xrefs: 007559A7

Memory Dump Source

Source File: 00000000.00000002.1686672306.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1686660031.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.0000000000784000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000078E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.000000000079D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686672306.00000000007E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686792314.00000000007E7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1686804628.00000000007E8000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_987656789009800.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 252fdbc77634718c17fe930b6b6082b6923dde7a4e1d50a472d39a981f8212e7
Instruction ID: 1792a526e2bad445ff86fbe1df36c36b82502c0e6d76a38be3e5bdfabbf15f20
Opcode Fuzzy Hash: 252fdbc77634718c17fe930b6b6082b6923dde7a4e1d50a472d39a981f8212e7
Instruction Fuzzy Hash: 8AD0C9713C0311BBE6A4BB709C0FFD76614BB04B51F004869F345AB1D1D9E8A810C658

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 987656789009800.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut4F42.tmp

C:\Users\user\AppData\Local\Temp\aut5899.tmp

C:\Users\user\AppData\Local\Temp\aut8C5B.tmp

C:\Users\user\AppData\Local\Temp\cerecloths

C:\Users\user\AppData\Local\interseminating\tapestrylike.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tapestrylike.vbs

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
987656789009800.exe

Function 006D3B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 006D3633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
timewindowregistryCOMMON

Function 006D49A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 006D4E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00739155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 006D708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 006D3A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 006D3766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 006D301C Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 73
registrywindowclipboardCOMMON

Function 006D3041 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 54
registrywindowclipboardCOMMON

Function 01204EF0 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre