Edit tour

Windows Analysis Report
SoftWare(1).exe

Overview

General Information

Sample name:	SoftWare(1).exe
Analysis ID:	1581505
MD5:	8e7a36f81e75c2d3867657fe3fe09206
SHA1:	64d91ff851907825620a24e77bb7c1ddf9e84c4d
SHA256:	06eee6980c796d8b091a20d06bc1d77bff77601622ac0cd9721dd1b4aefc0f33
Tags:	AutoITexeLummaStealersigneduser-ventoy
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Drops PE files with a suspicious file extension

Found API chain indicative of sandbox detection

LummaC encrypted strings found

Sample uses string decryption to hide its real strings

Tries to resolve many domain names, but no domain seems valid

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Potential key logger detected (key state polling based)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SoftWare(1).exe (PID: 7356 cmdline: "C:\Users\user\Desktop\SoftWare(1).exe" MD5: 8E7A36F81E75C2D3867657FE3FE09206)

cmd.exe (PID: 7444 cmdline: "C:\Windows\System32\cmd.exe" /c move Representation Representation.cmd & Representation.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7524 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7532 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 7568 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7576 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7612 cmdline: cmd /c md 250478 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

extrac32.exe (PID: 7628 cmdline: extrac32 /Y /E Katrina MD5: 9472AAB6390E4F1431BAA912FCFF9707)

findstr.exe (PID: 7644 cmdline: findstr /V "JIM" Accepting MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7660 cmdline: cmd /c copy /b ..\Marco + ..\Dodge + ..\Loops + ..\Conclude + ..\Hydraulic + ..\Concern m MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Epson.com (PID: 7676 cmdline: Epson.com m MD5: 62D09F076E6E0240548C2F837536A46A)

choice.exe (PID: 7692 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["talkynicer.lat", "wordyfindy.lat", "enterwahsh.biz", "curverpluch.lat", "tentabatte.lat", "manyrestro.lat", "slipperyloo.lat", "bashfulacid.lat", "shapestickyr.lat"], "Build id": "HpOoIh--b701621bcd05"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Representation Representation.cmd & Representation.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7444, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 7576, ProcessName: findstr.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T22:57:35.008570+0100	2028371	3	Unknown Traffic	192.168.2.5	49752	104.102.49.254	443	TCP
2024-12-27T22:57:37.475591+0100	2028371	3	Unknown Traffic	192.168.2.5	49758	104.21.66.86	443	TCP
2024-12-27T22:57:38.838882+0100	2028371	3	Unknown Traffic	192.168.2.5	49764	104.21.66.86	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T22:57:38.254781+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49758	104.21.66.86	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T22:57:38.254781+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49758	104.21.66.86	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T22:57:33.072450+0100	2058480	1	Domain Observed Used for C2 Detected	192.168.2.5	61190	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T22:57:32.456891+0100	2058484	1	Domain Observed Used for C2 Detected	192.168.2.5	51301	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T22:57:31.612658+0100	2058492	1	Domain Observed Used for C2 Detected	192.168.2.5	52655	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T22:57:31.923517+0100	2058500	1	Domain Observed Used for C2 Detected	192.168.2.5	53398	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T22:57:31.291898+0100	2058502	1	Domain Observed Used for C2 Detected	192.168.2.5	51907	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T22:57:32.234745+0100	2058510	1	Domain Observed Used for C2 Detected	192.168.2.5	53759	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T22:57:32.765384+0100	2058512	1	Domain Observed Used for C2 Detected	192.168.2.5	52582	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T22:57:31.067723+0100	2058514	1	Domain Observed Used for C2 Detected	192.168.2.5	65470	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T22:57:35.771895+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.5	49752	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://manyrestro.lat:443/api4	Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com:443/apiE	Avira URL Cloud: Label: malware
Source: https://talkynicer.lat/api	Avira URL Cloud: Label: malware
Source: https://talkynicer.lat:443/api	Avira URL Cloud: Label: malware
Source: https://slipperyloo.lat:443/api	Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com:443/api(D	Avira URL Cloud: Label: malware
Source: https://shapestickyr.lat:443/api	Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/api=	Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/pis	Avira URL Cloud: Label: malware
Source: https://wordyfindy.lat:443/apiv	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000C.00000003.2379363712.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["talkynicer.lat", "wordyfindy.lat", "enterwahsh.biz", "curverpluch.lat", "tentabatte.lat", "manyrestro.lat", "slipperyloo.lat", "bashfulacid.lat", "shapestickyr.lat"], "Build id": "HpOoIh--b701621bcd05"}

Multi AV Scanner detection for submitted file

Source: SoftWare(1).exe

ReversingLabs: Detection: 23%

Sample uses string decryption to hide its real strings

Source: 0000000C.00000003.2379363712.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp	String decryptor: bashfulacid.lat
Source: 0000000C.00000003.2379363712.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp	String decryptor: tentabatte.lat
Source: 0000000C.00000003.2379363712.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp	String decryptor: curverpluch.lat
Source: 0000000C.00000003.2379363712.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp	String decryptor: talkynicer.lat
Source: 0000000C.00000003.2379363712.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp	String decryptor: shapestickyr.lat
Source: 0000000C.00000003.2379363712.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp	String decryptor: manyrestro.lat
Source: 0000000C.00000003.2379363712.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp	String decryptor: slipperyloo.lat
Source: 0000000C.00000003.2379363712.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp	String decryptor: wordyfindy.lat
Source: 0000000C.00000003.2379363712.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp	String decryptor: enterwahsh.biz
Source: 0000000C.00000003.2379363712.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000C.00000003.2379363712.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 0000000C.00000003.2379363712.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 0000000C.00000003.2379363712.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 0000000C.00000003.2379363712.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 0000000C.00000003.2379363712.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp	String decryptor: HpOoIh--b701621bcd05

Source: SoftWare(1).exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.5:49758 version: TLS 1.2

Source: SoftWare(1).exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_00406301 FindFirstFileW,FindClose,	0_2_00406301
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00FBDC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	12_2_00FBDC54
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00FCA087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	12_2_00FCA087
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00FCA1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	12_2_00FCA1E2
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00FBE472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	12_2_00FBE472
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00FCA570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	12_2_00FCA570
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00FC66DC FindFirstFileW,FindNextFileW,FindClose,	12_2_00FC66DC
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00F8C622 FindFirstFileExW,	12_2_00F8C622
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00FC73D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	12_2_00FC73D4
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00FC7333 FindFirstFileW,FindClose,	12_2_00FC7333
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00FBD921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	12_2_00FBD921

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\250478\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\250478	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058502 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat) : 192.168.2.5:51907 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058500 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat) : 192.168.2.5:53398 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058492 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat) : 192.168.2.5:52655 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058512 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat) : 192.168.2.5:52582 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058484 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat) : 192.168.2.5:51301 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058510 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat) : 192.168.2.5:53759 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058480 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat) : 192.168.2.5:61190 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058514 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat) : 192.168.2.5:65470 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:49752 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49758 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49758 -> 104.21.66.86:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: talkynicer.lat
Source: Malware configuration extractor	URLs: wordyfindy.lat
Source: Malware configuration extractor	URLs: enterwahsh.biz
Source: Malware configuration extractor	URLs: curverpluch.lat
Source: Malware configuration extractor	URLs: tentabatte.lat
Source: Malware configuration extractor	URLs: manyrestro.lat
Source: Malware configuration extractor	URLs: slipperyloo.lat
Source: Malware configuration extractor	URLs: bashfulacid.lat
Source: Malware configuration extractor	URLs: shapestickyr.lat

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: curverpluch.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: manyrestro.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: enterwahsh.biz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: talkynicer.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: DCNQHRSCEtLFmnzgofyjcgCPFn.DCNQHRSCEtLFmnzgofyjcgCPFn replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: slipperyloo.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tentabatte.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: shapestickyr.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bashfulacid.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wordyfindy.lat replaycode: Name error (3)

Source: Joe Sandbox View	IP Address: 104.21.66.86 104.21.66.86
Source: Joe Sandbox View	IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49752 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49764 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49758 -> 104.21.66.86:443

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com

Code function: 12_2_00FCD889 InternetReadFile,SetEvent,GetLastError,SetEvent,

12_2_00FCD889

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=1027947316a0eccdb173bbe6; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type35121Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveFri, 27 Dec 2024 21:57:35 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: stly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: DCNQHRSCEtLFmnzgofyjcgCPFn.DCNQHRSCEtLFmnzgofyjcgCPFn
Source: global traffic	DNS traffic detected: DNS query: enterwahsh.biz
Source: global traffic	DNS traffic detected: DNS query: wordyfindy.lat
Source: global traffic	DNS traffic detected: DNS query: slipperyloo.lat
Source: global traffic	DNS traffic detected: DNS query: manyrestro.lat
Source: global traffic	DNS traffic detected: DNS query: shapestickyr.lat
Source: global traffic	DNS traffic detected: DNS query: talkynicer.lat
Source: global traffic	DNS traffic detected: DNS query: curverpluch.lat
Source: global traffic	DNS traffic detected: DNS query: tentabatte.lat
Source: global traffic	DNS traffic detected: DNS query: bashfulacid.lat
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: lev-tolstoi.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com

Source: Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: Epson.com, 0000000C.00000003.2383733411.000000000404B000.00000004.00000800.00020000.00000000.sdmp, SoftWare(1).exe, Timer.9.dr, Epson.com.2.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: SoftWare(1).exe	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: Epson.com, 0000000C.00000003.2383733411.000000000404B000.00000004.00000800.00020000.00000000.sdmp, Timer.9.dr, Epson.com.2.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: SoftWare(1).exe	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: Epson.com, 0000000C.00000003.2383733411.000000000404B000.00000004.00000800.00020000.00000000.sdmp, SoftWare(1).exe, Timer.9.dr, Epson.com.2.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Epson.com, 0000000C.00000003.2383733411.000000000404B000.00000004.00000800.00020000.00000000.sdmp, Timer.9.dr, Epson.com.2.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Epson.com, 0000000C.00000003.2383733411.000000000404B000.00000004.00000800.00020000.00000000.sdmp, SoftWare(1).exe, Timer.9.dr, Epson.com.2.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: SoftWare(1).exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Epson.com, 0000000C.00000003.2383733411.000000000404B000.00000004.00000800.00020000.00000000.sdmp, SoftWare(1).exe, Timer.9.dr, Epson.com.2.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: SoftWare(1).exe	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: SoftWare(1).exe	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: SoftWare(1).exe	String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: Epson.com, 0000000C.00000003.2383733411.000000000404B000.00000004.00000800.00020000.00000000.sdmp, Timer.9.dr, Epson.com.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Epson.com, 0000000C.00000003.2383733411.000000000404B000.00000004.00000800.00020000.00000000.sdmp, Timer.9.dr, Epson.com.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Epson.com, 0000000C.00000003.2383733411.000000000404B000.00000004.00000800.00020000.00000000.sdmp, SoftWare(1).exe, Timer.9.dr, Epson.com.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: SoftWare(1).exe	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: Epson.com, 0000000C.00000003.2383733411.000000000404B000.00000004.00000800.00020000.00000000.sdmp, Timer.9.dr, Epson.com.2.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: SoftWare(1).exe	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: Epson.com, 0000000C.00000003.2383733411.000000000404B000.00000004.00000800.00020000.00000000.sdmp, SoftWare(1).exe, Timer.9.dr, Epson.com.2.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: SoftWare(1).exe	String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: Epson.com, 0000000C.00000002.2468469849.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: Epson.com, 0000000C.00000002.2468469849.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: Epson.com, 0000000C.00000002.2468469849.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Epson.com, 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmp, Epson.com, 0000000C.00000003.2383733411.000000000404B000.00000004.00000800.00020000.00000000.sdmp, Classifieds.9.dr, Epson.com.2.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: Epson.com, 0000000C.00000002.2468469849.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: Epson.com, 0000000C.00000002.2468469849.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: Epson.com, 0000000C.00000002.2468469849.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: Epson.com, 0000000C.00000002.2468469849.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: Epson.com, 0000000C.00000002.2468469849.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
Source: Epson.com, 0000000C.00000002.2468469849.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=oOCAGrkRfpQ6&l=e
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: Epson.com, 0000000C.00000002.2468098452.0000000003903000.00000004.00000800.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/
Source: Epson.com, 0000000C.00000002.2468469849.0000000003A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/api
Source: Epson.com, 0000000C.00000002.2468098452.0000000003903000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/api=
Source: Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/pik
Source: Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/pis
Source: Epson.com, 0000000C.00000002.2467784156.00000000014B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com:443/api(D
Source: Epson.com, 0000000C.00000002.2467784156.00000000014B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com:443/apiE
Source: Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: Epson.com, 0000000C.00000002.2467784156.00000000014B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://manyrestro.lat:443/api4
Source: Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: Epson.com, 0000000C.00000002.2467784156.00000000014B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shapestickyr.lat:443/api
Source: Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: Epson.com, 0000000C.00000002.2467784156.00000000014B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://slipperyloo.lat:443/api
Source: Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: Epson.com, 0000000C.00000002.2468469849.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: Epson.com, 0000000C.00000002.2468098452.0000000003903000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: Epson.com, 0000000C.00000002.2468469849.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: Epson.com, 0000000C.00000002.2468469849.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: Epson.com, 0000000C.00000002.2467784156.00000000014B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: Epson.com, 0000000C.00000002.2468469849.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: Epson.com, 0000000C.00000002.2468098452.0000000003912000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://talkynicer.lat/api
Source: Epson.com, 0000000C.00000002.2467784156.00000000014B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://talkynicer.lat:443/api
Source: Epson.com, 0000000C.00000002.2467784156.00000000014B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tentabatte.lat:443/api
Source: Epson.com, 0000000C.00000002.2467784156.00000000014B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wordyfindy.lat:443/apiv
Source: Epson.com, 0000000C.00000003.2383733411.000000000404B000.00000004.00000800.00020000.00000000.sdmp, Timer.9.dr, Epson.com.2.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Epson.com.2.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.5:49758 version: TLS 1.2

Source: C:\Users\user\Desktop\SoftWare(1).exe

Code function: 0_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004050F9

Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com

Code function: 12_2_00FCF7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

12_2_00FCF7C7

Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com

Code function: 12_2_00FCF55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

12_2_00FCF55C

Source: C:\Users\user\Desktop\SoftWare(1).exe

Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004044D1

Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com

Code function: 12_2_00FE9FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

12_2_00FE9FD2

Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com

Code function: 12_2_00F6FFE0 CloseHandle,NtProtectVirtualMemory,

12_2_00F6FFE0

Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com

Code function: 12_2_00FC4763: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

12_2_00FC4763

Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com

Code function: 12_2_00FB1B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

12_2_00FB1B4D

Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,		0_2_004038AF
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00FBF20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		12_2_00FBF20D

Source: C:\Users\user\Desktop\SoftWare(1).exe	File created: C:\Windows\PalmDiet	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	File created: C:\Windows\WebTi	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	File created: C:\Windows\BarsBoutique	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	File created: C:\Windows\CeramicD	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	File created: C:\Windows\TheseVery	Jump to behavior

Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_0040737E	0_2_0040737E
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_00406EFE	0_2_00406EFE
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_004079A2	0_2_004079A2
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_004049A8	0_2_004049A8
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00F78017	12_2_00F78017
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00F5E1F0	12_2_00F5E1F0
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00F6E144	12_2_00F6E144
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00F722A2	12_2_00F722A2
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00F522AD	12_2_00F522AD
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00F8A26E	12_2_00F8A26E
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00F6C624	12_2_00F6C624
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00FDC8A4	12_2_00FDC8A4
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00F8E87F	12_2_00F8E87F
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00F86ADE	12_2_00F86ADE
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00FC2A05	12_2_00FC2A05
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00FB8BFF	12_2_00FB8BFF
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00F6CD7A	12_2_00F6CD7A
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00F7CE10	12_2_00F7CE10
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00F87159	12_2_00F87159
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00F59240	12_2_00F59240
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00FE5311	12_2_00FE5311
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00F596E0	12_2_00F596E0
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00F71704	12_2_00F71704
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00F71A76	12_2_00F71A76
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00F77B8B	12_2_00F77B8B
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00F59B60	12_2_00F59B60
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00F77DBA	12_2_00F77DBA
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00F71D20	12_2_00F71D20
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00F71FE7	12_2_00F71FE7

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\250478\Epson.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49

Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: String function: 004062CF appears 58 times
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: String function: 00F6FD52 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: String function: 00F70DA0 appears 46 times

Source: SoftWare(1).exe

Static PE information: invalid certificate

Source: SoftWare(1).exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@24/22@12/2

Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com

Code function: 12_2_00FC41FA GetLastError,FormatMessageW,

12_2_00FC41FA

Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00FB2010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		12_2_00FB2010
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00FB1A0B AdjustTokenPrivileges,CloseHandle,		12_2_00FB1A0B

Source: C:\Users\user\Desktop\SoftWare(1).exe

0_2_004044D1

Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com

Code function: 12_2_00FBDD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

12_2_00FBDD87

Source: C:\Users\user\Desktop\SoftWare(1).exe

Code function: 0_2_004024FB CoCreateInstance,

0_2_004024FB

Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com

Code function: 12_2_00FC3A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

12_2_00FC3A0E

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7452:120:WilError_03

Source: C:\Users\user\Desktop\SoftWare(1).exe

File created: C:\Users\user\AppData\Local\Temp\nsfF553.tmp

Jump to behavior

Source: SoftWare(1).exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\SoftWare(1).exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SoftWare(1).exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SoftWare(1).exe

ReversingLabs: Detection: 23%

Source: C:\Users\user\Desktop\SoftWare(1).exe

File read: C:\Users\user\Desktop\SoftWare(1).exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SoftWare(1).exe "C:\Users\user\Desktop\SoftWare(1).exe"
Source: C:\Users\user\Desktop\SoftWare(1).exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Representation Representation.cmd & Representation.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 250478
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Katrina
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "JIM" Accepting
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Marco + ..\Dodge + ..\Loops + ..\Conclude + ..\Hydraulic + ..\Concern m
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\250478\Epson.com Epson.com m
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\Desktop\SoftWare(1).exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Representation Representation.cmd & Representation.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 250478	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Katrina	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "JIM" Accepting	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Marco + ..\Dodge + ..\Loops + ..\Conclude + ..\Hydraulic + ..\Concern m	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\250478\Epson.com Epson.com m	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\SoftWare(1).exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SoftWare(1).exe

Static file information: File size 1229340 > 1048576

Source: SoftWare(1).exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SoftWare(1).exe

Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406328

Source: SoftWare(1).exe

Static PE information: real checksum: 0x1329c9 should be: 0x131d9f

Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com

Code function: 12_2_00F70DE6 push ecx; ret

12_2_00F70DF9

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\250478\Epson.com

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\250478\Epson.com

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00FE26DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		12_2_00FE26DD
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00F6FC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		12_2_00F6FC7C

Source: C:\Users\user\Desktop\SoftWare(1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_12-104851

Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com

API coverage: 3.7 %

Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com TID: 7996

Thread sleep time: -90000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_00406301 FindFirstFileW,FindClose,	0_2_00406301
Source: C:\Users\user\Desktop\SoftWare(1).exe	Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00FBDC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	12_2_00FBDC54
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00FCA087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	12_2_00FCA087
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00FCA1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	12_2_00FCA1E2
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00FBE472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	12_2_00FBE472
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00FCA570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	12_2_00FCA570
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00FC66DC FindFirstFileW,FindNextFileW,FindClose,	12_2_00FC66DC
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00F8C622 FindFirstFileExW,	12_2_00F8C622
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00FC73D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	12_2_00FC73D4
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00FC7333 FindFirstFileW,FindClose,	12_2_00FC7333
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00FBD921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	12_2_00FBD921

Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com

Code function: 12_2_00F55FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

12_2_00F55FC8

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\250478\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\250478	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior

Source: Epson.com, 0000000C.00000002.2467784156.0000000001506000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com

Code function: 12_2_00FCF4FF BlockInput,

12_2_00FCF4FF

Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com

Code function: 12_2_00F5338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

12_2_00F5338B

Source: C:\Users\user\Desktop\SoftWare(1).exe

Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406328

Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com

Code function: 12_2_00F75058 mov eax, dword ptr fs:[00000030h]

12_2_00F75058

Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com

Code function: 12_2_00FB20AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree,

12_2_00FB20AA

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00F82992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00F82992
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00F70BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00F70BAF
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00F70D45 SetUnhandledExceptionFilter,	12_2_00F70D45
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00F70F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_00F70F91

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: Epson.com, 0000000C.00000003.2379363712.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: bashfulacid.lat
Source: Epson.com, 0000000C.00000003.2379363712.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tentabatte.lat
Source: Epson.com, 0000000C.00000003.2379363712.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: curverpluch.lat
Source: Epson.com, 0000000C.00000003.2379363712.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: talkynicer.lat
Source: Epson.com, 0000000C.00000003.2379363712.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: shapestickyr.lat
Source: Epson.com, 0000000C.00000003.2379363712.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: manyrestro.lat
Source: Epson.com, 0000000C.00000003.2379363712.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: slipperyloo.lat
Source: Epson.com, 0000000C.00000003.2379363712.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: wordyfindy.lat
Source: Epson.com, 0000000C.00000003.2379363712.0000000003AC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: enterwahsh.biz

Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com

12_2_00FB1B4D

Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com

Code function: 12_2_00F5338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

12_2_00F5338B

Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com

Code function: 12_2_00FBBBED SendInput,keybd_event,

12_2_00FBBBED

Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com

Code function: 12_2_00FBECD0 mouse_event,

12_2_00FBECD0

Source: C:\Users\user\Desktop\SoftWare(1).exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Representation Representation.cmd & Representation.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 250478	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Katrina	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "JIM" Accepting	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Marco + ..\Dodge + ..\Loops + ..\Conclude + ..\Hydraulic + ..\Concern m	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\250478\Epson.com Epson.com m	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com

Code function: 12_2_00FB14AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

12_2_00FB14AE

Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com

Code function: 12_2_00FB1FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

12_2_00FB1FB0

Source: Epson.com, 0000000C.00000003.2383733411.000000000403D000.00000004.00000800.00020000.00000000.sdmp, Epson.com, 0000000C.00000000.2067509917.0000000001013000.00000002.00000001.01000000.00000007.sdmp, Classifieds.9.dr, Epson.com.2.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Epson.com	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com

Code function: 12_2_00F70A08 cpuid

12_2_00F70A08

Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com

Code function: 12_2_00FAE5F4 GetLocalTime,

12_2_00FAE5F4

Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com

Code function: 12_2_00FAE652 GetUserNameW,

12_2_00FAE652

Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com

Code function: 12_2_00F8BCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

12_2_00F8BCD2

Source: C:\Users\user\Desktop\SoftWare(1).exe

Code function: 0_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406831

Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Source: Epson.com	Binary or memory string: WIN_81
Source: Epson.com	Binary or memory string: WIN_XP
Source: Epson.com.2.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Epson.com	Binary or memory string: WIN_XPe
Source: Epson.com	Binary or memory string: WIN_VISTA
Source: Epson.com	Binary or memory string: WIN_7
Source: Epson.com	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00FD2263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		12_2_00FD2263
Source: C:\Users\user\AppData\Local\Temp\250478\Epson.com	Code function: 12_2_00FD1C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		12_2_00FD1C61

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	17 System Information Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	11 Masquerading	LSA Secrets	121 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Virtualization/Sandbox Evasion	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SoftWare(1).exe	24%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\250478\Epson.com	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Pack	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Spiritual	0%	ReversingLabs

Source	Detection	Scanner	Label
https://manyrestro.lat:443/api4	100%	Avira URL Cloud	malware
https://lev-tolstoi.com:443/apiE	100%	Avira URL Cloud	malware
https://talkynicer.lat/api	100%	Avira URL Cloud	malware
https://talkynicer.lat:443/api	100%	Avira URL Cloud	malware
https://slipperyloo.lat:443/api	100%	Avira URL Cloud	malware
https://lev-tolstoi.com:443/api(D	100%	Avira URL Cloud	malware
enterwahsh.biz	0%	Avira URL Cloud	safe
https://shapestickyr.lat:443/api	100%	Avira URL Cloud	malware
https://lev-tolstoi.com/api=	100%	Avira URL Cloud	malware
https://lev-tolstoi.com/pis	100%	Avira URL Cloud	malware
https://wordyfindy.lat:443/apiv	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	high
lev-tolstoi.com	104.21.66.86	true	false	high
enterwahsh.biz	unknown	unknown	true	unknown
wordyfindy.lat	unknown	unknown	false	high
slipperyloo.lat	unknown	unknown	false	high
curverpluch.lat	unknown	unknown	false	high
DCNQHRSCEtLFmnzgofyjcgCPFn.DCNQHRSCEtLFmnzgofyjcgCPFn	unknown	unknown	true	unknown
tentabatte.lat	unknown	unknown	false	high
manyrestro.lat	unknown	unknown	false	high
bashfulacid.lat	unknown	unknown	false	high
shapestickyr.lat	unknown	unknown	false	high
talkynicer.lat	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
slipperyloo.lat	false		high
https://steamcommunity.com/profiles/76561199724331900	false		high
https://lev-tolstoi.com/api	false		high
enterwahsh.biz	true	Avira URL Cloud: safe	unknown
curverpluch.lat	false		high
tentabatte.lat	false		high
manyrestro.lat	false		high
bashfulacid.lat	false		high
wordyfindy.lat	false		high
shapestickyr.lat	false		high
talkynicer.lat	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://player.vimeo.com	Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/?subsection=broadcasts	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/subscriber_agreement/	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.gstatic.cn/recaptcha/	Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.autoitscript.com/autoit3/	Epson.com, 0000000C.00000003.2383733411.000000000404B000.00000004.00000800.00020000.00000000.sdmp, Timer.9.dr, Epson.com.2.dr	false		high
http://www.valvesoftware.com/legal.htm	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com	Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com	Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	Epson.com, 0000000C.00000002.2468469849.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/	Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://talkynicer.lat/api	Epson.com, 0000000C.00000002.2468098452.0000000003912000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://manyrestro.lat:443/api4	Epson.com, 0000000C.00000002.2467784156.00000000014B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://s.ytimg.com;	Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi	Epson.com, 0000000C.00000002.2468469849.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	Epson.com, 0000000C.00000002.2468469849.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/	Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steam.tv/	Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/	Epson.com, 0000000C.00000002.2468098452.0000000003903000.00000004.00000800.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
http://store.steampowered.com/privacy_agreement/	Epson.com, 0000000C.00000002.2468469849.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com:443/apiE	Epson.com, 0000000C.00000002.2467784156.00000000014B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com:443/profiles/76561199724331900	Epson.com, 0000000C.00000002.2467784156.00000000014B2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/points/shop/	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/X	Epson.com, 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmp, Epson.com, 0000000C.00000003.2383733411.000000000404B000.00000004.00000800.00020000.00000000.sdmp, Classifieds.9.dr, Epson.com.2.dr	false		high
http://nsis.sf.net/NSIS_ErrorError	SoftWare(1).exe	false		high
https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sketchfab.com	Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lv.queniujq.cn	Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199724331900/inventory/	Epson.com, 0000000C.00000002.2468469849.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/	Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/privacy_agreement/	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://checkout.steampowered.com/	Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://shapestickyr.lat:443/api	Epson.com, 0000000C.00000002.2467784156.00000000014B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/;	Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/about/	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/my/wishlist/	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.steampowered.com/en/	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/market/	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/news/	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/subscriber_agreement/	Epson.com, 0000000C.00000002.2468469849.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	Epson.com, 0000000C.00000002.2468469849.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://recaptcha.net/recaptcha/;	Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/discussions/	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/stats/	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://talkynicer.lat:443/api	Epson.com, 0000000C.00000002.2467784156.00000000014B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://medal.tv	Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://broadcast.st.dl.eccdnx.com	Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/steam_refunds/	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a	Epson.com, 0000000C.00000002.2468469849.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://slipperyloo.lat:443/api	Epson.com, 0000000C.00000002.2467784156.00000000014B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://lev-tolstoi.com:443/api(D	Epson.com, 0000000C.00000002.2467784156.00000000014B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com/workshop/	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.steampowered.com/	Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb	Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/legal/	Epson.com, 0000000C.00000002.2468469849.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/api=	Epson.com, 0000000C.00000002.2468098452.0000000003903000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://tentabatte.lat:443/api	Epson.com, 0000000C.00000002.2467784156.00000000014B2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://recaptcha.net	Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/	Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=oOCAGrkRfpQ6&l=e	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://127.0.0.1:27060	Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false		high
https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	Epson.com, 0000000C.00000002.2468469849.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, Epson.com, 0000000C.00000002.2467880406.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/pis	Epson.com, 0000000C.00000002.2468061244.0000000003870000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://wordyfindy.lat:443/apiv	Epson.com, 0000000C.00000002.2467784156.00000000014B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.66.86	lev-tolstoi.com	United States		13335	CLOUDFLARENETUS	false
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581505
Start date and time:	2024-12-27 22:56:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SoftWare(1).exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@24/22@12/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 76 Number of non-executed functions: 298
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: SoftWare(1).exe

Simulations

Behavior and APIs

Time	Type	Description
16:56:54	API Interceptor	1x Sleep call for process: SoftWare(1).exe modified
16:56:59	API Interceptor	10x Sleep call for process: Epson.com modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.66.86	MV ROCKET_PDA.exe	Get hash	malicious	FormBook	Browse	www.ayushigangwar.com/nqn4/?CJBlp=0Brh6Vr8UbBX&T2MpwT=59bmqUDXor7TXV4b71NCQ0d0nCVif23i1yH5+9ZmJc5hgCU7y+ZN9z0btTsWzGv6OrGw
104.102.49.254	r4xiHKy8aM.exe	Get hash	malicious	Socks5Systemz	Browse	/ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
lev-tolstoi.com	ForcesLangi.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	Leside-.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	Vq50tK1Nx2.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	IzDjbVdHha.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	T4qO1i2Jav.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.157.254
	FXdg37pY22.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.66.86
	k0ukcEH.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	pVbAZEFIpI.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	GxX48twWHA.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	ERTL09tA59.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
steamcommunity.com	ForcesLangi.exe	Get hash	malicious	LummaC	Browse	92.122.104.90
	Leside-.exe	Get hash	malicious	LummaC	Browse	92.122.104.90
	Setup.exe	Get hash	malicious	Unknown	Browse	104.121.10.34
	Setup.exe	Get hash	malicious	Unknown	Browse	23.55.153.106
	Vq50tK1Nx2.exe	Get hash	malicious	LummaC	Browse	104.121.10.34
	IzDjbVdHha.exe	Get hash	malicious	LummaC	Browse	104.121.10.34
	T4qO1i2Jav.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
	FXdg37pY22.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
	FXdg37pY22.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
	k0ukcEH.exe	Get hash	malicious	LummaC	Browse	23.55.153.106

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	ForcesLangi.exe	Get hash	malicious	LummaC	Browse	92.122.104.90
	Leside-.exe	Get hash	malicious	LummaC	Browse	92.122.104.90
	Setup.exe	Get hash	malicious	Unknown	Browse	104.121.10.34
	Vq50tK1Nx2.exe	Get hash	malicious	LummaC	Browse	104.121.10.34
	IzDjbVdHha.exe	Get hash	malicious	LummaC	Browse	104.121.10.34
	JA7cOAGHym.exe	Get hash	malicious	Vidar	Browse	23.57.90.162
	grand-theft-auto-5-theme-1-installer_qb8W-j1.exe	Get hash	malicious	Unknown	Browse	95.100.135.104
	db0fa4b8db0333367e9bda3ab68b8042.m68k.elf	Get hash	malicious	Mirai, Gafgyt	Browse	104.73.204.126
	db0fa4b8db0333367e9bda3ab68b8042.spc.elf	Get hash	malicious	Mirai, Gafgyt	Browse	104.120.124.62
	pVbAZEFIpI.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
CLOUDFLARENETUS	SharcHack.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer	Browse	104.21.73.97
	NewSetup.exe	Get hash	malicious	LummaC	Browse	172.67.157.249
	ForcesLangi.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	iviewers.dll	Get hash	malicious	LummaC	Browse	104.21.60.24
	http://track.rbfcu.org/y.z?l=https://google.com/amp/s/t.ly/5SpZS&r=14387614172&d=18473&p=2&t=h	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	launcher.exe	Get hash	malicious	LummaC	Browse	104.21.58.80
	Leside-.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	solara-executor.exe	Get hash	malicious	Unknown	Browse	172.67.75.163
	Setup.exe	Get hash	malicious	Unknown	Browse	104.21.2.114
	Setup.exe	Get hash	malicious	Unknown	Browse	104.21.2.114

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	NewSetup.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 104.102.49.254
	ForcesLangi.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 104.102.49.254
	iviewers.dll	Get hash	malicious	LummaC	Browse	104.21.66.86 104.102.49.254
	launcher.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 104.102.49.254
	Leside-.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 104.102.49.254
	search.hta	Get hash	malicious	Unknown	Browse	104.21.66.86 104.102.49.254
	SET_UP.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 104.102.49.254
	!Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.66.86 104.102.49.254
	@Setup.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 104.102.49.254
	Full_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.66.86 104.102.49.254

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\250478\Epson.com	!Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	ZTM2pfyhu3.exe	Get hash	malicious	LummaC	Browse
	JA7cOAGHym.exe	Get hash	malicious	Vidar	Browse
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse
	FloydMounts.exe	Get hash	malicious	LummaC Stealer	Browse
	installer.bat	Get hash	malicious	Vidar	Browse
	skript.bat	Get hash	malicious	Vidar	Browse
	din.exe	Get hash	malicious	Vidar	Browse
	yoda.exe	Get hash	malicious	Vidar	Browse
	lem.exe	Get hash	malicious	Vidar	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\250478\Epson.com

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: !Setup.exe, Detection: malicious, Browse Filename: ZTM2pfyhu3.exe, Detection: malicious, Browse Filename: JA7cOAGHym.exe, Detection: malicious, Browse Filename: appFile.exe, Detection: malicious, Browse Filename: FloydMounts.exe, Detection: malicious, Browse Filename: installer.bat, Detection: malicious, Browse Filename: skript.bat, Detection: malicious, Browse Filename: din.exe, Detection: malicious, Browse Filename: yoda.exe, Detection: malicious, Browse Filename: lem.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\250478\m

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	zlib compressed data
Category:	dropped
Size (bytes):	462109
Entropy (8bit):	7.999653390321464
Encrypted:	true
SSDEEP:	12288:I9AZ3Qaz5x/r5LqWb9yxxFZ6+iIdeSns2eu+XPh3q:I96z5xz5mK9oE+JDs2e3q
MD5:	D366D9562DCDB865FC4355307051CC87
SHA1:	BAA25076DAF2CC47AEDBEE12068DF7070F509907
SHA-256:	F98D8AB941A9AFF246D77FCD89861AF04F25350498610CA211EF366228B71ACD
SHA-512:	D049DCB589A81D088D1A2A6B52950A36A03209E9E8DB2A5EBC704423B20B6D0FB6336AB688591BCFC44614D07162089D1B919B2F0B6B333ED9554FF1C76ED41E
Malicious:	false
Preview:	(..r<.A1....u..6...?..2.A.<+...z...HG7q..).FG.{.Z..-4.^.\|0\|..0..qb[..USH"3.HH.7...-..F.%.......I...% 4lFD..Q..46D......+.5.!=.j.}V0.#...:...4<gw..v..,.e.P.bK..z..fi..12#N......Z.]"`.P..x..\|../y<h....D...............p{.^.R./.L...4r.=....u,2._[.Xo.1.\:......P.:......aU.g.12...^Is.n^.+...W...I........[lz.M%..?....f.......v@..&.u.......r.0?l.%[Zf....3P.........!....y....,..F......w...^.h.;Fu`...T.9;Cm.v...<4.6.7E....d.Q.h.3....V.{..\.;=.e.+^I.l).Z.h..Y.h(..,.........<%....B...@.+...X.49..fT.........^.E."...X...q...t.%./.!."439...1....O....@.v..`.s..;.Q/.#G.\.iDJ;.Mw_.v....N.....d..c......Y.E;.G.B...]@.yRs..../..n).....o.E.N.".....Q.2...t_..]<..,..F.L..F-..dZ...!..........R....)EE>[Gn........{..lr..-.....F.&.n..^..I@K.MK.o..;l.... 7.iq[.z...`..A..9.+'...]Y..Zf..`]F4p.'.4..z.!..Y.k\X.6i.....8?O.#.q...V..;..8g4K.Q......\.9.P.f+.....Xg.......8.(..a.l..HCh.Yx:."ep.?.C...."...Iw.....#....A%....k2..i...L......].X.r\Lr.....\.......N..c...

C:\Users\user\AppData\Local\Temp\Academy

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	64512
Entropy (8bit):	6.617785423597807
Encrypted:	false
SSDEEP:	1536:7Ku2IwNnPEBiqXv+G/UXT6TvY464qvI932eOypvcLSDC:7ccBiqXvpgF4qv+32eOyKODC
MD5:	6CC7AE84FBF098F87BFC6369B817AF45
SHA1:	23A60B85F403742C640FA7EE989B6713D4A61C8D
SHA-256:	A9EBDAF3706990C9396E76C38957E51DDBA2A9B09D1FFAC5C73B1C346159D417
SHA-512:	76B75C6F47E3AD34B8E3C9BB37591026A46E9574712B1F1D0F9937C33555ABDCB3240DB48BAF3E34E3DC246BB5DEB133408EF6FB10BAD20A5A07CB7669F1B321
Malicious:	false
Preview:	P.u.W....h.....u(.s..u..u.W.u.......8..t.WP.{..._^[].U...TSVW.}.3.W.u..]..u..]..........E......Y...;G...P....u..>csm........~.........~. ...t..~.!...t..~.".........9^........:...9X........,....p..$....E...@..E.........>csm.u*.~..u$.~. ...t..~.!...t..~."...u.9^............9X.tf......@..E.......u.V.X......YY..uD.}.9...y.....].G.h(.M..L...=............M.C....M.;.\|..H....U..U....U.E..M..}..M..>csm........~.........~. ...t..~.!...t..~.".....j...9_........u P.E.P.E.P......U.....E..E.U.;U........M.k...E.E...@..E.E.9.......;H........x..@..}..}..E.].........F..@.......U.E...M.E...~+.v..1.u..s........u,.E..M.H....E..M....U.E.E..@.E.;E.t0.E...u.E..u$.E...u .u..0.u.W.u..u..u.V.......,.U.M..E..B.U.;U...&...8].t.j.V....YY8].ue..%....=!...rW9_.u..G .....tH9] uC.G ............w.V.....YY..tU.$9_.v.8]........u$.u PWQR.u.V.w..... ....9X.ud_^[..j.V.9...YY.M......h\|.L..E.P.....j....p..b....M.H..E$..u..E.VP.9...W.u..u..P...W........P.....>....U... W.}..?....tTSV......]..x..tGj

C:\Users\user\AppData\Local\Temp\Accepting

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	2808
Entropy (8bit):	5.462913383328879
Encrypted:	false
SSDEEP:	48:x9n9mTsCNvEQH5O5U1nPKrhBzM1FoMPhfq1koCqxLVJcd2u+MAyKnFHbQ:bSEA5O5W+MfH5S1CqlVJcI6mlbQ
MD5:	1F2B675171ACD895686632A65E9E3DF5
SHA1:	A36FC0D6B128CC3ADEE842F73965625330AB0E8A
SHA-256:	48D2B664876DADBD3498EA6A1DF4D26EF4B11A3AEFA678F26C81D634773817FD
SHA-512:	30F32BB9A5C183DB234075C6A5FCDE95A869D1E04919D7875C15C5A218C6AA46C2F6AF5ED49807C20A239AB6B2A55FD40E9DE3399BA095DC4CC48D88F2B17AAD
Malicious:	false
Preview:	JIM........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B.............................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Classifieds

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	61440
Entropy (8bit):	3.7617771452671294
Encrypted:	false
SSDEEP:	768:v60dTcR4qYnGfAHE9AUsFxyLtVSQsbZgar3R/OWel3EYr8v:v6iTcPAsAhxjgarB/5el3EYr2
MD5:	82089ED22B3CAF8FE245113A15305822
SHA1:	AD39B56C76815FF9BDC8253FC397195858D73B4D
SHA-256:	52CD7E1BBB93F6FA37F9CA00C26EFA2233C0B8287D8A0505A366D423515CCAF7
SHA-512:	120D2686BACF434B921FEFF198303F4FB4C859D704EDC514D670C947CF29924EB1628B0D094DD867FE94C4CA49E82EDA74B6677224FFB7BA207B1E3F5A77777E
Malicious:	false
Preview:	c.Deseret.Devanagari.Duployan.Egyptian_Hieroglyphs.Elbasan.Ethiopic.Georgian.Glagolitic.Gothic.Grantha.Greek.Gujarati.Gurmukhi.Han.Hangul.Hanunoo.Hebrew.Hiragana.Imperial_Aramaic.Inherited.Inscriptional_Pahlavi.Inscriptional_Parthian.Javanese.Kaithi.Kannada.Katakana.Kayah_Li.Kharoshthi.Khmer.Khojki.Khudawadi.L.L&.Lao.Latin.Lepcha.Limbu.Linear_A.Linear_B.Lisu.Ll.Lm.Lo.Lt.Lu.Lycian.Lydian.M.Mahajani.Malayalam.Mandaic.Manichaean.Mc.Me.Meetei_Mayek.Mende_Kikakui.Meroitic_Cursive.Meroitic_Hieroglyphs.Miao.Mn.Modi.Mongolian.Mro.Myanmar.N.Nabataean.Nd.New_Tai_Lue.Nko.Nl.No.Ogham.Ol_Chiki.Old_Italic.Old_North_Arabian.Old_Permic.Old_Persian.Old_South_Arabian.Old_Turkic.Oriya.Osmanya.P.Pahawh_Hmong.Palmyrene.Pau_Cin_Hau.Pc.Pd.Pe.Pf.Phags_Pa.Phoenician.Pi.Po.Ps.Psalter_Pahlavi.Rejang.Runic.S.Samaritan.Saurashtra.Sc.Sharada.Shavian.Siddham.Sinhala.Sk.Sm.So.Sora_Sompeng.Sundanese.Syloti_Nagri.Syriac.Tagalog.Tagbanwa.Tai_Le.Tai_Tham.Tai_Viet.Takri.Tamil.Telugu.Thaana.Thai.Tibetan.Tifinagh.Tirhuta.Ug

C:\Users\user\AppData\Local\Temp\Concern

Download File

Process:	C:\Users\user\Desktop\SoftWare(1).exe
File Type:	data
Category:	dropped
Size (bytes):	60701
Entropy (8bit):	7.997145915162595
Encrypted:	true
SSDEEP:	1536:fTEZQScL2YdHXnVxWQQVJbCSf/Na++VjC5cZxjIJOxJ7rdNI:fAqjL2z7HCU/N5sCy37J7Ze
MD5:	9D1B19F75A6C3A6FA37E434554EC6FC3
SHA1:	57DAF72EC3C1B995CD372B1B91FEACA2DC91F4D2
SHA-256:	5910F5ECE030A23FA81146158EBD892E62E187EB755942FF44E2685660CCEDA3
SHA-512:	87BD3CE02B3CC31FAC2B1CA4096131B7B3A71F1D47C91CE3E3D9045BEEE534D78DB96B6A577A9CEA0D685C6AF9AF744F9C32EF0E1F508B83DF36435F36B12C39
Malicious:	false
Preview:	.>...#.%T....V3......I..&C.:.h....)F._M..\|.'...M.i...8....W]..U..x. ./.F;."..(..}ywF.qGK......v..WH/5..D.Q..j.X../.W.j.".i...^.@.u...\|.=...W8.u<..iDo...{;...1BgSl"tb..K,.....]...g......RG...J.....+:..)..?..=.,I.-.!..!...#............a...-G..@.@.cQ.T.....W...j....R...}...%o....S.......,.....k...L.....dg,..<..qm......JJ...~..V.......].....^....~<c0...G....N.{.}....4...!2K..2......+.~=n....E...~SG...(..W...&...a.&.<........DfN.pc....o5"U...."....T....N....'..@..s.6..>:..=...w:.SD..'..u...O)...`.5N........T1ZN\.M.#F.(Lf\|..~.?.h.@..l.a....;v........<..JK..$..y;6.4QN.1...f..L.....X. ..!.~.5IG.o.Nf..U.pk...+...RZ0...3.....O&]P.M~?Q.9.....O.,...+=z.'.......^..p.. .(v....}!...m.$..xS..C\|).p..k.R.F.d.Q.s...@4..Ov;...X\_..X.....P..6b.v.\|0pS/...B._....0cW;_..ks.5q.s7.F.....xu..-.5..b....+B....&E.4.........b5.../"..$.=3^\|...k..g..R.~.2\|..}W.H..Ziz.........S./A...K.&.dG........K.fif$.3;.cXO>.Dl..5...u{.T....p[.....6.....Ig....z...A.\...Gu&.h.A

C:\Users\user\AppData\Local\Temp\Conclude

Download File

Process:	C:\Users\user\Desktop\SoftWare(1).exe
File Type:	data
Category:	dropped
Size (bytes):	60416
Entropy (8bit):	7.997350147800307
Encrypted:	true
SSDEEP:	1536:HS+yOfAEwdoFWcfvkDjhTNEjnSUxbOvq3klC8sDGuCHZ/b0m+:y+AEwg+hiOvcklC84m1h+
MD5:	C4044C7AEEAE529CEAB3665A5180C124
SHA1:	55E303EECDEA51AA9E8E031FAB9C76E4A43BBDF4
SHA-256:	04D56F70F8F95027DDD846283DC288262B36FD7FA07C9D1C270C6F845EA5947C
SHA-512:	EFB8F52B7C01DC3E2344330907A26130EEFF0AD008AADD21798213A76596425AE578465EB60E46A4359E73D8D50CAC80AA23188E700B2EB9084598F4D1766B31
Malicious:	false
Preview:	.....`.R...k.$..R...,......L.t...L9.....[@H..<o....nAV.X.\| _. .9...I...........R.......3..d...N.Yt..c...F...i.\|`.......A...K.(.a...0.....Xm..@B.0.4P>.>.l.^......D:...@X....Dau.0...>:.._....X.l...f]V....)s..\.r....c.....&....!..f^c\|.I7X..f&.B.:..W.Cp].+....TC.yk..?.V.<u^.cm...M...W.i.!..]\I3.....a...voD7..$.Ln#.^.......6P...I.#...$..A..3...I;.....6..N2.ha.._..... s..{b..BA..>!.A@Mu..C.o.[..x.....G.e.xw..R...~..u.._1..!........a.5....Ke.9...yy....{......\..v......$...h:`..NN.(....~.u.X......C.P.........=\|i..4../.M....BZ(.T$....e..+...hn.~...2.....l......Z...B....U.\...s./..8..f.(..r@.........UT..\..3.1...0_E...u.bQ..;.&...C.W.O....z....^N.....OC-..$6D=D.i.o.^...S~.2'...e ...... .0..Ww...8.(.....r.T...X....S.....t:Xv.x.1[m....C>.h../...U..:..Qe5%.. 0.4.,5N1D...mR...5.:E...z........}..o......?..Cd.T..z...l*..._S......xU...../d@.j^.n.].M....S.-...IZ.Xc...+...A.........d..~Z..+W.x..qr=.-;....i.T.e..F7S.m.....^...R4.{..w.X...G.s......=:...S..

C:\Users\user\AppData\Local\Temp\Do

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	75776
Entropy (8bit):	6.537002356356331
Encrypted:	false
SSDEEP:	1536:pRmLORuCYm9PrpmESvn+pqFqaynB6GMKY99z+ajU1Rjv18fRQLTh/h:TR8CThpmESv+AqVnBypIbv18mLtJ
MD5:	7BFF06CE1E7E127D537AC37713E91800
SHA1:	906EDD84EF8677793C81220941D7CBC20E2809B5
SHA-256:	6447A681E69C6B8FE06F813CDEEACFBD8A98AD1A056C24BE19217BB2E7B3067D
SHA-512:	4710BC485E5DEFC94ECCBC8E9E88A94B2127D68DD6F60A4070FC504F316782DF1A7BDDB419E64207DA2BF935625F6635F3C2C9DB1EFDAB4D966E519DCA07A76A
Malicious:	false
Preview:	.[....U..E.V.@..0.../...F..0....I...u..u....y....&..F.....3.^]...U..E.Vj...@..0.E.P.G....u..u....A....&..F......N......W.}.......8.u..H...t.Q........p.....I..............t.Q.J............_. .3.^]...U......<SVW.}.3.\$............G..H..i...O.....D$..D$..I..i...........L$..b_...L$(.Y_...G..p........N..D$(SSP.T$$.T.......D$(.L$.P.j...9\$.tM.L$...}....u@.t$..L$<.R...L$8..z....L$8......]......].t.........#..C........].....h...L$(....\...L$...\....tS.D$..D$....]..G..p.....-...E..~..@..0....-...N...j..t$..%x..YY..u.......#..C....._^3.[..]...U..QS.].VW.E...{..v..C..H..Ph.....u..E..C..0...o-...N....U....s...tC.v....T-...F..8.C..0...C-...u..F.W.0......u...........F......>.....6....-...F..8.C..p.....-...F.j.W.0....I..}............G......7.g....ul..0.I.=....u_.}..tY.C..p....,...F..0....I..C..0...,...F..8.C..p....,...F.j.W.0....I..}......O....G......7_^3.[....U......T.E.SVW.X.3..@..\$..\|$<.p....4,...N..T$@...D$@.A..D$D.A..D$H.A...D$L......!\|$.h`~L.......t$H.D$4Y...............

C:\Users\user\AppData\Local\Temp\Dodge

Download File

Process:	C:\Users\user\Desktop\SoftWare(1).exe
File Type:	data
Category:	dropped
Size (bytes):	66560
Entropy (8bit):	7.997279607135312
Encrypted:	true
SSDEEP:	1536:o1ep5Z9eIaFJbZMBLDc29mh7ZKG22ibL6HQI9Rro0MrAX:oABeIGPCQ8xNbLrMMAX
MD5:	27FA75FCBBEFA6E473268375773C3466
SHA1:	E920DB666F9663D6E3C4448488D44D6B4327B5BB
SHA-256:	2A31EFDB064CB9FBE7C079DF5854D7421CF744DA1244DD7173B9AD1B1DE1135D
SHA-512:	30CFBBCF9C95FDD75382AC37C1F970D4ED0E1F1DC8EA96C5B073416924718BA2FFF4C3D2D3BE4BE23D4A41AA6AB49456F114A3652E7CC60BD7CB2BEA6A9BBEF3
Malicious:	false
Preview:	o.....0.....1;....V....W..,\Zb.d.....U...V...4=X....q.`....h.c.1D..........S..I..sp.I..Ke.6...N..+r...y..O,.... ....k..hA.t`.... ....~...t....c.~+.6.e..j\|.j...xKQ...D=Me..s.C.\'.4....op.}.z.o....%.-Y.QY. ......k...\..A....z.,.7'~LXwi.......[_...n....8."........rkR.? .v>r........gY...gl...:...G(...s.5...[.i....E..9.."~.E1.R......%.r,..{.L..[.p..7.`.....7.'._/...}......e.D.......2r.Ug...XO..h...y0./R...........^.W....X3..~.ru!.M..8......J....is........Y.,..)uz!.....k.shw.]K.....R./..<lC..B.[0.n....8.g...O.kd..qz....S.?...u.D......N=...02..Jv.-~.......(......o.q.Z....='.5.d..?....,x.....hs 7K...C.Ia..bL.C.9...<.).W.......i..x3..r."....B.....{.-..&d8..}r!..4......A=...w....V..dWm....RE+.%.G..Z..+.j...?x..[..).........>..... ..:...=.#..#u......r..:..W......@.E.....D.s.....0....q.....&r...+.=......~.,2.9.wV..",..\..2.....4^yi....\|Tu.S3ci.Jm.r3..5.v..* 5X ...m..........$.K....;,#....f.:...o.cw...=,.`1gK...oj.(..'.//..._.k'...v<3...X.

C:\Users\user\AppData\Local\Temp\Grand

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	141312
Entropy (8bit):	6.419620114632187
Encrypted:	false
SSDEEP:	3072:kg5PXPeiR6MKkjGWoUlJUPdgQa8Bp/LxyA3laW2UDQWf05m/:H5vPeDkjGgQaE/loUDtf0Q
MD5:	D988083A93547D995A66D13BD7EDA380
SHA1:	F752C91BF43F742199364237FD36C696F06FB11C
SHA-256:	1C9884FD44070215668FFB06AC9142508378F914D6CC5354AC8D148418B6D402
SHA-512:	25A994BC6A9C69A74D7CF4ECE7942D3B07554A72DF22CCFD196D064024E36DE4677E145D8C52CEC09DB480955F462D3A598A2A1FB3548A97498DF21FF69910E1
Malicious:	false
Preview:	3.@_^..]....L$..N...3...U..V.u.;5t)M.........T)M........t.Q......T)M..... ...`)M...T)M.;5d)M.u....\|.....8.u.N...5d)M...X)M.^...v..D...8.t.]...I..X)M.j..4......T)M.YY..X)M..$....X)M....v..T)M...x)M....t)M...T...V..Np......NT....N$....N....h....V.C...YY..^...U..VW.}.........M...tF.E.S..t.;.....uH.^.....Q.........;...a...........h....V......E.YY..t.[j.j..7..X.I._^].....u.........M...t...6..V..j..N..V..F..4......F.YY.N.^.$...SVW..j._..l...............u.Nl.....N(...h....V.U...YY_..^[...U...u...(M......U...t...@)M.......y..u&...)M...u...M.........Qj..u...x.I.].....)M...U...u...(M..H.....@)M.......q.P.....j..u.j..u...x.I.]...U..M....t.W.}.........._]...V..4.I...(M.P..........t...@)M...j.....0.....^...U....SVW.}..E.P..7....I..E.l....E...p....E.PV..x.I..M.E.;.t...u.;.x...uw.s..5..I.......f#.j.f.E.X.s.....E...u.f......f#.j.X...f.M..E.;.\|..........}..t...\|...;.......;....}..t......._^[.....}....t.....x.....s.......U......(M.V.u.WV.......@)M.....8..........;u....

C:\Users\user\AppData\Local\Temp\Hydraulic

Download File

Process:	C:\Users\user\Desktop\SoftWare(1).exe
File Type:	data
Category:	dropped
Size (bytes):	95232
Entropy (8bit):	7.998455469644948
Encrypted:	true
SSDEEP:	1536:xNPjc5Tow2gtH6Yf2lF8ANod07eCXu3xrdApMY/mXcQwlVfTQXp5xcH9Q1S9:xW6w9d6Y+lF8A32yxScQgVfQ7+Q1S9
MD5:	80BF277798C224135E99FE386BACD1B2
SHA1:	8941E3B516A28BF542A9C56E5B7B900B49B66E3A
SHA-256:	7E13C4974D4D50CA994616811CBFDBBA287A6CBE2C8E4BFD8BFD7A0B545B7E91
SHA-512:	E8FAEBB31681299F06ABE6506B226045FFC28DF523773B07E20E945EE85A140542F4D365C2F0ED2C9C24F3E8227D89A2E89CA7FF84AE9B4774EB0451751A6CC3
Malicious:	false
Preview:	..72........U_Sg.9?.`t.1.Fwzj.........1{...?....s.I.KRaU...n...y..X..wq..dIo%.;.{.Hs.V...L...w&..3...G..F......]..46#v.'u.# K.w...Z..2y.X...].U66..H..kj...D..[.y..........N..W8 ....K....N......\|.h/..e8.\6.`..`2\|d^.X..9.\..X...>6H.B0.9..o.=.A...`........lCE...\)l.N..$...,..y5..8y.CB.`...kJFOgc9....WW..ZU..".;.1..5.}1Z.......WR.OJ......i.10F.sGWliK.f...21`..Ai..c.{0.....E9..../......-F.\.....-...r.{...G...HY..n..u)....U..>%.q.c...?.....Op..k{6kz.r.]:........Yq.u........."1}...L,4....~.G2[..Mkr?1.....}..I...I.'vi<q.\|......:.#...._^V@.QfR.V\].\.#5n...V./`&z..L..Pd....-.4..W.j.....,...W[bM..}....rC...5A.}.3..{...-.....n....}.%....Pn.BfWCx?..l....-\|..tM......ln~.}...M...AS.x!...9n6i.8.x\..O5..rNW.....".Y.....(j..&.m...[..Gg..^EqU.{..%..~d.\|..W9e....."...h..%.Q......r......j.V&....8b...sbE......../,...zx...0...g..2....x............8U.<.......a....cO.}>..zi..:.4.T_.0..d.rX...P...>..F&T..?..-.....6...'.....z........A..F....68..^!S.u.>.V7....L.........

C:\Users\user\AppData\Local\Temp\Katrina

Download File

Process:	C:\Users\user\Desktop\SoftWare(1).exe
File Type:	Microsoft Cabinet archive data, 488065 bytes, 11 files, at 0x2c +A "Classifieds" +A "Mileage", ID 7296, number 1, 29 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	488065
Entropy (8bit):	7.998450562768744
Encrypted:	true
SSDEEP:	12288:0UXlS9o4A79ZyzgFWlPL/P/SFytKmt+DidydArMiIPz:1VWTA790ze+jP/SAAPDidcAriPz
MD5:	E7C7000EC72D4B4AACB22123F14434E4
SHA1:	DCC3E9A8690C96BF360730FE551CEBDB6EABC6C1
SHA-256:	E3E6C6C89BBB99B2FFD8801CE20F29D3CF1FCDAADFB916C08C220BB86AFC81EC
SHA-512:	2B846A72B4D5EFAA0F819BBCBE0DA825D8FEB9A33CBE978428D394884DBFC749CA8C531E85FBF46A656FF9E705D63D4D4BB1342DCE7CC419948A760B69A4DFEB
Malicious:	false
Preview:	MSCF.....r......,.................../..................Y1. .Classifieds..<.........Y1. .Mileage......,.....Y1. .Accepting.c5...6.....Y1. .Timer.....[l.....Y1. .Visibility..,..[......Y1. .Pack..(..[0.....Y1. .Grand.....[X.....Y1. .Academy..(..[T.....Y1. .Do.....[\|.....Y1. .Spiritual.....[h.....Y1. .Man......,..CK.Z}.\.u?..l..(.6Q.2..b.^..8..avfgw...3k..2..y;.o..o.xw..H.-QiCZ.:.j,.5......HU.....EF!.4 Q.?hE.."..-..{.......s.=..{.=..s.o.5{.kz.O...i..e.].Y5:4.\.z..N[..4..n.G.v..1.kYN...MP.m4........5:^.@n.K4.?e..g...K-......9.w....k....A.v.t-..].m..\|...g6P..]..:..KF.6N[k..8.0.....J....d...0.{...t.X5Z..0-.uz-!j.M...%......@.... yV..f..I..v...i.._.@...M.6......uf....l.f..q..X(...6.(u.<_...7..5...gZ..c.2.1;..z.Z2..h.eb.W3}.g.6C@t.g,.>....e...q...X....,..5H.G.m..\..V..7iv.Y.f.6[.hW3-..).j.3l...Y...U.q..).n[#Q....O.V......A.^.. /.V.XnU..`........~5cAI.>..TjP..E..f....cB..{..C.....3.@k.L..Is}.R...5(.Z...k@.\...@7Xk.....V..B([..V..KTF...k`fP^.Z.c)E....Y.Y..}V^.b

C:\Users\user\AppData\Local\Temp\Loops

Download File

Process:	C:\Users\user\Desktop\SoftWare(1).exe
File Type:	data
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	7.997986286159027
Encrypted:	true
SSDEEP:	1536:GWNCt2C4YQrJ9PfZe4iK9xGLKPzZnvnQ47kz6jkaxaWdTDxrDq:3QtefxnxcKPdvxs6oGaG9Dq
MD5:	0C0FC9354C16999CA022F170E01215E5
SHA1:	8CBA4248AE1008360A23C425F0CADAE672B517C4
SHA-256:	07F726D222889DA9AE406BBD94EC9DC4B57680D032BAC0DD67AE82BAC20BE51B
SHA-512:	C4595FF9224E7D43B470C2FD6C29754A5344FACD7BB55508572FF836D23B942E5133348B89319A9501682E091B180C52D61116E519693F3739D68B863293341C
Malicious:	false
Preview:	.,A2.?.....'...W<.`.../......5..5WXf..U..:F7....o\|..f5........\|.g"..H.;8..._..y...Wp..g.6H...H].:....E..<...K....C.e..>..}.<..=.../...)..<.a.oC.ZL.nn.,_f....11.>...~..P.Hf."8...p.Zjld.".Uh....6ZBs.V2..G..Y...6.X...)...6#...../L..... +.#..(...,..mZ....O.!.\|.?...5+&.%.`b.AtX5.d...u#..........\.\...Od..d.......r..i(b..V...k.rb...bt.dZ..sq...,.W]..Y\|.0.u+..UR."G...&..=v...\...8...>.\N...6B..} .U..<....P.~D.\.R.".9;S.].<k...x.....U.(.j..P....\....#.V.........T@..bo`v.....[c..Ie.7..o.B.:.^KG0.........g.....b).v.'..r..J*.LW......0..W5+....a....X..y.=.8...QJ]m.50aIh..B..}...(.-.].BW.....lnkb.E.a..,J`.n.}...\|... &_..k.f+.xw...c\L..'B.j.^.,....F^2Nz.3j.+z.=[.....{.9...I.,...N.......a........sw.....D....D..Oo.C.1.".l..+#.T.n.........q.......G..vVZ..Ls.#.~.R....r.A.ms....>..FL..T.<..F...:..f8MQ......s8..D.v........l... .vz.2.........!..W..z0[....t..0>.....4..l.<...{....5 @l..<...Ps2b..0UL.G.m..H...."..1. ..~...m.v#L..q.m..{TU.;iz.i...Y6/-.u......V...m,.

C:\Users\user\AppData\Local\Temp\Man

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	68608
Entropy (8bit):	6.561605242223398
Encrypted:	false
SSDEEP:	1536:b8yDGVFE5gOHu1CwCMIBZwneAJu7QnswIPumV3BxZxu6/sPYcSyRXzW8/uC6Ls:b80PtCZEMnVIPPBxT/sZys
MD5:	3090C7F97B0837ABBFE8C27B6F07F341
SHA1:	C4357FEC90399EECD91AD5D9C6AE640FEFBD05A6
SHA-256:	85456FD9E55D7314D509F09494DF2A4D6E8D5F88A02196F3DAFD5145B1F13614
SHA-512:	B8A3662A19E0A89E433CBAE14B6CD68A6C6BD09BBA4CDF1EBC8AF45D6AAA0ADF43449C3787C3B33351AFC81076F4A1CE4EDA694916944949F6C2E5C69BCC5391
Malicious:	false
Preview:	:.t...t..^_.B.[.B.^_[.B.^_[.B.^_[.+I.....+I../...+I..V....T$..B..J.3.......L.......T$..B..J.3........L.......t.M......%....n.....1..V..(M....!.....^.)....KB...q3.........#M.............M......45M......t5M.......5M.......5M......5M......6M.......M.....G..H..k....E.........H..\|....D..t..@8.@......\|....D..t..@83.X..`....F..H..&........F............P.v.W......v...............u...(M.........L)M.......@)M..u........(..\....L)M.......M..i...j.j.j.RWj..E.....I..E...u.j..E.Pj..u.W....I.jP3.PPj.WP....I..E...u.j.P.E.P.u.W....I..E..M..=<.I...t(Qj.h.....u...H.I..~ .t..v ..E..F .M..E...t(Pj.h.....u...H.I..~$.t..v$..E..F$.M..E..}.....g.......#..\....vL.XP...g...j.j..u...X.I..}....w...<.I..g.......H.....%...WV..O........~8.t..v8....I..f8..~<........v<....I..f<.......~@........v@....I..f@.......vd....I..fd.......vh..<.I..fh......vD....I..fD......vP..<.I..fP......w ..<.I.......w$..<.I......3..~..=@)M.....8.u.B;.\|..L)M.........A..............]............j.^;...&..........

C:\Users\user\AppData\Local\Temp\Marco

Download File

Process:	C:\Users\user\Desktop\SoftWare(1).exe
File Type:	zlib compressed data
Category:	dropped
Size (bytes):	93184
Entropy (8bit):	7.9979284760365035
Encrypted:	true
SSDEEP:	1536:FKtTXB9x/JoFGD63foeClHsHfZsX6QXKd1ZSD6xxRh0Y7UfmKA/L3uZkEsn:IBDAG+3foLAfZsX6QaVhxxUYnjz33Jn
MD5:	14BC75DCD926FFC2C3EAF97BA5526E17
SHA1:	6A1C25944DD7E6736CB4E3587AC70DAA14DD8F22
SHA-256:	1632A5E4051F1BAE390D0A9143505A52462715EC77E670507CE1357A91DCC869
SHA-512:	A83BEC8A812871FA39A2D94A7C177DA2621FAF475CC4489C5A58DA9EF888FC835DE29B50EED06977297CC6A1F04886F3D367BBEBD923B25396218923F98D4DC4
Malicious:	false
Preview:	(..r<.A1....u..6...?..2.A.<+...z...HG7q..).FG.{.Z..-4.^.\|0\|..0..qb[..USH"3.HH.7...-..F.%.......I...% 4lFD..Q..46D......+.5.!=.j.}V0.#...:...4<gw..v..,.e.P.bK..z..fi..12#N......Z.]"`.P..x..\|../y<h....D...............p{.^.R./.L...4r.=....u,2._[.Xo.1.\:......P.:......aU.g.12...^Is.n^.+...W...I........[lz.M%..?....f.......v@..&.u.......r.0?l.%[Zf....3P.........!....y....,..F......w...^.h.;Fu`...T.9;Cm.v...<4.6.7E....d.Q.h.3....V.{..\.;=.e.+^I.l).Z.h..Y.h(..,.........<%....B...@.+...X.49..fT.........^.E."...X...q...t.%./.!."439...1....O....@.v..`.s..;.Q/.#G.\.iDJ;.Mw_.v....N.....d..c......Y.E;.G.B...]@.yRs..../..n).....o.E.N.".....Q.2...t_..]<..,..F.L..F-..dZ...!..........R....)EE>[Gn........{..lr..-.....F.&.n..^..I@K.MK.o..;l.... 7.iq[.z...`..A..9.+'...]Y..Zf..`]F4p.'.4..z.!..Y.k\X.6i.....8?O.#.q...V..;..8g4K.Q......\.9.P.f+.....Xg.......8.(..a.l..HCh.Yx:."ep.?.C...."...Iw.....#....A%....k2..i...L......].X.r\Lr.....\.......N..c...

C:\Users\user\AppData\Local\Temp\Mileage

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	146432
Entropy (8bit):	6.4530808223759255
Encrypted:	false
SSDEEP:	3072:/fhnueoMmOqDoioO5bLezW9FfTut/Dde6u640ewy4Za9coRC2jfTq8QLeAg0Fuzk:/fhnvO5bLezWWt/Dd314V14ZgP0JaAOQ
MD5:	29D811C2F833486A55C9D373AB30F75C
SHA1:	D83249E1EC71D291668958BC25E0D057E04252D1
SHA-256:	8C813756E0CB77E74A081505F40E3F256CE06CDF7742A1E5F3F4EEB7BB89C733
SHA-512:	60C772206686FF3D4ADEA0E5B2F14962C9BE9AFB0577EC8608394CEA51E7CB7CF96EF388D589551FF8172A767ADFCABCA96AD4ED89E054AD634C6AE99D626BEE
Malicious:	false
Preview:	.f9E.t.Q.M...-...M......M.h..I..^......M.;.t..0.7...E..U....E..@..D...M.f9H.u=.z..u....U.R...P...t`.E..P.u..u..b.....y.QQ...V........3.@...z..u....U.R...P...t#.E.....M.Q.M.Q.M.Q.M.QP...@.....y..u.h................U..}....G......@.f;E.t.f;E.t..u.M...,...t.M..V.....uY.E..8.....uG.E...P.....Y8].u6h.6M..M..-.....H..D1.8\1.t..@8.@......D1.8\1.t..@8.X........u.QRW...q.....M..,^...M...5...M..E...I......u...x..Y_^..[....U..QQVW.......w.t..v8.E......]...]...E....F......G....._^t..@8.@......U..S.].V..W..@.I..C..F...tMj.Z;.r...V.3..j.Z.........Q.[x..3..F.Y9~.v(j...x..Y.K.........N....G;~.r...3..~..~._..^[]...U..V..j(.f...f....w..Y.u............^]...U..V......K...5...v...w...E..Yt.j.V.w..YY..^]...U...........E..d$,.SVW.}...D$.....\$4.O.+.q.........N....D$h.A..D$l.A..D$p.A..L$.....D$t...O.....$.....+.....T$....;.tE.u....d\...&..F........@..\|....L..t..I8.A......\|....L..t..I8.A........D$x..$....P3..D$@@.I.!\|$H.D$l!\|$L...P.\|$H......uD.u.....[..!>.F........@..\|....L..t..I8.A......\|....

C:\Users\user\AppData\Local\Temp\Pack

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	DOS executable (COM)
Category:	dropped
Size (bytes):	142336
Entropy (8bit):	6.71403291701726
Encrypted:	false
SSDEEP:	3072:kTmRxlHS3NxrHSBRtNPnj0nEoXnmowS2u5hVOoQ7t8T6pUkBh:BHS3zcNPj0nEo3tb2j6AUkBh
MD5:	DCDA63A12F9B6D5A76A75DBC6E1DD400
SHA1:	CDB832AC1EBB49D61D8B401BD31FDF037A48A84E
SHA-256:	94E1F932DB010F9789983C38B61AFA679D08DA7F444DBE5827B0FF629594A6F4
SHA-512:	6E3005012ED0E1A568DB9013367C77DB926E8D08D32250E3BDAA4665FA4716CF9B256A7687A47709D9DE8305FD4A3B14AD00518CD00936F63A55D4E57A773A9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	.c.........................5M.j.P...p..L$.........5M.....5.5M.....!5.5M.3.........t .......\|$........t.98t.F;.r.\|$L;.....................P..v.........D$........T......;.t.R......D$..@...j.j.@P..........=a#M....x...j..............D....>....D$.....I..L$L.G..6.dv....j.j..A...@..L$T@P.V......@........D$...P......[.....`...........=.)M....r.....)M...)M..0.t$..A+....T5M.........K....~....d....F...P..u...D$.....M.......$....hH.K...$.....$.........$.........b~..j...$......3M.P..$....P......$........v...$.......h`.K...$.....$..........$......~..j...$......3M.P..$....P.h.....$.....O....t$...$.....v..D...h..K...$.....$..........$.....}..j...$......3M.P..$....P.......$.........D$....`....j.j..@.@P....Q.L$ .`...........$.............Q.........(M...M.....t$.....r...................3..............L$t.D$h.....D$T..I..D$..D$X.D$\.D$`............8C...t$t.L$ .D$(.....6. ....v....FX...v.....s....T$..J.Q.................z...D$........L$t....L$..P....f.x....&....F.....D$...f.y.3ty..

C:\Users\user\AppData\Local\Temp\Representation

Download File

Process:	C:\Users\user\Desktop\SoftWare(1).exe
File Type:	ASCII text, with very long lines (990), with CRLF line terminators
Category:	dropped
Size (bytes):	26997
Entropy (8bit):	5.093850281877817
Encrypted:	false
SSDEEP:	768:wQlRndoxJpxJP3sYaFrNVOGYrLgF4WdDy3Bv2Y:wqRndyJvN8YurNVoLgF4WdUZ
MD5:	40BAF121A5D54165FB1FF0D78F2A9756
SHA1:	03D58E5B52C834EEFE259212146C85569C8EA1D6
SHA-256:	56A066FA2823DEC314621F7C95C162723BAB1FE2416C292D10BADC91353EFF35
SHA-512:	98503116E8EFD077EBA0530D82167230606D3F1050B67D88D95E8086201919F491BA328C0CCFE8858DD34B75E5D54B2156F3F25277B305E5579994BA8F0DDEEB
Malicious:	false
Preview:	Set Year=o..OOConfidential-Prescribed-Recommendations-Annotation-Egg-Algorithm-Nightlife-Committed-..ubRetrieved-Administration-Killer-Tabs-Listprice-Effort-Variance-Denied-Weights-..YymMVitamins-Mi-Tested-Himself-Exhaust-Halloween-Km-Dicks-Proceeds-..XMPoultry-Ja-Edt-..lZaPermalink-..aTRCGoat-Railroad-Operation-Meets-Membership-Bo-Parish-Offshore-..KiDistance-Revenge-Seed-Pichunter-Moderators-Medication-..DAAToo-Laundry-Goal-Syndrome-Ensure-Modifications-..CmSSupervisors-Wheat-Narrative-Grace-Committed-Cookies-..SyAtm-Hawaiian-Beach-Educated-Subsidiaries-Experiments-Running-..Set Park=7..jNuJCloth-Move-Manga-Downloads-Muscle-Netherlands-Activity-Management-..tadWSalary-Rouge-Immediately-Resolve-Tech-Feat-..ENSluts-Detailed-Successful-Sam-Activists-Ladder-..GUFJAmendment-Bunny-Monitor-Hear-D-..SsLBee-Priced-..ZPZFirewall-Menu-Namespace-..Set Handheld=A..EqXIncreasingly-Advise-..gdKyLocked-Mike-Comparing-Disk-Subscriptions-O-Paris-Experienced-Vacuum-..dGxAppointed-..GNaBCoin-..bhHAAdmin

C:\Users\user\AppData\Local\Temp\Representation.cmd (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (990), with CRLF line terminators
Category:	dropped
Size (bytes):	26997
Entropy (8bit):	5.093850281877817
Encrypted:	false
SSDEEP:	768:wQlRndoxJpxJP3sYaFrNVOGYrLgF4WdDy3Bv2Y:wqRndyJvN8YurNVoLgF4WdUZ
MD5:	40BAF121A5D54165FB1FF0D78F2A9756
SHA1:	03D58E5B52C834EEFE259212146C85569C8EA1D6
SHA-256:	56A066FA2823DEC314621F7C95C162723BAB1FE2416C292D10BADC91353EFF35
SHA-512:	98503116E8EFD077EBA0530D82167230606D3F1050B67D88D95E8086201919F491BA328C0CCFE8858DD34B75E5D54B2156F3F25277B305E5579994BA8F0DDEEB
Malicious:	false
Preview:	Set Year=o..OOConfidential-Prescribed-Recommendations-Annotation-Egg-Algorithm-Nightlife-Committed-..ubRetrieved-Administration-Killer-Tabs-Listprice-Effort-Variance-Denied-Weights-..YymMVitamins-Mi-Tested-Himself-Exhaust-Halloween-Km-Dicks-Proceeds-..XMPoultry-Ja-Edt-..lZaPermalink-..aTRCGoat-Railroad-Operation-Meets-Membership-Bo-Parish-Offshore-..KiDistance-Revenge-Seed-Pichunter-Moderators-Medication-..DAAToo-Laundry-Goal-Syndrome-Ensure-Modifications-..CmSSupervisors-Wheat-Narrative-Grace-Committed-Cookies-..SyAtm-Hawaiian-Beach-Educated-Subsidiaries-Experiments-Running-..Set Park=7..jNuJCloth-Move-Manga-Downloads-Muscle-Netherlands-Activity-Management-..tadWSalary-Rouge-Immediately-Resolve-Tech-Feat-..ENSluts-Detailed-Successful-Sam-Activists-Ladder-..GUFJAmendment-Bunny-Monitor-Hear-D-..SsLBee-Priced-..ZPZFirewall-Menu-Namespace-..Set Handheld=A..EqXIncreasingly-Advise-..gdKyLocked-Mike-Comparing-Disk-Subscriptions-O-Paris-Experienced-Vacuum-..dGxAppointed-..GNaBCoin-..bhHAAdmin

C:\Users\user\AppData\Local\Temp\Spiritual

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	DOS executable (COM)
Category:	dropped
Size (bytes):	60416
Entropy (8bit):	6.718975113840313
Encrypted:	false
SSDEEP:	1536:lSpZ+Sh+I+FrbCyI7P4Cxi8q0vQEcmFdn8:lSpQSAU4CE0Imb8
MD5:	614AAE2133A3887EBA07AD6C2FF85000
SHA1:	51B67FF90FE9D78512AB5F1611F6E735BC86BD81
SHA-256:	0CD0978300D395AE6F03DB8C14C98852361E1922A1C43A13D1E8908CC601ED76
SHA-512:	E95F83D5CB70380FEE49A653C4B5005269F70552502FD86C8F6EDA1FCFBD2A149D7F25FE50504CCE4AE99EE63AFD2B1C1085430B2D53A3B1D59C98F2EAC4ECCF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	.z..M.....E.Q...P.+..YY..t..E.E.3.j..].E.Y..3..].3.E.A.E.f.E..E.j..p..E.PQ.E.P.E.j.P.........u.8E.t..E...P....3.....E.#E..}..t..M...P.....M.3.[.m.....]..U..V.u....w0..u.F...f.....t V.f...Y..t.Vj..5.#M...p.I...t....s.........3.^]..U..Qj..u.QQ...u..u.P.\......j..m........]..U..Qj..u.QQ...u..u.P.0......j..i........]..U....SV.u...t..]...t..>.u..E...t.3.f..3.^[..].W.u..M......E......u..M...t....f..3.G.....E.P...P....YY..t@.}....~';_.\|%3.9E....P.u..w.Vj..w.....I..}..u.;_.r..~..t(....13.9E....3.P.u..E.GWVj..p.....I...u..7............}..t..M...P......_.1.....U..j..u..u..u.........]..U....S.].W.}...u...t..E...t.. .3..z.E...t....V......v....j.^.0......S.u..M..s....E.3.9.....u]f.E......f;.v6..t...t.WVS.........t...j*^.0.}..t..M.P......^_[..]..t...t_...E...t.........M..u.QVWSj..M.QV.p.....I....t.9u.u..E...t......0.I...zu...t...t.WVS.Y..........j"^.0......l.....U..j..u..u..u..u.........]..U..4.M.VW...\|\|.u.....j X+.....#.E.;.s...<2..;.t..9.t.A;.u.+.;...........+...

C:\Users\user\AppData\Local\Temp\Timer

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	79203
Entropy (8bit):	7.024302557408604
Encrypted:	false
SSDEEP:	1536:oWyu0uZo2+9BGmdATGODv7xvTphAiPChgZ2kOE6:oWy4ZNoGmROL7F1G7ho2kOb
MD5:	731509D0001F79842322B93BD1407A42
SHA1:	F71DFBE4BFC58869C8C2FB26D6081A65C4FE8CEF
SHA-256:	FFF7062C429DB4BB1876EB748D4B362E6BF56FBB81552972024A3BC09E1E1A44
SHA-512:	56AB1787688B2991FE0F1928875455112158431170D544E7728E8194E247DFCBE8829EACC547601B61F64B36D86C0845D1029B00DBD055B4CBC46D0E1C20DB95
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................?.......................................................................................................................................................................................................................................................?..................................................................(... ...@........................................................}..............f...]......g.............m...^..............h...g..............t......f...a...........s......

C:\Users\user\AppData\Local\Temp\Visibility

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	104448
Entropy (8bit):	5.432963830676052
Encrypted:	false
SSDEEP:	768:ZbOU7aI4kCD9vmPukxhSaAwuXc/mex/SGKAGWRqC:zimuzaAwusPdKaz
MD5:	ADD6E78F067A3E3C77B0A9089E871634
SHA1:	7004977CACE878377726630F4A7902FAACF13FBF
SHA-256:	E7C92175950B870370A0876FC459FD9F3EDB8720C3262B35A4B537676EA2C84B
SHA-512:	2257FB5E242EA8545780133E52ED723FCC96A217194D8D1D694EBF59B19A55172609DCF627836EBF7A5A49191FC8A2BA0389BD2BE34DCD56D4BD1202A8B7666E
Malicious:	false
Preview:	e.=...F``.?./...f.=..#.&..?.5SmT4.<.W.....?R.z...<. ..(.?....vY.<.....k.?p.Y....=..y....?.8.'...<.Ku.C..?j...<{.=.2.<.5.?....d.=.....x.?."a....=.@.ic..?.%.[.9.=.......?kR..F..<..6D.C.?..._.<.5..Z..?..k..=....3..?.+xi(.<..G.&..?..r.ly.=.:..3S.?z....j.<...[..?..'....<.;!....?.h.....=...<...?...:...<....sd.?....3..=..?....?{.!m.B.<.<>....?....2.=.....2.?cM.yoG.=.V..sw.?8K...$.<....}..?C..l...<......?.-...<.'...F.?....{.<..$.R..?..)B..<..#....?.......<...c...?? ..~..<....F].?...&...=..../..?94...E.<.?.T9..?9...).<.l?.e/.?.B6.!F.=.u0w.u.?.M...=..k`(..?.......<.4.=...?Kp.....=.G".zI.?$.}Tw5.<....[..?....b.<..K.a..?.aF.7..=.V.j...?.T...y.<.R..e.?M]-..e.<.$..[..?3....<.....?..QZo..=.n..<.?1-.I.x.<.f.....?.I..]..=...O...?...x...=..#.$..?.n.z...=..) .].?....h..<..'.7..?y]h....=..Yg...?..S.c..<.b}....?...$..=.;..@.?OD...).=....=e.?:Q.]D\.<.......?FnH.AY.<.."...?.)B.p..=.)R.Q..?..{...<..L..0.?.U...<..d.N{.?...c.1.=.f..k..?iO...).=...m...?.....R.=.l[..].?..$.i.=.w/.d

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.970596137437225
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SoftWare(1).exe
File size:	1'229'340 bytes
MD5:	8e7a36f81e75c2d3867657fe3fe09206
SHA1:	64d91ff851907825620a24e77bb7c1ddf9e84c4d
SHA256:	06eee6980c796d8b091a20d06bc1d77bff77601622ac0cd9721dd1b4aefc0f33
SHA512:	eae3d62b60bbd293cb1ddcda87b2d2ef8639ec798b1ec49aa8305151c59e7c6ed134745b5b5e800a79aaa77a1b248f00fb65633fa357b1a47aff125c5c0e84d2
SSDEEP:	24576:d6XGZx0sb6KhM79Z/Vie3jPHSzQKMrAPbsO1T3b+iEA9tl9Tz5xm5H:c2ZxNz+7v/VdzhKMHO1TZEiVxm5H
TLSH:	764523974DFE10B3EAA32FB8606416225F7AF202487D1445625AAF8C2D30705AF77B63
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t...^...B...8.....

File Icon


Icon Hash:	06ece084ca1ada0c

Static PE Info

General

Entrypoint:	0x4038af
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x4F47E2E4 [Fri Feb 24 19:20:04 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	be41bf7b8cc010b614bd36bbca606973

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	10/10/2023 03:35:44 18/12/2026 11:17:34
Subject Chain	CN=Vivaldi Technologies AS, O=Vivaldi Technologies AS, STREET=M\xf8lleparken 6, L=Oslo, S=Oslo, C=NO, OID.1.3.6.1.4.1.311.60.2.1.3=NO, SERIALNUMBER=912 309 975, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	8E075E67B57EDAB05DE2ED5632BA0C6F
Thumbprint SHA-1:	F7A524AD45E585F8B71E6204B2583714151A08EF
Thumbprint SHA-256:	94BACA5F849BD741FFF1A7F30B4480CBC4541321D3A543551AEA97B7D5DC72B1
Serial:	0E6194E2779D531F896950FF

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 0040A268h
mov dword ptr [esp+14h], ebp
call dword ptr [00409030h]
push 00008001h
call dword ptr [004090B4h]
push ebp
call dword ptr [004092C0h]
push 00000008h
mov dword ptr [0047EB98h], eax
call 00007FF9D08F990Bh
push ebp
push 000002B4h
mov dword ptr [0047EAB0h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebp
push 0040A264h
call dword ptr [00409184h]
push 0040A24Ch
push 00476AA0h
call 00007FF9D08F95EDh
call dword ptr [004090B0h]
push eax
mov edi, 004CF0A0h
push edi
call 00007FF9D08F95DBh
push ebp
call dword ptr [00409134h]
cmp word ptr [004CF0A0h], 0022h
mov dword ptr [0047EAB8h], eax
mov eax, edi
jne 00007FF9D08F6EDAh
push 00000022h
pop esi
mov eax, 004CF0A2h
push esi
push eax
call 00007FF9D08F92B1h
push eax
call dword ptr [00409260h]
mov esi, eax
mov dword ptr [esp+1Ch], esi
jmp 00007FF9D08F6F63h
push 00000020h
pop ebx
cmp ax, bx
jne 00007FF9D08F6EDAh
add esi, 02h
cmp word ptr [esi], bx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ C ] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xac40	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x100000	0x2f0a6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x129394	0x2e88	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x86000	0x994	.ndata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9000	0x2d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x728c	0x7400	419d4e1be1ac35a5db9c47f553b27cea	False	0.6566540948275862	data	6.499708590628113	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0x2b6e	0x2c00	cca1ca3fbf99570f6de9b43ce767f368	False	0.3678977272727273	data	4.497932535153822	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc000	0x72b9c	0x200	77f0839f8ebea31040e462523e1c770e	False	0.279296875	data	1.8049406284608531	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x7f000	0x81000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x100000	0x2f0a6	0x2f200	37e37df6e822b0fcb4c465ebff8bdb7a	False	0.9557308935676393	data	7.810026548464792	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x130000	0xfd6	0x1000	5b331f8bfda5f87ec3bf2f7f3fd47660	False	0.56787109375	data	5.307545916589835	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x100268	0x28728	PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced	English	United States	0.976308609783186
RT_ICON	0x128990	0x4997	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced	English	United States	0.994426455756675
RT_ICON	0x12d328	0x1128	Device independent bitmap graphic, 32 x 64 x 32, image size 4352	English	United States	0.4612932604735883
RT_ICON	0x12e450	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.598404255319149
RT_DIALOG	0x12e8b8	0x100	data	English	United States	0.5234375
RT_DIALOG	0x12e9b8	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x12ead4	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x12eb34	0x3e	data	English	United States	0.8225806451612904
RT_VERSION	0x12eb74	0x25c	data	English	United States	0.5198675496688742
RT_MANIFEST	0x12edd0	0x2d6	XML 1.0 document, ASCII text, with very long lines (726), with no line terminators	English	United States	0.5647382920110193

Imports

DLL	Import
KERNEL32.dll	SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll	GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll	RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-27T22:57:31.067723+0100	2058514	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat)	1	192.168.2.5	65470	1.1.1.1	53	UDP
2024-12-27T22:57:31.291898+0100	2058502	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat)	1	192.168.2.5	51907	1.1.1.1	53	UDP
2024-12-27T22:57:31.612658+0100	2058492	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat)	1	192.168.2.5	52655	1.1.1.1	53	UDP
2024-12-27T22:57:31.923517+0100	2058500	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat)	1	192.168.2.5	53398	1.1.1.1	53	UDP
2024-12-27T22:57:32.234745+0100	2058510	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat)	1	192.168.2.5	53759	1.1.1.1	53	UDP
2024-12-27T22:57:32.456891+0100	2058484	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat)	1	192.168.2.5	51301	1.1.1.1	53	UDP
2024-12-27T22:57:32.765384+0100	2058512	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat)	1	192.168.2.5	52582	1.1.1.1	53	UDP
2024-12-27T22:57:33.072450+0100	2058480	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat)	1	192.168.2.5	61190	1.1.1.1	53	UDP
2024-12-27T22:57:35.008570+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49752	104.102.49.254	443	TCP
2024-12-27T22:57:35.771895+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.5	49752	104.102.49.254	443	TCP
2024-12-27T22:57:37.475591+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49758	104.21.66.86	443	TCP
2024-12-27T22:57:38.254781+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49758	104.21.66.86	443	TCP
2024-12-27T22:57:38.254781+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49758	104.21.66.86	443	TCP
2024-12-27T22:57:38.838882+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49764	104.21.66.86	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 22:57:33.623810053 CET	49752	443	192.168.2.5	104.102.49.254
Dec 27, 2024 22:57:33.623846054 CET	443	49752	104.102.49.254	192.168.2.5
Dec 27, 2024 22:57:33.623925924 CET	49752	443	192.168.2.5	104.102.49.254
Dec 27, 2024 22:57:33.625478029 CET	49752	443	192.168.2.5	104.102.49.254
Dec 27, 2024 22:57:33.625489950 CET	443	49752	104.102.49.254	192.168.2.5
Dec 27, 2024 22:57:35.008435965 CET	443	49752	104.102.49.254	192.168.2.5
Dec 27, 2024 22:57:35.008569956 CET	49752	443	192.168.2.5	104.102.49.254
Dec 27, 2024 22:57:35.012622118 CET	49752	443	192.168.2.5	104.102.49.254
Dec 27, 2024 22:57:35.012630939 CET	443	49752	104.102.49.254	192.168.2.5
Dec 27, 2024 22:57:35.013029099 CET	443	49752	104.102.49.254	192.168.2.5
Dec 27, 2024 22:57:35.056773901 CET	49752	443	192.168.2.5	104.102.49.254
Dec 27, 2024 22:57:35.099368095 CET	443	49752	104.102.49.254	192.168.2.5
Dec 27, 2024 22:57:35.771914959 CET	443	49752	104.102.49.254	192.168.2.5
Dec 27, 2024 22:57:35.771939039 CET	443	49752	104.102.49.254	192.168.2.5
Dec 27, 2024 22:57:35.771974087 CET	443	49752	104.102.49.254	192.168.2.5
Dec 27, 2024 22:57:35.771986961 CET	49752	443	192.168.2.5	104.102.49.254
Dec 27, 2024 22:57:35.771990061 CET	443	49752	104.102.49.254	192.168.2.5
Dec 27, 2024 22:57:35.772012949 CET	443	49752	104.102.49.254	192.168.2.5
Dec 27, 2024 22:57:35.772022009 CET	443	49752	104.102.49.254	192.168.2.5
Dec 27, 2024 22:57:35.772033930 CET	49752	443	192.168.2.5	104.102.49.254
Dec 27, 2024 22:57:35.772033930 CET	49752	443	192.168.2.5	104.102.49.254
Dec 27, 2024 22:57:35.772063971 CET	49752	443	192.168.2.5	104.102.49.254
Dec 27, 2024 22:57:35.970927954 CET	443	49752	104.102.49.254	192.168.2.5
Dec 27, 2024 22:57:35.970951080 CET	443	49752	104.102.49.254	192.168.2.5
Dec 27, 2024 22:57:35.970999002 CET	49752	443	192.168.2.5	104.102.49.254
Dec 27, 2024 22:57:35.971009016 CET	443	49752	104.102.49.254	192.168.2.5
Dec 27, 2024 22:57:35.971035957 CET	49752	443	192.168.2.5	104.102.49.254
Dec 27, 2024 22:57:35.971045017 CET	49752	443	192.168.2.5	104.102.49.254
Dec 27, 2024 22:57:35.986581087 CET	443	49752	104.102.49.254	192.168.2.5
Dec 27, 2024 22:57:35.986653090 CET	443	49752	104.102.49.254	192.168.2.5
Dec 27, 2024 22:57:35.986656904 CET	49752	443	192.168.2.5	104.102.49.254
Dec 27, 2024 22:57:35.986704111 CET	49752	443	192.168.2.5	104.102.49.254
Dec 27, 2024 22:57:35.988315105 CET	49752	443	192.168.2.5	104.102.49.254
Dec 27, 2024 22:57:35.988328934 CET	443	49752	104.102.49.254	192.168.2.5
Dec 27, 2024 22:57:35.988337994 CET	49752	443	192.168.2.5	104.102.49.254
Dec 27, 2024 22:57:35.988347054 CET	443	49752	104.102.49.254	192.168.2.5
Dec 27, 2024 22:57:36.212680101 CET	49758	443	192.168.2.5	104.21.66.86
Dec 27, 2024 22:57:36.212713003 CET	443	49758	104.21.66.86	192.168.2.5
Dec 27, 2024 22:57:36.212800026 CET	49758	443	192.168.2.5	104.21.66.86
Dec 27, 2024 22:57:36.213131905 CET	49758	443	192.168.2.5	104.21.66.86
Dec 27, 2024 22:57:36.213146925 CET	443	49758	104.21.66.86	192.168.2.5
Dec 27, 2024 22:57:37.475430012 CET	443	49758	104.21.66.86	192.168.2.5
Dec 27, 2024 22:57:37.475590944 CET	49758	443	192.168.2.5	104.21.66.86
Dec 27, 2024 22:57:37.477462053 CET	49758	443	192.168.2.5	104.21.66.86
Dec 27, 2024 22:57:37.477469921 CET	443	49758	104.21.66.86	192.168.2.5
Dec 27, 2024 22:57:37.477713108 CET	443	49758	104.21.66.86	192.168.2.5
Dec 27, 2024 22:57:37.479001045 CET	49758	443	192.168.2.5	104.21.66.86
Dec 27, 2024 22:57:37.479038000 CET	49758	443	192.168.2.5	104.21.66.86
Dec 27, 2024 22:57:37.479199886 CET	443	49758	104.21.66.86	192.168.2.5
Dec 27, 2024 22:57:38.254802942 CET	443	49758	104.21.66.86	192.168.2.5
Dec 27, 2024 22:57:38.254897118 CET	443	49758	104.21.66.86	192.168.2.5
Dec 27, 2024 22:57:38.254971981 CET	49758	443	192.168.2.5	104.21.66.86
Dec 27, 2024 22:57:38.255815983 CET	49758	443	192.168.2.5	104.21.66.86
Dec 27, 2024 22:57:38.255815983 CET	49758	443	192.168.2.5	104.21.66.86
Dec 27, 2024 22:57:38.255831957 CET	443	49758	104.21.66.86	192.168.2.5
Dec 27, 2024 22:57:38.255840063 CET	443	49758	104.21.66.86	192.168.2.5
Dec 27, 2024 22:57:38.260009050 CET	49764	443	192.168.2.5	104.21.66.86
Dec 27, 2024 22:57:38.260096073 CET	443	49764	104.21.66.86	192.168.2.5
Dec 27, 2024 22:57:38.260193110 CET	49764	443	192.168.2.5	104.21.66.86
Dec 27, 2024 22:57:38.260447979 CET	49764	443	192.168.2.5	104.21.66.86
Dec 27, 2024 22:57:38.260485888 CET	443	49764	104.21.66.86	192.168.2.5
Dec 27, 2024 22:57:38.838881969 CET	49764	443	192.168.2.5	104.21.66.86

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 22:56:59.993200064 CET	50690	53	192.168.2.5	1.1.1.1
Dec 27, 2024 22:57:00.230019093 CET	53	50690	1.1.1.1	192.168.2.5
Dec 27, 2024 22:57:30.839598894 CET	52420	53	192.168.2.5	1.1.1.1
Dec 27, 2024 22:57:31.063738108 CET	53	52420	1.1.1.1	192.168.2.5
Dec 27, 2024 22:57:31.067723036 CET	65470	53	192.168.2.5	1.1.1.1
Dec 27, 2024 22:57:31.288664103 CET	53	65470	1.1.1.1	192.168.2.5
Dec 27, 2024 22:57:31.291898012 CET	51907	53	192.168.2.5	1.1.1.1
Dec 27, 2024 22:57:31.608840942 CET	53	51907	1.1.1.1	192.168.2.5
Dec 27, 2024 22:57:31.612658024 CET	52655	53	192.168.2.5	1.1.1.1
Dec 27, 2024 22:57:31.921578884 CET	53	52655	1.1.1.1	192.168.2.5
Dec 27, 2024 22:57:31.923516989 CET	53398	53	192.168.2.5	1.1.1.1
Dec 27, 2024 22:57:32.230528116 CET	53	53398	1.1.1.1	192.168.2.5
Dec 27, 2024 22:57:32.234745026 CET	53759	53	192.168.2.5	1.1.1.1
Dec 27, 2024 22:57:32.453068972 CET	53	53759	1.1.1.1	192.168.2.5
Dec 27, 2024 22:57:32.456891060 CET	51301	53	192.168.2.5	1.1.1.1
Dec 27, 2024 22:57:32.762209892 CET	53	51301	1.1.1.1	192.168.2.5
Dec 27, 2024 22:57:32.765383959 CET	52582	53	192.168.2.5	1.1.1.1
Dec 27, 2024 22:57:33.069206953 CET	53	52582	1.1.1.1	192.168.2.5
Dec 27, 2024 22:57:33.072449923 CET	61190	53	192.168.2.5	1.1.1.1
Dec 27, 2024 22:57:33.469008923 CET	53	61190	1.1.1.1	192.168.2.5
Dec 27, 2024 22:57:33.472315073 CET	59885	53	192.168.2.5	1.1.1.1
Dec 27, 2024 22:57:33.609246969 CET	53	59885	1.1.1.1	192.168.2.5
Dec 27, 2024 22:57:35.990526915 CET	59034	53	192.168.2.5	1.1.1.1
Dec 27, 2024 22:57:36.211548090 CET	53	59034	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 27, 2024 22:56:59.993200064 CET	192.168.2.5	1.1.1.1	0xc9c0	Standard query (0)	DCNQHRSCEtLFmnzgofyjcgCPFn.DCNQHRSCEtLFmnzgofyjcgCPFn	A (IP address)	IN (0x0001)	false
Dec 27, 2024 22:57:30.839598894 CET	192.168.2.5	1.1.1.1	0xef6b	Standard query (0)	enterwahsh.biz	A (IP address)	IN (0x0001)	false
Dec 27, 2024 22:57:31.067723036 CET	192.168.2.5	1.1.1.1	0xa427	Standard query (0)	wordyfindy.lat	A (IP address)	IN (0x0001)	false
Dec 27, 2024 22:57:31.291898012 CET	192.168.2.5	1.1.1.1	0x495d	Standard query (0)	slipperyloo.lat	A (IP address)	IN (0x0001)	false
Dec 27, 2024 22:57:31.612658024 CET	192.168.2.5	1.1.1.1	0x451a	Standard query (0)	manyrestro.lat	A (IP address)	IN (0x0001)	false
Dec 27, 2024 22:57:31.923516989 CET	192.168.2.5	1.1.1.1	0x9590	Standard query (0)	shapestickyr.lat	A (IP address)	IN (0x0001)	false
Dec 27, 2024 22:57:32.234745026 CET	192.168.2.5	1.1.1.1	0xc6ba	Standard query (0)	talkynicer.lat	A (IP address)	IN (0x0001)	false
Dec 27, 2024 22:57:32.456891060 CET	192.168.2.5	1.1.1.1	0xe54	Standard query (0)	curverpluch.lat	A (IP address)	IN (0x0001)	false
Dec 27, 2024 22:57:32.765383959 CET	192.168.2.5	1.1.1.1	0xb11b	Standard query (0)	tentabatte.lat	A (IP address)	IN (0x0001)	false
Dec 27, 2024 22:57:33.072449923 CET	192.168.2.5	1.1.1.1	0x1f44	Standard query (0)	bashfulacid.lat	A (IP address)	IN (0x0001)	false
Dec 27, 2024 22:57:33.472315073 CET	192.168.2.5	1.1.1.1	0x3110	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Dec 27, 2024 22:57:35.990526915 CET	192.168.2.5	1.1.1.1	0x96ad	Standard query (0)	lev-tolstoi.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 27, 2024 22:57:00.230019093 CET	1.1.1.1	192.168.2.5	0xc9c0	Name error (3)	DCNQHRSCEtLFmnzgofyjcgCPFn.DCNQHRSCEtLFmnzgofyjcgCPFn	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 22:57:31.063738108 CET	1.1.1.1	192.168.2.5	0xef6b	Name error (3)	enterwahsh.biz	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 22:57:31.288664103 CET	1.1.1.1	192.168.2.5	0xa427	Name error (3)	wordyfindy.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 22:57:31.608840942 CET	1.1.1.1	192.168.2.5	0x495d	Name error (3)	slipperyloo.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 22:57:31.921578884 CET	1.1.1.1	192.168.2.5	0x451a	Name error (3)	manyrestro.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 22:57:32.230528116 CET	1.1.1.1	192.168.2.5	0x9590	Name error (3)	shapestickyr.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 22:57:32.453068972 CET	1.1.1.1	192.168.2.5	0xc6ba	Name error (3)	talkynicer.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 22:57:32.762209892 CET	1.1.1.1	192.168.2.5	0xe54	Name error (3)	curverpluch.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 22:57:33.069206953 CET	1.1.1.1	192.168.2.5	0xb11b	Name error (3)	tentabatte.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 22:57:33.469008923 CET	1.1.1.1	192.168.2.5	0x1f44	Name error (3)	bashfulacid.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 27, 2024 22:57:33.609246969 CET	1.1.1.1	192.168.2.5	0x3110	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Dec 27, 2024 22:57:36.211548090 CET	1.1.1.1	192.168.2.5	0x96ad	No error (0)	lev-tolstoi.com		104.21.66.86	A (IP address)	IN (0x0001)	false
Dec 27, 2024 22:57:36.211548090 CET	1.1.1.1	192.168.2.5	0x96ad	No error (0)	lev-tolstoi.com		172.67.157.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

lev-tolstoi.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49752	104.102.49.254	443	7676	C:\Users\user\AppData\Local\Temp\250478\Epson.com

Timestamp	Bytes transferred	Direction	Data
2024-12-27 21:57:35 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-12-27 21:57:35 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Fri, 27 Dec 2024 21:57:35 GMT Content-Length: 35121 Connection: close Set-Cookie: sessionid=1027947316a0eccdb173bbe6; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-27 21:57:35 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-27 21:57:35 UTC	16384	IN	Data Raw: 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a 09 09 09 09 53 55 50 50 4f 52 54 09 Data Ascii: .com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPORT
2024-12-27 21:57:35 UTC	3768	IN	Data Raw: 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 61 63 74 69 6f 6e 73 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 3c 2f 64 69 76 3e 0a 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 73 75 6d 6d 61 72 79 22 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 20 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 5f 73 70 61 63 65 72 22 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 22 3e 0a 09 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 63 74 75 61 6c 5f 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 22 Data Ascii: </div><div class="profile_header_actions"></div></div><div class="profile_header_summary"><div class="persona_name persona_name_spacer" style="font-size: 24px;"><span class="actual_persona_name"
2024-12-27 21:57:35 UTC	490	IN	Data Raw: 72 20 41 67 72 65 65 6d 65 6e 74 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 26 6e 62 73 70 3b 7c 20 26 6e 62 73 70 3b 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 63 63 6f 75 6e 74 2f 63 6f 6f 6b 69 65 70 72 65 66 65 72 65 6e 63 65 73 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6f 6f 6b 69 65 73 3c 2f 61 3e 0a 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 65 73 70 6f 6e 73 69 76 65 5f 6f 70 74 69 6e 5f 6c 69 6e 6b 22 3e 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 74 Data Ascii: r Agreement</a>  \|  <a href="http://store.steampowered.com/account/cookiepreferences/" target="_blank">Cookies</a></span></span></div><div class="responsive_optin_link"><div class="bt

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49758	104.21.66.86	443	7676	C:\Users\user\AppData\Local\Temp\250478\Epson.com

Timestamp	Bytes transferred	Direction	Data
2024-12-27 21:57:37 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: lev-tolstoi.com
2024-12-27 21:57:37 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-27 21:57:38 UTC	1127	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 21:57:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=4l86uj82m7chvorcbhhp4hu9tt; expires=Tue, 22 Apr 2025 15:44:16 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3OA%2BsGbgheS%2FzxJPuBBu6yi3yRPOXbqxPHIk6gMQxx%2FZiYDC45f24fe3cjo5jv5ql9SpSbwUp0UgyFnsPD2sKk7zAR3kQBxnb%2BnnfbwjL6bh3YtrV%2FcnhwR8RQytnnGBQpU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8c913efa5a8c2f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1822&min_rtt=1814&rtt_var=697&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=906&delivery_rate=1551540&cwnd=228&unsent_bytes=0&cid=cb758b9c0f6b250c&ts=790&x=0"
2024-12-27 21:57:38 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-27 21:57:38 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	16:56:53
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\SoftWare(1).exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SoftWare(1).exe"
Imagebase:	0x400000
File size:	1'229'340 bytes
MD5 hash:	8E7A36F81E75C2D3867657FE3FE09206
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:56:54
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c move Representation Representation.cmd & Representation.cmd
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	16:56:54
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	16:56:56
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x730000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	16:56:56
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "opssvc wrsa"
Imagebase:	0x3d0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	16:56:57
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x730000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	16:56:57
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Imagebase:	0x3d0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	16:56:57
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 250478
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	16:56:57
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\extrac32.exe
Wow64 process (32bit):	true
Commandline:	extrac32 /Y /E Katrina
Imagebase:	0xd30000
File size:	29'184 bytes
MD5 hash:	9472AAB6390E4F1431BAA912FCFF9707
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	16:56:58
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "JIM" Accepting
Imagebase:	0x3d0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	16:56:58
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Marco + ..\Dodge + ..\Loops + ..\Conclude + ..\Hydraulic + ..\Concern m
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	16:56:58
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\250478\Epson.com
Wow64 process (32bit):	true
Commandline:	Epson.com m
Imagebase:	0xf50000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	16:56:58
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0x5b0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	17.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21%
Total number of Nodes:	1482
Total number of Limit Nodes:	26

Executed Functions

Function 004050F9 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040515B
GetDlgItem.USER32(?,000003EE), ref: 0040516A
GetClientRect.USER32(?,?), ref: 004051C2
GetSystemMetrics.USER32(00000015), ref: 004051CA
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051EB
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051FC
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040520F
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040521D
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405230
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405252
ShowWindow.USER32(?,00000008), ref: 00405266
GetDlgItem.USER32(?,000003EC), ref: 00405287
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405297
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052AC
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052B8
GetDlgItem.USER32(?,000003F8), ref: 00405179

Part of subcall function 00403DC4: SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00426D79,759223A0,00000000), ref: 00406902

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

GetDlgItem.USER32(?,000003EC), ref: 004052D7
CreateThread.KERNELBASE(00000000,00000000,Function_00005073,00000000), ref: 004052E5
CloseHandle.KERNELBASE(00000000), ref: 004052EC
ShowWindow.USER32(00000000), ref: 00405313
ShowWindow.USER32(?,00000008), ref: 00405318
ShowWindow.USER32(00000008), ref: 0040535F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405391
CreatePopupMenu.USER32 ref: 004053A2
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004053B7
GetWindowRect.USER32(?,?), ref: 004053CA
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053EC
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405427
OpenClipboard.USER32(00000000), ref: 00405437
EmptyClipboard.USER32 ref: 0040543D
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00405449
GlobalLock.KERNEL32(00000000), ref: 00405453
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405467
GlobalUnlock.KERNEL32(00000000), ref: 00405489
SetClipboardData.USER32(0000000D,00000000), ref: 00405494
CloseClipboard.USER32 ref: 0040549A

Strings

New install of "%s" to "%s", xrefs: 004051AE
{, xrefs: 0040537E

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: New install of "%s" to "%s"${
API String ID: 2110491804-1641061399
Opcode ID: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
Instruction ID: db3ff0878cedf1d1b3e6f9985675ba3e3c8e3ad145c0decdf5c07b0ce3ef5d1a
Opcode Fuzzy Hash: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
Instruction Fuzzy Hash: 46B15970900609BFEB11AFA1DD89EAE7B79FB04354F00803AFA05BA1A1C7755E81DF58

Function 004038AF Relevance: 52.8, APIs: 22, Strings: 8, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038CE
SetErrorMode.KERNELBASE(00008001), ref: 004038D9
OleInitialize.OLE32(00000000), ref: 004038E0

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

SHGetFileInfoW.SHELL32(0040A264,00000000,?,000002B4,00000000), ref: 00403908

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetCommandLineW.KERNEL32(00476AA0,NSIS Error), ref: 0040391D
GetModuleHandleW.KERNEL32(00000000,004CF0A0,00000000), ref: 00403930
CharNextW.USER32(00000000,004CF0A0,00000020), ref: 00403957
GetTempPathW.KERNEL32(00002004,004E30C8,00000000,00000020), ref: 00403A2C
GetWindowsDirectoryW.KERNEL32(004E30C8,00001FFF), ref: 00403A41
lstrcatW.KERNEL32(004E30C8,\Temp), ref: 00403A4D
DeleteFileW.KERNELBASE(004DF0C0), ref: 00403A64
CoUninitialize.COMBASE(?), ref: 00403AFD
ExitProcess.KERNEL32 ref: 00403B1D
lstrcatW.KERNEL32(004E30C8,~nsu.tmp), ref: 00403B29
lstrcmpiW.KERNEL32(004E30C8,004DB0B8,004E30C8,~nsu.tmp), ref: 00403B35
CreateDirectoryW.KERNEL32(004E30C8,00000000), ref: 00403B41
SetCurrentDirectoryW.KERNEL32(004E30C8), ref: 00403B48
DeleteFileW.KERNEL32(0043DD40,0043DD40,?,00483008,0040A204,0047F000,?), ref: 00403B99
CopyFileW.KERNEL32(004EB0D8,0043DD40,00000001), ref: 00403BAD
CloseHandle.KERNEL32(00000000,0043DD40,0043DD40,?,0043DD40,00000000), ref: 00403BDA
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C30
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C6C

Strings

/D=, xrefs: 004039D2
NCRC, xrefs: 004039A8
~nsu.tmp, xrefs: 00403B23
\Temp, xrefs: 00403A47
Error launching installer, xrefs: 00403AA9
SeShutdownPrivilege, xrefs: 00403C42
_?=, xrefs: 00403A90
NSIS Error, xrefs: 0040390E

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 2435955865-3712954417
Opcode ID: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction ID: 6e3717b9be2730fff72f59090edb21b77de3e5055cb75e9aafb2752c1f1d7b94
Opcode Fuzzy Hash: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction Fuzzy Hash: 1DA1E6715443117AD720BF629C4AE1B7EACAB0470AF10443FF545B62D2D7BD8A448BAE

Function 00406301 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
FindClose.KERNEL32(00000000), ref: 00406318

Strings

jF, xrefs: 00406302

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: jF
API String ID: 2295610775-3349280890
Opcode ID: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction ID: ae54cbf5f70e9060ab25dbcc7d0ddb8e13a77f3b50f8061b144b06f1ffcf0783
Opcode Fuzzy Hash: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction Fuzzy Hash: C8D01231A141215BD7105778AD0C89B7E9CDF0A330366CA32F866F11F5D3348C2186ED

Function 00406328 Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
GetProcAddress.KERNEL32(00000000), ref: 00406353

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction ID: 7c6873576e710d3586a353c563cf751ff2fc1cfd2ce2d1275f1b712779c4e249
Opcode Fuzzy Hash: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction Fuzzy Hash: A8D01232200111D7C7005FA5AD48A5FB77DAE95A11706843AF902F3171E734D911E6EC

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004D70B0,?,000000E6,004100F0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,004100F0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

Rename on reboot: %s, xrefs: 00401943
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
Sleep(%d), xrefs: 0040169D
SetFileAttributes failed., xrefs: 004017A1
BringToFront, xrefs: 004016BD
Jump: %d, xrefs: 00401602
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
detailprint: %s, xrefs: 00401679
CreateDirectory: "%s" created, xrefs: 00401849
Rename: %s, xrefs: 004018F8
Aborting: "%s", xrefs: 0040161D
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
Call: %d, xrefs: 0040165A
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
CreateDirectory: "%s" (%d), xrefs: 004017BF
SetFileAttributes: "%s":%08X, xrefs: 0040177B
Rename failed: %s, xrefs: 0040194B

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
Instruction ID: d546d874ac51cf0a7c72b7d7aee7a5a926bf82a1b22bfeef9e4f81a1fba4758f
Opcode Fuzzy Hash: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
Instruction Fuzzy Hash: 9EB1F435A00214ABDB10BFA1DD55DAE3F69EF44324B21817FF806B61E2DA3D4E40C66D

Function 004054A5 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054E1
ShowWindow.USER32(?), ref: 004054FE
DestroyWindow.USER32 ref: 00405512
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040552E
GetDlgItem.USER32(?,?), ref: 0040554F
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405563
IsWindowEnabled.USER32(00000000), ref: 0040556A
GetDlgItem.USER32(?,00000001), ref: 00405619
GetDlgItem.USER32(?,00000002), ref: 00405623
SetClassLongW.USER32(?,000000F2,?), ref: 0040563D
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040568E
GetDlgItem.USER32(?,00000003), ref: 00405734
ShowWindow.USER32(00000000,?), ref: 00405756
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00405768
EnableWindow.USER32(?,?), ref: 00405783
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405799
EnableMenuItem.USER32(00000000), ref: 004057A0
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004057B8
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004057CB
lstrlenW.KERNEL32(00451D98,?,00451D98,00476AA0), ref: 004057F4
SetWindowTextW.USER32(?,00451D98), ref: 00405808
ShowWindow.USER32(?,0000000A), ref: 0040593C

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction ID: f960999a9681c69a960cfafceaa395f4ab6c0ab2fcbff8166cb7657a87eea2d0
Opcode Fuzzy Hash: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction Fuzzy Hash: 13C189B1500A04FBDB216F61ED89E2B7BA9EB49715F00093EF506B11F1C6399881DF2E

Function 00405958 Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

lstrcatW.KERNEL32(004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0,-00000002,00000000,004E30C8,00403AED,?), ref: 004059DA
lstrlenW.KERNEL32(0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0), ref: 00405A5C
lstrcmpiW.KERNEL32(0046E218,.exe,0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000), ref: 00405A6F
GetFileAttributesW.KERNEL32(0046E220), ref: 00405A7A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D30A8), ref: 00405AE3
RegisterClassW.USER32(00476A40), ref: 00405B36
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B4E
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B87

Part of subcall function 00403EC1: SetWindowTextW.USER32(00000000,00476AA0), ref: 00403F5C

ShowWindow.USER32(00000005,00000000), ref: 00405BBD
LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BCE
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BD9
GetClassInfoW.USER32(00000000,RichEdit20A,00476A40), ref: 00405BE9
GetClassInfoW.USER32(00000000,RichEdit,00476A40), ref: 00405BF6
RegisterClassW.USER32(00476A40), ref: 00405BFF
DialogBoxParamW.USER32(?,00000000,004054A5,00000000), ref: 00405C1E

Strings

.DEFAULT\Control Panel\International, xrefs: 004059C5
RichEdit, xrefs: 00405BF0
F, xrefs: 00405A22
RichEdit20A, xrefs: 00405BE2, 00405BE7
RichEd20, xrefs: 00405BC9
"F, xrefs: 00405A4B
Control Panel\Desktop\ResourceLocale, xrefs: 0040599E
_Nb, xrefs: 00405AFD
RichEd32, xrefs: 00405BD4
.exe, xrefs: 00405A69
@jG, xrefs: 00405AF2

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: F$"F$.DEFAULT\Control Panel\International$.exe$@jG$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-2746725676
Opcode ID: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction ID: c846f8899feab6000a015ad3d9ba4b80e1385b5ee8e185a3118195eaaf4def2f
Opcode Fuzzy Hash: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction Fuzzy Hash: 53719175600705AEE710AB65AD89E2B37ACEB44718F00453FF906B62E2D778AC41CF6D

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

lstrcatW.KERNEL32(00000000,00000000,LikedShortcutsGives,004D70B0,00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,LikedShortcutsGives,LikedShortcutsGives,00000000,00000000,LikedShortcutsGives,004D70B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00426D79,759223A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00426D79,759223A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00426D79,759223A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Strings

LikedShortcutsGives, xrefs: 00401A53, 00401A5C, 00401A69, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: error, user cancel, xrefs: 00401B93
File: error creating "%s", xrefs: 00401AF0
File: error, user retry, xrefs: 00401B40
File: wrote %d to "%s", xrefs: 00401BD0
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
File: error, user abort, xrefs: 00401B53

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$LikedShortcutsGives
API String ID: 4286501637-3644761111
Opcode ID: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
Instruction ID: 90fa90950dbbf035c4f81507b49f49b55cd41b97b653845b504dd01eb698d819
Opcode Fuzzy Hash: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
Instruction Fuzzy Hash: 8B512931901214BADB10BBB5CC46EEE3979EF05378B20423FF416B11E2DB3C9A518A6D

Function 0040337F Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 175
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033F1
GetTickCount.KERNEL32 ref: 00403492
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004034BB
wsprintfW.USER32 ref: 004034CE
WriteFile.KERNELBASE(00000000,00000000,00426D79,00403792,00000000), ref: 004034FF
WriteFile.KERNEL32(00000000,00420170,?,00000000,00000000,00420170,?,000000FF,00000004,00000000,00000000,00000000), ref: 00403597

Strings

(]C, xrefs: 004033FD
... %d%%, xrefs: 004034C8
y-B, xrefs: 00403458, 0040346A
ymB, xrefs: 0040346F, 0040348A, 00403513
pAB, xrefs: 004033AB

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: (]C$... %d%%$pAB$y-B$ymB
API String ID: 651206458-981595158
Opcode ID: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
Instruction ID: 38da17626370685da8d32df628044978fcb9abff53cdf920ebdff1c577d6aec0
Opcode Fuzzy Hash: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
Instruction Fuzzy Hash: BE615D71900219EBCF10DF69ED8469E7FBCAB54356F10413BE810B72A0D7789E90CBA9

Function 004035B3 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004035C4
GetModuleFileNameW.KERNEL32(00000000,004EB0D8,00002004,?,?,?,00000000,00403A73,?), ref: 004035E0

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

GetFileSize.KERNEL32(00000000,00000000,004EF0E0,00000000,004DB0B8,004DB0B8,004EB0D8,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 0040362C

Strings

Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037F1
Inst, xrefs: 00403698
Error launching installer, xrefs: 00403603
soft, xrefs: 004036A1
Null, xrefs: 004036AA

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
Instruction ID: dd9ffda97dac1e18d9081c595fe0b3a994810ea71df15e1d022794f6b5594c79
Opcode Fuzzy Hash: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
Instruction Fuzzy Hash: 8551B8B1900214AFDB20DFA5DC85B9E7EACAB1435AF60857BF905B72D1C7389E408B5C

Function 00404F9E Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(00445D80,00426D79,759223A0,00000000), ref: 00404FD6
lstrlenW.KERNEL32(004034E5,00445D80,00426D79,759223A0,00000000), ref: 00404FE6
lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00426D79,759223A0,00000000), ref: 00404FF9
SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00426D79,759223A0,00000000), ref: 00406902

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction ID: 2ad3572104664f977ebc3f2c903ed8e4223e657edd1a0c85de02785a0cf57670
Opcode Fuzzy Hash: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction Fuzzy Hash: CD219DB1800518BBDF119F65CD849CFBFB9EF45714F10803AF905B22A1C7794A909B98

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GlobalFree.KERNELBASE(00785918), ref: 00402387

Strings

LikedShortcutsGives, xrefs: 00401EFB, 00401F00, 00401F1A
Exch: stack < %d elements, xrefs: 00401ED8
Pop: stack empty, xrefs: 00401F2C

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: Exch: stack < %d elements$LikedShortcutsGives$Pop: stack empty
API String ID: 1459762280-1698058190
Opcode ID: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
Instruction ID: 50a08f61e59307d203ec8fda99e8a78aa4432658e9e299f93ea532572e85a124
Opcode Fuzzy Hash: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
Instruction Fuzzy Hash: 4921FF72640001EBD710EF98DD81A6E77A8AA04358720413BF503F32E1DB799C11966D

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00409838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

GlobalFree.KERNELBASE(00785918), ref: 00402387

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
Instruction ID: 214764af72b390ffa64cdeb44d1c6cd0e8ca06a9e3a7070d0c65f9f565939ffa
Opcode Fuzzy Hash: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
Instruction Fuzzy Hash: 0D112572A0010AAFDF00EFA1D9459AEBBB8EF08344B10447AF606F61A1D7798A40CB18

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
Instruction ID: eb70b36e00a6049791e454e439637436730f967712bedb277b0d85a94317bb29
Opcode Fuzzy Hash: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
Instruction Fuzzy Hash: 7F016171600205FFEB14AF60DD4CE9E3B78EB05359F10443AF606B91E2D6799D81DB68

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

LikedShortcutsGives, xrefs: 00402770
WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
<RM>, xrefs: 00402713

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: <RM>$LikedShortcutsGives$WriteINIStr: wrote [%s] %s=%s in %s
API String ID: 247603264-3062818838
Opcode ID: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction ID: 073f588d32262f2f2aee4dc53e9f390c64699363c3e1a285ed73a3087a8005e5
Opcode Fuzzy Hash: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction Fuzzy Hash: FF014471D4022AABCB117FA68DC99EE7978AF08345B10403FF115761E3D7B80940CBAD

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00426D79,759223A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00426D79,759223A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00426D79,759223A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004D70B0,?), ref: 00402202

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
Instruction ID: 745ed8f2a75272e62c3db2eabdadd847eb541a5ed47e1f4d533bb28834579f01
Opcode Fuzzy Hash: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
Instruction Fuzzy Hash: CD01F7B2B4021076D72076B69C87FAB2A5CDB81768B20447BF502F60D3E57D8C40D138

Function 00405EAB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405EC9
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040382A,004DF0C0,004E30C8), ref: 00405EE4

Strings

nsa, xrefs: 00405EB8

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction ID: e8a8b8b1c64af8904643f6899c21fc71a506a3659d4cdc328e790c9301f5e3ed
Opcode Fuzzy Hash: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction Fuzzy Hash: D8F09076600208BBDB10CF69DD05A9FBBBDEF95710F00803BE944E7250E6B09E50DB98

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
Instruction ID: f8c041d4f94449417b74c9df8c85987c6128e61f091d6cc810bdb42da7a8293a
Opcode Fuzzy Hash: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
Instruction Fuzzy Hash: 13E0D832A04110DBDB08FFF5A64959E76B4EE9532A72104BFE103F61D2DA7D4D01C62D

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction ID: 11189a7010c7ef4f551f6273c6f502c25af520ce36bbf29b1e3929f99495605f
Opcode Fuzzy Hash: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction Fuzzy Hash: 64F02831A10220DBD7165B349C08B273799BB81354F258637F819F62F2D2B8CC41CB4C

Function 00405E7C Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction ID: 4537c79132fc6b4e07af9f6f4ddc5e1db4475248beafdc935845b7fb5ee8fdc2
Opcode Fuzzy Hash: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction Fuzzy Hash: 08D09E71558202EFEF098F60DD1AF6EBBA2EB94B00F11852CB252550F1D6B25819DB15

Function 00405E5C Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406EAD,?,?,?), ref: 00405E60
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E73

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction ID: cfdb79520ecdf627421b2718222ef799ef1344ba1afc56e39be72dea6d7b0432
Opcode Fuzzy Hash: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction Fuzzy Hash: 25C04C71404905BBDA015B34DE09D1BBB66EFA1331B648735F4BAE01F1C7358C65DA19

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033D2,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction ID: 6ac59f4cb3fe35c1316d0bdd9a7bfda3bd496f009ebd6252a63c396af269f63e
Opcode Fuzzy Hash: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction Fuzzy Hash: 17E08C32650118FFDB109EA69C84EE73B5CFB047A2F00C432BD55E5190DA30DA00EBA4

Function 004037F8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

CreateDirectoryW.KERNELBASE(004E30C8,00000000,004E30C8,004E30C8,004E30C8,-00000002,00403A37), ref: 00403819

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction ID: c72586207ca4fe3275e323c6ce7a55902ce0015f7edb1a19efdc0f2786dab76c
Opcode Fuzzy Hash: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction Fuzzy Hash: 52D0921218293121C66237663D0ABCF195C4F92B2EB0280B7F942B61D69B6C4A9285EE

Function 00403DDB Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
Instruction ID: 85c9fcbfeeb581dd75f9c62538f5ff43d76368f59f1a6e3d2bff8e12452ff276
Opcode Fuzzy Hash: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
Instruction Fuzzy Hash: 0FC04C75644201BBDA108B509D45F077759AB90701F1584257615F50E0C674D550D62C

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403786,?,?,?,?,00000000,00403A73,?), ref: 00403376

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction ID: a45aac6c24818fd8413ddab5752014fb5f73d741524c96ff6ff4c62981ea4fba
Opcode Fuzzy Hash: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction Fuzzy Hash: 83B01231640200FFEA214F50DE09F06BB21B794700F208430B350380F082711820EB0C

Function 00403DC4 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
Instruction ID: 19f7ed481b0b3084dfc48602985d3e47af739273f13ec77122cd0735a5794091
Opcode Fuzzy Hash: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
Instruction Fuzzy Hash: CCB01235181200BBDE514B00DE0AF867F62F7A8701F008574B305640F0C6B204E0DB09

Function 00403DB1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00405779), ref: 00403DBB

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
Instruction ID: a171dc49094d5971c6211130fd655c06747b54d01a1b52cbafa865c71f5bacad
Opcode Fuzzy Hash: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
Instruction Fuzzy Hash: 2CA001BA845500ABCA439B60EF0988ABA62BBA5701B11897AE6565103587325864EB19

Non-executed Functions

Function 004049A8 Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 004049BF
GetDlgItem.USER32(?,00000408), ref: 004049CC
GlobalAlloc.KERNEL32(00000040,?), ref: 00404A1B
LoadBitmapW.USER32(0000006E), ref: 00404A2E
SetWindowLongW.USER32(?,000000FC,Function_000048F8), ref: 00404A48
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A5A
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A6E
SendMessageW.USER32(?,00001109,00000002), ref: 00404A84
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A90
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404AA0
DeleteObject.GDI32(?), ref: 00404AA5
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AD0
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404ADC
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B7D
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404BA0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404BB1
GetWindowLongW.USER32(?,000000F0), ref: 00404BDB
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BEA
ShowWindow.USER32(?,00000005), ref: 00404BFB
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CF9
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D54
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D69
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D8D
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404DB3
ImageList_Destroy.COMCTL32(?), ref: 00404DC8
GlobalFree.KERNEL32(?), ref: 00404DD8
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E48
SendMessageW.USER32(?,00001102,?,?), ref: 00404EF6
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404F05
InvalidateRect.USER32(?,00000000,00000001), ref: 00404F25
ShowWindow.USER32(?,00000000), ref: 00404F75
GetDlgItem.USER32(?,000003FE), ref: 00404F80
ShowWindow.USER32(00000000), ref: 00404F87

Strings

N, xrefs: 00404C32
, xrefs: 00404F65
@, xrefs: 00404BBC
M, xrefs: 00404B6F

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction ID: ef4bce446953bc7ec7e60756d12a1063aab4f745b4df8f164389f1335a379dc2
Opcode Fuzzy Hash: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction Fuzzy Hash: 7B028DB090020AAFEF109F95CD45AAE7BB5FB84314F10417AF611BA2E1C7B89D91CF58

Function 00406CC7 Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004CF0A0), ref: 00406CE4
lstrcatW.KERNEL32(00467470,\*.*,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D35
lstrcatW.KERNEL32(?,00409838,?,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D55
lstrlenW.KERNEL32(?), ref: 00406D58
FindFirstFileW.KERNEL32(00467470,?), ref: 00406D6C
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E4E
FindClose.KERNEL32(?), ref: 00406E5F

Strings

RMDir: RemoveDirectory failed("%s"), xrefs: 00406EDC
Delete: DeleteFile on Reboot("%s"), xrefs: 00406E0C
Delete: DeleteFile failed("%s"), xrefs: 00406E29
RMDir: RemoveDirectory("%s"), xrefs: 00406E9B
\*.*, xrefs: 00406D2F
RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EBF
ptF, xrefs: 00406D1A
Delete: DeleteFile("%s"), xrefs: 00406DE8
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E84

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*$ptF
API String ID: 2035342205-1650287579
Opcode ID: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
Instruction ID: e61cf0fe73e9c947a39cb72df690d6d83a08ee9d5dae9ef8ba60e8d8024aa79e
Opcode Fuzzy Hash: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
Instruction Fuzzy Hash: 3E51D225604305AADB11AB71CC49A7F37B89F41728F22803FF803761D2DB7C49A1D6AE

Function 004044D1 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 00404525
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404533
GetDlgItem.USER32(?,000003FB), ref: 00404553
GetAsyncKeyState.USER32(00000010), ref: 0040455A
GetDlgItem.USER32(?,000003F0), ref: 0040456F
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404580
SetWindowTextW.USER32(?,?), ref: 004045AF
SHBrowseForFolderW.SHELL32(?), ref: 00404669
lstrcmpiW.KERNEL32(0046E220,00451D98,00000000,?,?), ref: 004046A6
lstrcatW.KERNEL32(?,0046E220), ref: 004046B2
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004046C2
CoTaskMemFree.OLE32(00000000), ref: 00404674

Part of subcall function 00405CB0: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403FAD), ref: 00405CC3

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Part of subcall function 00403EA0: lstrcatW.KERNEL32(00000000,00000000,00476240,004D30A8,install.log,00405AC8,004D30A8,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006), ref: 00403EBB

GetDiskFreeSpaceW.KERNEL32(0044DD90,?,?,0000040F,?,0044DD90,0044DD90,?,00000000,0044DD90,?,?,000003FB,?), ref: 00404785
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047A0

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00426D79,759223A0,00000000), ref: 00406902

SetDlgItemTextW.USER32(00000000,00000400,0040A264), ref: 00404819

Strings

A, xrefs: 00404662
F, xrefs: 004046A0

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: F$A
API String ID: 3347642858-1281894373
Opcode ID: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
Instruction ID: 610cab7253faed09e83e35c18a41c8795a2522a57bd741f73bb79fe4ae4f2c97
Opcode Fuzzy Hash: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
Instruction Fuzzy Hash: A3B181B1900209BBDB11AFA1CC85AAF7BB8EF45315F10843BFA05B72D1D77C9A418B59

Function 00406EFE Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F5C
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FD5
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FE1
lstrcmpA.KERNEL32(name,?), ref: 00406FF3
CloseHandle.KERNEL32(?), ref: 00407212

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

name, xrefs: 00406FEB
%s: failed opening file "%s", xrefs: 00406F38
GetTTFNameString, xrefs: 00406F33

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction ID: 0b41acfa2c3272d6dc61f6848418d9961a63ce1f0aee58dce5ac99f5834af97b
Opcode Fuzzy Hash: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction Fuzzy Hash: 8491CB70D1412DAADF05EBE5C9908FEBBBAEF58301F00406AF592F7290E2385A05DB75

Function 00406831 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00426D79,759223A0,00000000), ref: 00406902
GetSystemDirectoryW.KERNEL32(0046E220,00002004), ref: 00406984

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetWindowsDirectoryW.KERNEL32(0046E220,00002004), ref: 00406997
lstrcatW.KERNEL32(0046E220,\Microsoft\Internet Explorer\Quick Launch), ref: 00406A11
lstrlenW.KERNEL32(0046E220,00445D80,?,00000000,00404FD5,00445D80,00000000,00426D79,759223A0,00000000), ref: 00406A73

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406A0B
F, xrefs: 00406A7F
F, xrefs: 00406858
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406952

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: F$ F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-1792361021
Opcode ID: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction ID: 94ababd57b57874809535cfc920d07d17cc92350817822ff6505e5e4c02fddf3
Opcode Fuzzy Hash: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction Fuzzy Hash: 9E71D6B1A00112ABDF20AF69CC44A7A3775AB55314F12C13BE907B66E0E73C89A1DB59

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0040AC30,?,00000001,0040AC10,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction ID: 17e7a05f0d3b91d3be5025a92c0a08315d4604efbe7233a371b14ee5b096337f
Opcode Fuzzy Hash: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction Fuzzy Hash: 9E416E74A00205BFCB04EFA0CC99EAE7B79EF48314B20456AF915EB3D1C679A941CB54

Function 004079A2 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
Instruction ID: f621f802e1b16f1afd83cb625a9a5dfb13386b99c5f5a138cca70abed5397206
Opcode Fuzzy Hash: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
Instruction Fuzzy Hash: CEE17A71D04218DFCF14CF94D980AAEBBB1AF45301F1981ABEC55AF286D738AA41CF95

Function 0040737E Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
Instruction ID: 563abc6a1943806f9f153a5c0538de096a4a033458f435c3a5efc50f2cd88ab2
Opcode Fuzzy Hash: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
Instruction Fuzzy Hash: 67C16831A042598FCF18CF68C9805ED7BA2FF89314F25862AED56A7384E335BC45CB85

Function 004063D8 Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063EB
lstrlenW.KERNEL32(?), ref: 004063F8
GetVersionExW.KERNEL32(?), ref: 00406456

Part of subcall function 00406057: CharUpperW.USER32(?,0040642D,?), ref: 0040605D

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406495
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004064B4
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004064BE
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004064C9
FreeLibrary.KERNEL32(00000000), ref: 00406500
GlobalFree.KERNEL32(?), ref: 00406509

Strings

Kernel32.DLL, xrefs: 004065C7
Module32FirstW, xrefs: 004065FF
GetModuleBaseNameW, xrefs: 004064C0
PSAPI.DLL, xrefs: 00406490
EnumProcessModules, xrefs: 004064B6
Unknown, xrefs: 00406528
CreateToolhelp32Snapshot, xrefs: 004065E1
Module32NextW, xrefs: 0040660A
EnumProcesses, xrefs: 004064AE
Process32FirstW, xrefs: 004065E9
Process32NextW, xrefs: 004065F4

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction ID: cf04814c2eceeca0522e3a2239a4cfb7588c45c97b625e8eb28f179f7b3afb0e
Opcode Fuzzy Hash: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction Fuzzy Hash: D3919371900219EBDF119FA4CD88AAEBBB8EF04705F11807AE906F7191DB788E51CF59

Function 004040E4 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404199
GetDlgItem.USER32(?,000003E8), ref: 004041AD
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004041CA
GetSysColor.USER32(?), ref: 004041DB
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041E9
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041F7
lstrlenW.KERNEL32(?), ref: 00404202
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040420F
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040421E

Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404150,?), ref: 0040400D
Part of subcall function 00403FF6: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404150,?), ref: 0040401C
Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404150,?), ref: 00404030

GetDlgItem.USER32(?,0000040A), ref: 00404276
SendMessageW.USER32(00000000), ref: 0040427D
GetDlgItem.USER32(?,000003E8), ref: 004042AA
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042ED
LoadCursorW.USER32(00000000,00007F02), ref: 004042FB
SetCursor.USER32(00000000), ref: 004042FE
ShellExecuteW.SHELL32(0000070B,open,0046E220,00000000,00000000,00000001), ref: 00404313
LoadCursorW.USER32(00000000,00007F00), ref: 0040431F
SetCursor.USER32(00000000), ref: 00404322
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404351
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404363

Strings

N, xrefs: 00404298
F, xrefs: 004042D3
open, xrefs: 0040430B

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: F$N$open
API String ID: 3928313111-1104729357
Opcode ID: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction ID: b74f7aac3d4bcd21dc7a54326fe4aeb8052e912a1eb6d084c2fa05dc76f75ebb
Opcode Fuzzy Hash: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction Fuzzy Hash: 5D71B5F1A00209BFDB109F65DD45EAA7B78FB44305F00853AFA05B62E1C778AD91CB99

Function 00406AC5 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00465E20,NUL,?,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AD5
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AF4
GetShortPathNameW.KERNEL32(000000F1,00465E20,00000400), ref: 00406AFD

Part of subcall function 00405DE2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
Part of subcall function 00405DE2: lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

GetShortPathNameW.KERNEL32(000000F1,0046B478,00000400), ref: 00406B1E
WideCharToMultiByte.KERNEL32(00000000,00000000,00465E20,000000FF,00466620,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B47
WideCharToMultiByte.KERNEL32(00000000,00000000,0046B478,000000FF,00466C70,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B5F
wsprintfA.USER32 ref: 00406B79
GetFileSize.KERNEL32(00000000,00000000,0046B478,C0000000,00000004,0046B478,?,?,00000000,000000F1,?), ref: 00406BB1
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406BC0
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BDC
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406C0C
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00467070,00000000,-0000000A,0040A87C,00000000,[Rename]), ref: 00406C63

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C77
GlobalFree.KERNEL32(00000000), ref: 00406C7E
CloseHandle.KERNEL32(?), ref: 00406C88

Strings

^F, xrefs: 00406ACF
%s=%s, xrefs: 00406B6F
[Rename], xrefs: 00406BF4, 00406C03
NUL, xrefs: 00406ACA
plF, xrefs: 00406B54

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: ^F$%s=%s$NUL$[Rename]$plF
API String ID: 565278875-3368763019
Opcode ID: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction ID: 187392fb1a539ff374a899d42f74550c270b9899c721d3c7d9f4fe98b52eb23c
Opcode Fuzzy Hash: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction Fuzzy Hash: F2414B322082197FE7206B61DD4CE6F3E6CDF4A758B12013AF586F21D1D6399C10867E

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,00476AA0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction ID: 3a901b8e11bd10f40e8c3d59bf329074d7a31f92ad936af625f7db958ebfa50f
Opcode Fuzzy Hash: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction Fuzzy Hash: BF518772800209AFCF05CF95DD459AFBBB9FF45315F00802AF952AA1A1C738EA50DFA4

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004140F8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004140F8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
WriteReg: error creating key "%s\%s", xrefs: 004029F5

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
Instruction ID: c6ff7831871a22410ebf281ca69ba80d881ba5d3dc99c3f31bea2db7712f227d
Opcode Fuzzy Hash: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
Instruction Fuzzy Hash: EE418BB2D00208BFCF11AF91CD46DEEBB7AEF44344F20807AF605761A2D3794A509B69

Function 00406113 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
GetFileAttributesW.KERNEL32(00476240,?,00000000,00000000,?,?,00406300,00000000), ref: 00406168
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,00476240,40000000,00000004), ref: 004061A1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00476240,40000000,00000004), ref: 004061AD
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),0040A678,?,00000000,00000000,?,?,00406300,00000000), ref: 004061C7
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,00406300,00000000), ref: 004061CE
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,00406300,00000000,?,?,00406300,00000000), ref: 004061E3

Strings

@bG, xrefs: 00406162
RMDir: RemoveDirectory invalid input(""), xrefs: 004061C1, 004061C6, 004061CD, 004061DC

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: @bG$RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-3206598305
Opcode ID: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction ID: 195d9f7db6fc7c0c2d4377fc833027156c916e626c5a885f84869a8699de3d55
Opcode Fuzzy Hash: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction Fuzzy Hash: 0121C271500240EBD710ABA8DD88D9B3B6CEB06334B118336F52ABA1E1D7389D85C7AC

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
Instruction ID: bd1c3f70b2adfd396ae192ad3b35d3c6df9fc0ba6a3ee2c413e2f7d1cf6bca0f
Opcode Fuzzy Hash: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
Instruction Fuzzy Hash: CF319E72800115ABDB11AFA9CD89DAF7FB9EF08364F10023AF515B61E1C7394E419B98

Function 004023F0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00426D79,759223A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00426D79,759223A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00426D79,759223A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

Error registering DLL: Could not load %s, xrefs: 004024DB
Error registering DLL: %s not found in %s, xrefs: 0040249A
Error registering DLL: Could not initialize OLE, xrefs: 004024F1
`G, xrefs: 0040246E

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s$`G
API String ID: 1033533793-4193110038
Opcode ID: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
Instruction ID: ac94b2829880799def153f2ab6d9fb01897d962df66ba524602deb4d09d833fb
Opcode Fuzzy Hash: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
Instruction Fuzzy Hash: AE21A635A00215FBDF20AFA1CE49A9D7E71AB44318F30817BF512761E1D6BD4A80DA5D

Function 00403DF6 Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403E10
GetSysColor.USER32(00000000), ref: 00403E2C
SetTextColor.GDI32(?,00000000), ref: 00403E38
SetBkMode.GDI32(?,?), ref: 00403E44
GetSysColor.USER32(?), ref: 00403E57
SetBkColor.GDI32(?,?), ref: 00403E67
DeleteObject.GDI32(?), ref: 00403E81
CreateBrushIndirect.GDI32(?), ref: 00403E8B

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction ID: 46e75ec11a9703e62b9e59528547c83071966f0b6f932d53464b5ad1ffaeee7a
Opcode Fuzzy Hash: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction Fuzzy Hash: CA116371500744ABCB219F78DD08B5BBFF8AF40715F048A2AE895E22A1D738DA44CB94

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00426D79,759223A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00426D79,759223A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00426D79,759223A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00405C6B: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
Part of subcall function 00405C6B: CloseHandle.KERNEL32(?), ref: 00405C9D

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: failed createprocess ("%s"), xrefs: 004022C2
Exec: command="%s", xrefs: 00402241
Exec: success ("%s"), xrefs: 00402263

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
Instruction ID: 042007ee205ef60e30064d08c60082207347e2967af2fac5581f577c4c1081ae
Opcode Fuzzy Hash: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
Instruction Fuzzy Hash: 4E11A332504115EBDB01BFE1DE49AAE3A62EF04324B24807FF502B51D2C7BD4D51DA9D

Function 0040487A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404895
GetMessagePos.USER32 ref: 0040489D
ScreenToClient.USER32(?,?), ref: 004048B5
SendMessageW.USER32(?,00001111,00000000,?), ref: 004048C7
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048ED

Strings

f, xrefs: 004048C9

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction ID: ebefa7930bdcd0e41c689069c6d494cf412fee4c497549fa98469d3d4217857c
Opcode Fuzzy Hash: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction Fuzzy Hash: 7A019E72A00219BAEB00DB94CC85BEEBBB8AF44710F10412ABB10B61D0C3B45A058BA4

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(0003A800,00000064,0012C21C), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction ID: b5f4dff99bd495ec87a9693a0662ffae913500554fa258d9a040327637eece45
Opcode Fuzzy Hash: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction Fuzzy Hash: F8014470640109BBEF109F60DC4AFEE3B68AB00309F008439FA05E51E1DB789A55CF58

Function 00406064 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
CharNextW.USER32(?,?,?,00000000), ref: 004060D6
CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Strings

*?|<>/":, xrefs: 004060B6

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction ID: be175804d259169a812840791ea7ca7df426672d81dd27f3292f2fdf866f60ab
Opcode Fuzzy Hash: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction Fuzzy Hash: E311C81188022159DB30FB698C4497776F8AE55750716843FE9CAF32C1E7BCDC9182BD

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction ID: c67b0bc93acae55c3864b02ebd95f02f7c15995ce12be8144693d1f813214158
Opcode Fuzzy Hash: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction Fuzzy Hash: EB117976500008FFDF119F90ED859AA3B7AFB84348F004476FA0AB5070D3358E509A29

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
Instruction ID: 8f71947f799b2f64a69df86d2a8dcb393400c967cd863db52f2ee5b4f8782dab
Opcode Fuzzy Hash: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
Instruction Fuzzy Hash: 9DF012B2A00104BFE700EBA4EE89DEFBBBCEB04305B104575F502F6162C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction ID: 6a5c1514d43e21eed083d94b15ba6593763dc9af2b3e6337d8774d5f4809249f
Opcode Fuzzy Hash: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction Fuzzy Hash: 56217171900209BADF15AFB4D886ABE7BB9EF04349F10413EF602F60E2D6794A40D758

Function 004043D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00451D98,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00451D98,?), ref: 00404476
wsprintfW.USER32 ref: 00404483
SetDlgItemTextW.USER32(?,00451D98,000000DF), ref: 00404496

Strings

%u.%u%s%s, xrefs: 00404470

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
Instruction ID: 019992b557dc20c415266b5889428492ee6a52d86c3b4952972254649920ef77
Opcode Fuzzy Hash: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
Instruction Fuzzy Hash: DC11527270021477CF10AA699D45F9E765EEBC5334F10423BF519F31E1D6388A158259

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

DeleteRegKey: "%s\%s", xrefs: 00402843
DeleteRegValue: "%s\%s" "%s", xrefs: 00402820

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
Instruction ID: 70287f52249eeba914cab3bee2f8f529b2cd5257afac1a85b0186071c419a2a5
Opcode Fuzzy Hash: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
Instruction Fuzzy Hash: 2511E732E00200ABDB10FFA5DD4AABE3A64EF40354F10403FF50AB61D2D6798E50C6AD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406301: FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
Part of subcall function 00406301: FindClose.KERNEL32(00000000), ref: 00406318

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
Instruction ID: 7c1d43f40acf3f33c375e3424532232737b5c7d4dc38a4161669d523a66d0fcf
Opcode Fuzzy Hash: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
Instruction Fuzzy Hash: 8A114F71D00214AADB10FFF6984699FBBBCAF44354B10843BA502F72D2E67989418759

Function 00406250 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 004062A4
lstrcatW.KERNEL32(00000000,...), ref: 004062C7

Strings

%02x%c, xrefs: 0040629C
..., xrefs: 004062BF

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction ID: 9bf571533c0fd83e5fe1ff618cfd19ea7d9613251e6e948213dceada22d50e27
Opcode Fuzzy Hash: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction Fuzzy Hash: E201D272510219BFCB01DF98CC44A9EBBB9EF84714F20817AF806F3280D2799EA48794

Function 00405073 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405083

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

OleUninitialize.OLE32(00000404,00000000), ref: 004050D1

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

Section: "%s", xrefs: 004050A5
Skipping section: "%s", xrefs: 004050E1

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction ID: 3a4ae3dd184d198318ece42e1af7a5bc75ccdc2bd7a030bb5b2a43e0dda7b67b
Opcode Fuzzy Hash: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction Fuzzy Hash: 0EF0F433504300ABE7106766AC02B1A7BA0EF84724F25017FFA09721E2DB7928418EAD

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00426D79,759223A0,00000000), ref: 00406902

CreateFontIndirectW.GDI32(00420110), ref: 0040216A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction ID: 0ba792ce9c48b24537a9dfec97a4105c0a721b5be590283e64661935fd66df2d
Opcode Fuzzy Hash: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction Fuzzy Hash: B6018872B042509FF7119BB4BC4ABAA7BE4A715315F504436F141F61E3CA7D4411C72D

Function 00407224 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406EFE: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407265
lstrcmpW.KERNEL32(?,Version ), ref: 00407276
lstrcpynW.KERNEL32(?,?,?), ref: 0040728D

Strings

Version , xrefs: 0040726D

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction ID: f6016284c167eb8c93e4c4d2cd91337f160ffdcdaea293fd9af5b6974d265005
Opcode Fuzzy Hash: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction Fuzzy Hash: 74F08172A0021CBBDF109BA5DD45EEA777CAB44700F000076F600F6191E2B5AE148BA1

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,0040372F,00000001,?,?,?,00000000,00403A73,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A73,?), ref: 0040332E

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction ID: 7080548a0c715e844c944b711630a30770084a0de0adb1936a850f0acfbe0ad2
Opcode Fuzzy Hash: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction Fuzzy Hash: 76F05E30541220BBC620AF24FD89AAF7F68B705B1274008BAF405B11A6C7384D92CFDC

Function 00406391 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 0040639C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 004063B2
GetProcAddress.KERNEL32(?,00000000), ref: 004063C1
GlobalFree.KERNEL32(00000000), ref: 004063CA

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction ID: 23858f5f5f858bd20c6f81bae205610dc5c3869b82bfcacec746ad73dc06cfd6
Opcode Fuzzy Hash: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction Fuzzy Hash: 82E092313001117BF2101B269D8CD677EACDBCA7B2B05013AF645E11E1C6308C10C674

Function 004048F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040492E
CallWindowProcW.USER32(?,00000200,?,?), ref: 0040499C

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

Strings

, xrefs: 00404906

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction ID: 3c1fd1ddb59456d7d2ea24cd553691e7f5dd8d926ac1a383129e0726a186868e
Opcode Fuzzy Hash: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction Fuzzy Hash: CE118FF1500209ABDF115F65DC44EAB776CAF84365F00803BFA04761A2C37D8D919FA9

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction ID: 1025b72e91f13a3121db677028adcce723ab2f3f19a12cbdb86f5280e69f3e4e
Opcode Fuzzy Hash: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction Fuzzy Hash: 14E0C0716002086AEB01ABA1DD89DAE7BACAB45304F144426F601F71E3E6745D028714

Function 00405C6B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
CloseHandle.KERNEL32(?), ref: 00405C9D

Strings

Error launching installer, xrefs: 00405C74

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction ID: 058e85fc593d498414a6a643ff83d14e048665682532f700ab3f6144ed6d8858
Opcode Fuzzy Hash: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction Fuzzy Hash: A4E0ECB0900209AFEB009F65DD09E7B7BBCEB00384F084426AD10E2161E778D8148B69

Function 004062CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406113: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062D1, 004062D6

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction ID: 2c5812d3804eb93f93713fa8b891b4ce654538dc852139f9e16b4ff69120e8c2
Opcode Fuzzy Hash: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction Fuzzy Hash: 93D05E34A50206BADA009FE1FE29E597764AB84304F400869F005890B1EA74C4108B0E

Function 00405DE2 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
lstrcmpiA.KERNEL32(?,?), ref: 00405E0A
CharNextA.USER32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E1B
lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

Memory Dump Source

Source File: 00000000.00000002.2029818383.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029797278.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029834725.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029851088.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2029951500.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SoftWare(1).jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction ID: 6c750b41c95b6ea6b2c0dd9449a28e86abc919c298eb75f697d1220529daba74
Opcode Fuzzy Hash: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction Fuzzy Hash: 95F0CD31205558FFCB019FA9DC0499FBBA8EF5A350B2544AAE840E7321D234DE019BA4

Analysis Process: Epson.comPID: 7676, Parent PID: 7444COMMON

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	47

Executed Functions

Function 00F55FC8 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 236
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00F55FF7

Part of subcall function 00F58577: _wcslen.LIBCMT ref: 00F5858A

GetCurrentProcess.KERNEL32(?,00FEDC2C,00000000,?,?), ref: 00F56123
IsWow64Process.KERNEL32(00000000,?,?), ref: 00F5612A
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00F56155
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00F56167
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00F56175
FreeLibrary.KERNEL32(00000000,?,?), ref: 00F5617C
GetSystemInfo.KERNEL32(?,?,?), ref: 00F561A1

Strings

|O, xrefs: 00F950F7
kernel32.dll, xrefs: 00F56150
GetNativeSystemInfo, xrefs: 00F56161

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 3fcc15875896a11494e495bb0236e6d08cf8db0c5087ecec5066398a044d2476
Instruction ID: 3a597c1921c574490342cfaa6aa37d34f2f4f9185762a86973bca93c0fb80701
Opcode Fuzzy Hash: 3fcc15875896a11494e495bb0236e6d08cf8db0c5087ecec5066398a044d2476
Instruction Fuzzy Hash: ECA1B63290A6C4CFDB32CFE874412A53F946B26B15B78C89AD5C1A721AC23F4549EB31

Function 00F5338B Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 148
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00F53368,?), ref: 00F533BB
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00F53368,?), ref: 00F533CE
GetFullPathNameW.KERNEL32(00007FFF,?,?,01022418,01022400,?,?,?,?,?,?,00F53368,?), ref: 00F5343A

Part of subcall function 00F58577: _wcslen.LIBCMT ref: 00F5858A

Part of subcall function 00F5425F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00F53462,01022418,?,?,?,?,?,?,?,00F53368,?), ref: 00F542A0

SetCurrentDirectoryW.KERNEL32(?,00000001,01022418,?,?,?,?,?,?,?,00F53368,?), ref: 00F534BB
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00F93CB0
SetCurrentDirectoryW.KERNEL32(?,01022418,?,?,?,?,?,?,?,00F53368,?), ref: 00F93CF1
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,010131F4,01022418,?,?,?,?,?,?,?,00F53368), ref: 00F93D7A
ShellExecuteW.SHELL32(00000000,?,?), ref: 00F93D81

Part of subcall function 00F534D3: GetSysColorBrush.USER32(0000000F), ref: 00F534DE
Part of subcall function 00F534D3: LoadCursorW.USER32(00000000,00007F00), ref: 00F534ED
Part of subcall function 00F534D3: LoadIconW.USER32(00000063), ref: 00F53503
Part of subcall function 00F534D3: LoadIconW.USER32(000000A4), ref: 00F53515
Part of subcall function 00F534D3: LoadIconW.USER32(000000A2), ref: 00F53527
Part of subcall function 00F534D3: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F5353F
Part of subcall function 00F534D3: RegisterClassExW.USER32(?), ref: 00F53590

Part of subcall function 00F535B3: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F535E1
Part of subcall function 00F535B3: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F53602
Part of subcall function 00F535B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00F53368,?), ref: 00F53616
Part of subcall function 00F535B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00F53368,?), ref: 00F5361F

Part of subcall function 00F5396B: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F53A3C

Strings

AutoIt, xrefs: 00F93CA5
It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00F93CAA
runas, xrefs: 00F93D75

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 683915450-2030392706
Opcode ID: 4357ea03bde0851e7d513df4b970f7e962e0a22d13cbe4418bd8c2ef81446e05
Instruction ID: 716e465829a86cf760660965cc8fe828373c19b60c39bc4bbfa3bc82eeaf1d87
Opcode Fuzzy Hash: 4357ea03bde0851e7d513df4b970f7e962e0a22d13cbe4418bd8c2ef81446e05
Instruction Fuzzy Hash: F3512631508344AEDB21EFA4DC41DAE7BB8AB84751F40041DFAC19A152DF3D9A4DF722

Function 00FBDC54 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F55851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F555D1,?,?,00F94B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00F55871

Part of subcall function 00FBEAB0: GetFileAttributesW.KERNEL32(?,00FBD840), ref: 00FBEAB1

FindFirstFileW.KERNEL32(?,?), ref: 00FBDCCB
DeleteFileW.KERNEL32(?,?,?,?), ref: 00FBDD1B
FindNextFileW.KERNELBASE(00000000,00000010), ref: 00FBDD2C
FindClose.KERNEL32(00000000), ref: 00FBDD43
FindClose.KERNEL32(00000000), ref: 00FBDD4C

Strings

\*.*, xrefs: 00FBDC9D

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 241b656dbee1a851d933b1b2993df8086fd14f30b834d725a887747e17565a9e
Instruction ID: 8a3d5516087cf6076f38f128da99306775fdd1823eb6d53c4afd7c878e033f10
Opcode Fuzzy Hash: 241b656dbee1a851d933b1b2993df8086fd14f30b834d725a887747e17565a9e
Instruction Fuzzy Hash: 3B315C31408385AFC300EB60DC919EFB7E8BE96311F404A5DFAD596191EB25DA0DEB63

Function 00FBDD87 Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00FBDDAC
Process32FirstW.KERNEL32(00000000,?), ref: 00FBDDBA
Process32NextW.KERNEL32(00000000,?), ref: 00FBDDDA
CloseHandle.KERNEL32(00000000), ref: 00FBDE87

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: f1f77e11a23ad27090daa6c7bc05817925682d79d676d9f2b3e478e6b0c70d9a
Instruction ID: db72beef20917c406ec3f2f400d322ef9b6837f100e4a7b3239e1751ad2a3b3f
Opcode Fuzzy Hash: f1f77e11a23ad27090daa6c7bc05817925682d79d676d9f2b3e478e6b0c70d9a
Instruction Fuzzy Hash: B83171711083019FD310EF50CC85AAFBBE8AF99350F44092DF985871A1EB75D949EB93

Function 00F6FFE0 Relevance: 3.1, APIs: 2, Instructions: 94nativeCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00F7007D
NtProtectVirtualMemory.NTDLL ref: 00F7008F

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: CloseHandleMemoryProtectVirtual
String ID:
API String ID: 2407445808-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 94adad4c27650e45b597d11849c2f3a502268a4cc503a64cce4da7acb1457ef4
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: DE31C771A00105DBC718CF58D484B69FBA5FF49320B24C6A6E409CB252DB31EDC1EBC2

Function 00F5EE56 Relevance: 21.6, APIs: 14, Instructions: 613windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00F5EF07
timeGetTime.WINMM ref: 00F5F107
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F5F228
TranslateMessage.USER32(?), ref: 00F5F27B
DispatchMessageW.USER32(?), ref: 00F5F289
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F5F29F
Sleep.KERNEL32(0000000A), ref: 00F5F2B1

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 39d0bdba34f5f5e4eefc3308b9f91e7e6df0465756a849fac5ec657413dacc8f
Instruction ID: cd5db913e40dea0e30ffcc07b3a7c05255dc4e77d24277cff87c69018b00afa2
Opcode Fuzzy Hash: 39d0bdba34f5f5e4eefc3308b9f91e7e6df0465756a849fac5ec657413dacc8f
Instruction Fuzzy Hash: 8F3202B0A04341EFD728CF24C884B6AB7E4BF82315F14856DFA558B291C775E94CEB92

Function 00F53624 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F53657
RegisterClassExW.USER32(00000030), ref: 00F53681
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F53692
InitCommonControlsEx.COMCTL32(?), ref: 00F536AF
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F536BF
LoadIconW.USER32(000000A9), ref: 00F536D5
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F536E4

Strings

AutoIt v3 GUI, xrefs: 00F53673
TaskbarCreated, xrefs: 00F53687
0, xrefs: 00F53639
+, xrefs: 00F53640

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: b214462f9912db2b1bb8ea0b3484e02f755ff463279046047c1c0bc83d5c796f
Instruction ID: d2a7ad16d35f65129f6b400818a7baa4645c385e7fb52e2b782510ce28f6239c
Opcode Fuzzy Hash: b214462f9912db2b1bb8ea0b3484e02f755ff463279046047c1c0bc83d5c796f
Instruction Fuzzy Hash: 4E214AB1D02348AFDB20DFD4E889BDDBBB4FB09710F10411AF651AA294D7B54140DF91

Function 00F909DB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F9071A: CreateFileW.KERNEL32(00000000,00000000,?,00F90A84,?,?,00000000,?,00F90A84,00000000,0000000C), ref: 00F90737

GetLastError.KERNEL32 ref: 00F90AEF
__dosmaperr.LIBCMT ref: 00F90AF6
GetFileType.KERNEL32(00000000), ref: 00F90B02
GetLastError.KERNEL32 ref: 00F90B0C
__dosmaperr.LIBCMT ref: 00F90B15
CloseHandle.KERNEL32(00000000), ref: 00F90B35
CloseHandle.KERNEL32(?), ref: 00F90C7F
GetLastError.KERNEL32 ref: 00F90CB1
__dosmaperr.LIBCMT ref: 00F90CB8

Strings

H, xrefs: 00F90C3D

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 018fc8b7f2aa94979fe029399c68761ad2f4669ceea7b002ccd2477b53000c15
Instruction ID: 2fda26543ca6a9344ae09f8c2455ac531eb0c775ee1be58f9994f126154d5b77
Opcode Fuzzy Hash: 018fc8b7f2aa94979fe029399c68761ad2f4669ceea7b002ccd2477b53000c15
Instruction Fuzzy Hash: C4A13832A001489FEF29EF68DC52BAD7BA1EB06324F140159F815DF2D1DB399D12EB52

Function 00F552A7 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F55594: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00F94B76,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 00F555B2

Part of subcall function 00F55238: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F5525A

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00F553C4
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00F94BFD
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00F94C3E
RegCloseKey.ADVAPI32(?), ref: 00F94C80
_wcslen.LIBCMT ref: 00F94CE7
_wcslen.LIBCMT ref: 00F94CF6

Strings

\Include\, xrefs: 00F55381
Include, xrefs: 00F94BF4, 00F94C35
Software\AutoIt v3\AutoIt, xrefs: 00F553BA
\, xrefs: 00F94CFC

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 872c10074ed75f1e76d100e6a754c346b7b8bb6e96f08f23fc39395bc2fac485
Instruction ID: 0481858fa9d919edcbd1a63716760db66ea446fe94ddce28d5c55327c70dd29b
Opcode Fuzzy Hash: 872c10074ed75f1e76d100e6a754c346b7b8bb6e96f08f23fc39395bc2fac485
Instruction Fuzzy Hash: 3171EF715043019EC324DF65DC8199BBBE8FF98350F90842EF584CB264EF7AAA09DB52

Function 00F534D3 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F534DE
LoadCursorW.USER32(00000000,00007F00), ref: 00F534ED
LoadIconW.USER32(00000063), ref: 00F53503
LoadIconW.USER32(000000A4), ref: 00F53515
LoadIconW.USER32(000000A2), ref: 00F53527
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F5353F
RegisterClassExW.USER32(?), ref: 00F53590

Part of subcall function 00F53624: GetSysColorBrush.USER32(0000000F), ref: 00F53657
Part of subcall function 00F53624: RegisterClassExW.USER32(00000030), ref: 00F53681
Part of subcall function 00F53624: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F53692
Part of subcall function 00F53624: InitCommonControlsEx.COMCTL32(?), ref: 00F536AF
Part of subcall function 00F53624: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F536BF
Part of subcall function 00F53624: LoadIconW.USER32(000000A9), ref: 00F536D5
Part of subcall function 00F53624: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F536E4

Strings

0, xrefs: 00F5355F
AutoIt v3, xrefs: 00F5357F
#, xrefs: 00F53566

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 7110a9661aa28b3231104ac2ba36c5e6c579e1a35ff31a16e1f2ebd94d2aa771
Instruction ID: 15d39bdcef099bdece21744643e3a08727d03d7a39cedd0a276e9622eccec5ba
Opcode Fuzzy Hash: 7110a9661aa28b3231104ac2ba36c5e6c579e1a35ff31a16e1f2ebd94d2aa771
Instruction Fuzzy Hash: 91214C70D00358ABDB309FE5EC85AA9BFB4FB4CB50F60801AFA44A6294C3BA0554DF90

Function 00FD0FB8 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 00FD1019
inet_addr.WSOCK32(?), ref: 00FD1079
gethostbyname.WS2_32(?), ref: 00FD1085
IcmpCreateFile.IPHLPAPI ref: 00FD1093
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00FD1123
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00FD1142
IcmpCloseHandle.IPHLPAPI(?), ref: 00FD1216
WSACleanup.WSOCK32 ref: 00FD121C

Strings

Ping, xrefs: 00FD10D3

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: e8aaaf25b5c69fa5c0272574cbfffb3009bf369345fe94fc45fa81bd416508e1
Instruction ID: e0a73c075c5d216aca703913009330f18bba334aca28d913568ff5bbbe8d3493
Opcode Fuzzy Hash: e8aaaf25b5c69fa5c0272574cbfffb3009bf369345fe94fc45fa81bd416508e1
Instruction Fuzzy Hash: 33919231A04241AFD720DF15C888B16BBE6BF44328F18859AF5698F7A2C735ED45DB81

Function 00F5370F Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00F53709,?,?), ref: 00F53777
KillTimer.USER32(?,00000001,?,?,?,?,?,00F53709,?,?), ref: 00F537A3
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F537C6
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00F53709,?,?), ref: 00F537D1
CreatePopupMenu.USER32 ref: 00F537E5
PostQuitMessage.USER32(00000000), ref: 00F53806

Strings

TaskbarCreated, xrefs: 00F537CC

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 170911d4ffccae4f4699f2e076c961ccb5574ba9bc810264d7e5ee2b669df0b9
Instruction ID: f37bd462340378b6d984965b480973d6567c13e32455f2bf0c984c53037656d0
Opcode Fuzzy Hash: 170911d4ffccae4f4699f2e076c961ccb5574ba9bc810264d7e5ee2b669df0b9
Instruction Fuzzy Hash: EC4125F2E08154BBDF242F6CEC99B793A69F708392F104116FF4189181DA799B0CB762

Function 00F890C5 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5cccc43d88e4e28ccc054bd277edea7f2014a362ffa30f44c2ac84e0a1e5e00
Instruction ID: 8f24d7d868ba4bfd0c0dc33ff08a02a31674492f9713058fd030638e52184f31
Opcode Fuzzy Hash: b5cccc43d88e4e28ccc054bd277edea7f2014a362ffa30f44c2ac84e0a1e5e00
Instruction Fuzzy Hash: 10C1E171E08249AFCF11EFE8DC45BFDBBB4AF09310F184059E454AB292C7B59942EB61

Function 00F6AC3E Relevance: 12.9, APIs: 1, Strings: 6, Instructions: 671
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

i, xrefs: 00F6B0A3
d10m0, xrefs: 00F6ACF0
d1b, xrefs: 00F6AD55, 00F6AE8E
d1r0,2, xrefs: 00F6ACA9
d5m0, xrefs: 00F6AE75
d0b, xrefs: 00F6AC96, 00F6AD10, 00F6AEA7

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID:
String ID: d0b$d10m0$d1b$d1r0,2$d5m0$i
API String ID: 0-4285391669
Opcode ID: 065c596ec5a6df415f50415eafb55a8dff42b7a79e7c9d415ab01e3c1f901867
Instruction ID: 79ea0ad4d35d775812c6323aaa935f3d5e4845292fb4df7cd0133591c52f8608
Opcode Fuzzy Hash: 065c596ec5a6df415f50415eafb55a8dff42b7a79e7c9d415ab01e3c1f901867
Instruction Fuzzy Hash: 24627DB0508381DFC324DF15C494A9ABBE0FF89354F14895EE8898B352DB75D94AEF82

Function 00F535B3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F535E1
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F53602
ShowWindow.USER32(00000000,?,?,?,?,?,?,00F53368,?), ref: 00F53616
ShowWindow.USER32(00000000,?,?,?,?,?,?,00F53368,?), ref: 00F5361F

Strings

edit, xrefs: 00F535FC
AutoIt v3, xrefs: 00F535D9, 00F535DE, 00F535DF

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: ffdb79b38c8d2ee98efb731fc6a7ce2626a1d30e48e1d4a7fa00729f1e6302e4
Instruction ID: a5a765bc0f3b2a994129d4fb480293c9bc93296b716e3b9135fe1310d0349f5f
Opcode Fuzzy Hash: ffdb79b38c8d2ee98efb731fc6a7ce2626a1d30e48e1d4a7fa00729f1e6302e4
Instruction Fuzzy Hash: 75F05E706002D47AE7310B536C48E373EBDD7CBF10F20402EF904AB154C26A0851EBB1

Function 00F561A9 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00F95287

Part of subcall function 00F58577: _wcslen.LIBCMT ref: 00F5858A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F56299

Strings

AutoIt - , xrefs: 00F5620D
Line %d: , xrefs: 00F95305

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line %d: $AutoIt -
API String ID: 2289894680-4094128768
Opcode ID: 4622e1f94b1fd7416eac809e73143e38b0c0a156fceee027acfdadb50071e2b4
Instruction ID: 571906e5d04ed20469dd3b9d8aeefe4880238767b09ee72d5bbe8be133e57862
Opcode Fuzzy Hash: 4622e1f94b1fd7416eac809e73143e38b0c0a156fceee027acfdadb50071e2b4
Instruction Fuzzy Hash: 2D41D371408304AAC721EB60DC45AEF77ECAF84721F50461EFA9983091EF79964DEB92

Function 00F558CB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00F558BE,SwapMouseButtons,00000004,?), ref: 00F558EF
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00F558BE,SwapMouseButtons,00000004,?), ref: 00F55910
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00F558BE,SwapMouseButtons,00000004,?), ref: 00F55932

Strings

Control Panel\Mouse, xrefs: 00F558ED

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: b1196ae2d364d38f2ddd6d69b97459538f98c95eb136730b155c0a16c1bcaa6c
Instruction ID: 7b2bf1a2cce06ccd565eca270cac433956711b5aa4432567ac7db2ac999c3814
Opcode Fuzzy Hash: b1196ae2d364d38f2ddd6d69b97459538f98c95eb136730b155c0a16c1bcaa6c
Instruction Fuzzy Hash: 26115A76510618FFDB218F64CC80AEE7BBCEF40B61B104459EA01E7210E2359E45E760

Function 00F5F6D0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00FA48C6

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: bd61f99c9d4ca447dbdf9d5926656d50f7df5691c2adc0ba67d419b892fbdc22
Instruction ID: 8bb04211dfc54e295eb84327d3f9f2cce825ad0a9cd8601de50c335201c980c5
Opcode Fuzzy Hash: bd61f99c9d4ca447dbdf9d5926656d50f7df5691c2adc0ba67d419b892fbdc22
Instruction Fuzzy Hash: F6C2AD71E00205DFCB24CF58C880BADB7F1BF49311F2481A9EA45AB391D779AD49EB91

Function 00F60340 Relevance: 5.7, APIs: 3, Instructions: 1236COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00F615F2

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 74300eb13e170e3ed0861e19f963a04ce398dab29be409d354da473e379f4ea0
Instruction ID: 60751d661311ce423618a9527aa08777208298c4d5e57d8f31ccd6554dce8c64
Opcode Fuzzy Hash: 74300eb13e170e3ed0861e19f963a04ce398dab29be409d354da473e379f4ea0
Instruction Fuzzy Hash: 5FB27C75A08341CFC724CF14C480B2AB7E1BF99314F28895DE98A8B351DB75ED45EB92

Function 00F7014B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00F709D8

Part of subcall function 00F73614: RaiseException.KERNEL32(?,?,?,00F709FA,?,00000000,?,?,?,?,?,?,00F709FA,00000000,01019758,00000000), ref: 00F73674

__CxxThrowException@8.LIBVCRUNTIME ref: 00F709F5

Strings

Unknown exception, xrefs: 00F70A02

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 12b3d57c39c935627520169bbb6f71d6f965cd83210a0a69a8d37616e7cbb4e5
Instruction ID: 0c094334fcb1c98323bd6e19303a60df535cea40b4f671fe58ddfbe9182dd39b
Opcode Fuzzy Hash: 12b3d57c39c935627520169bbb6f71d6f965cd83210a0a69a8d37616e7cbb4e5
Instruction Fuzzy Hash: 81F0F43080020DF68B00BAA4EC029AE777C5F00320B90C027BA1C962A3FF74E615E582

Function 00FD89B6 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00FD8D52
TerminateProcess.KERNEL32(00000000), ref: 00FD8D59
FreeLibrary.KERNEL32(?,?,?,?), ref: 00FD8F3A

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 93b6b9c58c74df0a9df1e32ff94ebc6fad33f5346736e9500f2af0f91885a380
Instruction ID: 5aee5d2a5e3e24ff3c6b320f3127882621b2e22132dcd684a6950f2266c295e7
Opcode Fuzzy Hash: 93b6b9c58c74df0a9df1e32ff94ebc6fad33f5346736e9500f2af0f91885a380
Instruction Fuzzy Hash: B7126D71A08341DFC714DF24C484B5ABBE6FF84364F08895EE8898B352CB75E946DB92

Function 00FD9AF3 Relevance: 4.7, APIs: 3, Instructions: 233COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FD9B87
_strcat.LIBCMT ref: 00FD9BC6
_wcslen.LIBCMT ref: 00FD9C14

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: _wcslen$_strcat
String ID:
API String ID: 306214811-0
Opcode ID: ccb891eccab9ecd1a502423fe1153cfe437eb6c84fdbb0d3a9e7619db9a89438
Instruction ID: c2c02166457455007e6b746d4232c169937769d6212f5b0585970b58fe9d6d01
Opcode Fuzzy Hash: ccb891eccab9ecd1a502423fe1153cfe437eb6c84fdbb0d3a9e7619db9a89438
Instruction Fuzzy Hash: C3A17C31604205DFCB18DF58C8D1969BBB2FF45314B2484AEE84A8F392CB75ED42EB80

Function 00F52793 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F5327E: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F532AF
Part of subcall function 00F5327E: MapVirtualKeyW.USER32(00000010,00000000), ref: 00F532B7
Part of subcall function 00F5327E: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F532C2
Part of subcall function 00F5327E: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F532CD
Part of subcall function 00F5327E: MapVirtualKeyW.USER32(00000011,00000000), ref: 00F532D5
Part of subcall function 00F5327E: MapVirtualKeyW.USER32(00000012,00000000), ref: 00F532DD

Part of subcall function 00F53205: RegisterWindowMessageW.USER32(00000004,?,00F52964), ref: 00F5325D

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00F52A0A
OleInitialize.OLE32 ref: 00F52A28
CloseHandle.KERNEL32(00000000,00000000), ref: 00F93A0D

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: b1cbea631053896c2d1f34f672e3795c1c09e83acea628ad495e514579b5b276
Instruction ID: 3d79721d84c3f0e2e40947de0b0b1dd9cad126c6ab7ecf16611361551c5bd29b
Opcode Fuzzy Hash: b1cbea631053896c2d1f34f672e3795c1c09e83acea628ad495e514579b5b276
Instruction Fuzzy Hash: 2071B2B0901260CFC3B8DFF9E9656153AF0BB483053A0822AE58AC735AEB7E4545EF54

Function 00F6FCAD Relevance: 4.6, APIs: 3, Instructions: 75timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F561A9: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F56299

KillTimer.USER32(?,00000001,?,?), ref: 00F6FD36
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F6FD45
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FAFE33

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: fb2351d8f8b26315f18981a5f63cce0ad326ee3822ab2657ae633cd6f235af9c
Instruction ID: 00b39b111ab684864eb17751d584dff852df70372e73dda173675988ca168feb
Opcode Fuzzy Hash: fb2351d8f8b26315f18981a5f63cce0ad326ee3822ab2657ae633cd6f235af9c
Instruction Fuzzy Hash: 223198B1904344AFDB32CF64D895BE6BBECAF13314F10449ED5DA9B141C3741A89DB51

Function 00F88A2E Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,?,00F8894C,?,01019CE8,0000000C), ref: 00F88A84
GetLastError.KERNEL32(?,00F8894C,?,01019CE8,0000000C), ref: 00F88A8E
__dosmaperr.LIBCMT ref: 00F88AB9

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: acd8edc88ba617e9d5a40325cfa7615108a025e4837fddd6d86eee844710b189
Instruction ID: f1abc02d7ddec21e90afd91a55008a5bd38cece61b76be0df021d163809089e6
Opcode Fuzzy Hash: acd8edc88ba617e9d5a40325cfa7615108a025e4837fddd6d86eee844710b189
Instruction Fuzzy Hash: 40014832A051647BC6287674AC86BFE37494B81BB8FA5011AF8248B1C2DF3C98827380

Function 00F8970B Relevance: 4.6, APIs: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,00F897BA,FF8BC369,00000000,00000002,00000000), ref: 00F89744
GetLastError.KERNEL32(?,00F897BA,FF8BC369,00000000,00000002,00000000,?,00F85ED4,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,00F76F41), ref: 00F8974E
__dosmaperr.LIBCMT ref: 00F89755

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 797828f0d81612b9c90cbb01c0cd11082ee7658f27eeb89e229451ff5c929892
Instruction ID: 70ac574b5dca299dac298f7532c9149d73420647acd81a586a18d8e39ab0af98
Opcode Fuzzy Hash: 797828f0d81612b9c90cbb01c0cd11082ee7658f27eeb89e229451ff5c929892
Instruction Fuzzy Hash: 34014C33A24118AFCB15AF99DC45CFE7B29DB85330B280219F8159B190EA71DD41BB90

Function 00F5F238 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00F5F27B
DispatchMessageW.USER32(?), ref: 00F5F289
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F5F29F
Sleep.KERNEL32(0000000A), ref: 00F5F2B1
TranslateAcceleratorW.USER32(?,?,?), ref: 00FA32D8

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 8ce2611d31fcc30ddc3d4733b4f584ad11b2c60f99870a1d33a07a80c7fd8a36
Instruction ID: baba2ae6fcf73bbc41e026ca1c7044ee2324f6249c5790cb18a790de57237ce5
Opcode Fuzzy Hash: 8ce2611d31fcc30ddc3d4733b4f584ad11b2c60f99870a1d33a07a80c7fd8a36
Instruction Fuzzy Hash: F8F05E716043889BE7348BA0CC89FDA73ACAB45311F104928F649870C0DB749588AB26

Function 00F62B20 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00F63006

Strings

CALL, xrefs: 00F62FD6

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 9fe171b1457619ab9c196750db026513a109980db683bd9b5a889c08d39c9ba7
Instruction ID: 81cf197efefa4883cfc17e85b2a7fec7131a7239b5ebf40bf3e2b7bc1fbcf2ae
Opcode Fuzzy Hash: 9fe171b1457619ab9c196750db026513a109980db683bd9b5a889c08d39c9ba7
Instruction Fuzzy Hash: 6A228AB1A08701DFC714DF24C880B2ABBF1BF95324F14895DF4898B2A1D776E945EB92

Function 00F61990 Relevance: 3.6, APIs: 2, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f63678f39d6d4e1d9235bb57ebd8cd7cd72c47b57b1245febbc8084cfbdf3bfb
Instruction ID: bbb1e5b72a88f6d00a103dd6ca92b8359b0a2188b485ae172c91cf2348bdcf1c
Opcode Fuzzy Hash: f63678f39d6d4e1d9235bb57ebd8cd7cd72c47b57b1245febbc8084cfbdf3bfb
Instruction Fuzzy Hash: 7232DD71A00205DFCB24DF54CC81BAEB3B4FF06364F188519E915EB2A1EB79AD44EB91

Function 00F53A95 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00F9413B

Part of subcall function 00F55851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F555D1,?,?,00F94B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00F55871

Part of subcall function 00F53A57: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00F53A76

Strings

X, xrefs: 00F94109

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 96d9d6b95947c4718a211f2eff8e3c93bb00c299abd7fc23d19b3024467637d0
Instruction ID: ed6348bf18939751d2e8afa74a83904d8c2b84b53a9aa4e48f54171e713c4933
Opcode Fuzzy Hash: 96d9d6b95947c4718a211f2eff8e3c93bb00c299abd7fc23d19b3024467637d0
Instruction Fuzzy Hash: 4B21A171A002589BDF119F98CC05BEE7BFCAF49311F008019E945A7241DBBC9A8D9FA1

Function 00F5396B Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F53A3C

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: a3cd46b1ec8836ec0fe6812fb6fab85be89797a5b3ee9799b5035e51d5ac9a60
Instruction ID: ebcf382bbf5befae0688e379821f669c19c6af80aebdc4f6ecfc89b1f9a70acb
Opcode Fuzzy Hash: a3cd46b1ec8836ec0fe6812fb6fab85be89797a5b3ee9799b5035e51d5ac9a60
Instruction Fuzzy Hash: 3831B1B15047009FE331DF68D884B97BBE8FB48719F10092EEAD987240E775A948DB52

Function 00F5331B Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00F5333D

Part of subcall function 00F532E6: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00F532FB
Part of subcall function 00F532E6: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00F53312

Part of subcall function 00F5338B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00F53368,?), ref: 00F533BB
Part of subcall function 00F5338B: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00F53368,?), ref: 00F533CE
Part of subcall function 00F5338B: GetFullPathNameW.KERNEL32(00007FFF,?,?,01022418,01022400,?,?,?,?,?,?,00F53368,?), ref: 00F5343A
Part of subcall function 00F5338B: SetCurrentDirectoryW.KERNEL32(?,00000001,01022418,?,?,?,?,?,?,?,00F53368,?), ref: 00F534BB

SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 00F53377

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
String ID:
API String ID: 1550534281-0
Opcode ID: 23be29f769cbdc1241159b43b5fddbefc041da6a3b5094d95e005c3c51193441
Instruction ID: 09218e6738b76e720e4d6c119f1b7055d74345ba2d32f7c7630c7e4a7cdfc4dd
Opcode Fuzzy Hash: 23be29f769cbdc1241159b43b5fddbefc041da6a3b5094d95e005c3c51193441
Instruction Fuzzy Hash: 97F0B4315047449FD3306FA4EC0AB247790A70474AF608816FA48490D6CBBF8064AB00

Function 00F5CAB0 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00F5CEEE

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 16ba91f13d4220adbed632b0b85cd5e813742f9768bb1c4d35f1c5548476bddd
Instruction ID: d62b21f91cec870c0801d3ab60c4998360a9282896e3f854e12e5a587979da97
Opcode Fuzzy Hash: 16ba91f13d4220adbed632b0b85cd5e813742f9768bb1c4d35f1c5548476bddd
Instruction Fuzzy Hash: D832C075E002059FCB20CF54C884BBABBB5FF49325F198059EE56AB351C738AD49EB90

Function 00FD7AF9 Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 58ab015fd2101854f141fb82db9d1249d28ce07b3a59cce88aa0aaeeb866056a
Instruction ID: 3d8197ffeab81e951dd367a1a90fe1e14c303e3de2f9bad64be72ca0ffb9d9c1
Opcode Fuzzy Hash: 58ab015fd2101854f141fb82db9d1249d28ce07b3a59cce88aa0aaeeb866056a
Instruction Fuzzy Hash: 52D16C35E0420ADFCB14EF98C8819ADBBB6FF48320F14415AE915AB391EB35AD45DB90

Function 00F7F106 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 509697d1fde31f37b915edcf22effcce9687fa97ebd8d58a7408ccc1a2262c7b
Instruction ID: 87b9a31d91ff504377568fa97862ffee3f008a95841b026689f12d72c80be754
Opcode Fuzzy Hash: 509697d1fde31f37b915edcf22effcce9687fa97ebd8d58a7408ccc1a2262c7b
Instruction Fuzzy Hash: DB51D635E04104AFDB10DF68CC40BA97BA1EF85364F19C1AAE81C9B392D771ED46DB52

Function 00FBFCB5 Relevance: 1.6, APIs: 1, Instructions: 136COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00FBFCCE

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: 6200881e0441d56bbedab1b2ead44e5c28b0c55813461f5577751a05a21d19e4
Instruction ID: cfc9509fbb9dec8f6ab81ce1557358984604fbdc83476a252aa74bae5b3e7e06
Opcode Fuzzy Hash: 6200881e0441d56bbedab1b2ead44e5c28b0c55813461f5577751a05a21d19e4
Instruction Fuzzy Hash: 7E4195B6900209AFCB11DF69CC819EEB7B8EF58324B10853EE916D7251EB70DA49DB50

Function 00F56679 Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F5663E: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F5668B,?,?,00F562FA,?,00000001,?,?,00000000), ref: 00F5664A
Part of subcall function 00F5663E: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F5665C
Part of subcall function 00F5663E: FreeLibrary.KERNEL32(00000000,?,?,00F5668B,?,?,00F562FA,?,00000001,?,?,00000000), ref: 00F5666E

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00F562FA,?,00000001,?,?,00000000), ref: 00F566AB

Part of subcall function 00F56607: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F95657,?,?,00F562FA,?,00000001,?,?,00000000), ref: 00F56610
Part of subcall function 00F56607: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F56622
Part of subcall function 00F56607: FreeLibrary.KERNEL32(00000000,?,?,00F95657,?,?,00F562FA,?,00000001,?,?,00000000), ref: 00F56635

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 0a655f90a99255dc99ff46309921a40a67e5017953ad418bbd06ad891461425b
Instruction ID: a468f552b85312a339724b5b1eb107c0e4827cfac739eeda7133459494ae5f8c
Opcode Fuzzy Hash: 0a655f90a99255dc99ff46309921a40a67e5017953ad418bbd06ad891461425b
Instruction Fuzzy Hash: 10112B32600205AACF10AF24CC02BAD7BA19F40716F50442DFA62EF0C1DE79DE09F751

Function 00F88782 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00F887C0

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: c5c53604bf924304d9e099f1847840e6f8b25e495eed35a7c9130f85faf8672c
Instruction ID: 82e25ac4d6775bd8b89695968533b880f5b812dcd93b25d823b3bb4d7c027f56
Opcode Fuzzy Hash: c5c53604bf924304d9e099f1847840e6f8b25e495eed35a7c9130f85faf8672c
Instruction Fuzzy Hash: B3115A7290410AAFCF15DF58E9419DE7BF4EF48350F104069F808AB301DA31EA12DB64

Function 00F7E972 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb1dcaca3f7520121673565f353bd58828d6484f0fca4c940b7c4def7923b9e8
Instruction ID: 1859ba8a262e4a53ae8af4f72434dd0be7f50dd7fd0e0fda0a8ecd97c1ced0fb
Opcode Fuzzy Hash: eb1dcaca3f7520121673565f353bd58828d6484f0fca4c940b7c4def7923b9e8
Instruction Fuzzy Hash: 22F0F93350162067D6313A269C05BAA36688F46370F108767F629971D1EA78E802A793

Function 00FCF94A Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 00FCF987

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: EnvironmentVariable
String ID:
API String ID: 1431749950-0
Opcode ID: ecbc04913c0cf754846424dcf7d12c2fd958b46290f5d8f5fc5b5d1133990955
Instruction ID: 78e155b8987aa3467cb25491f3938468a4e6e17fa13ad60b7ff468bbf75e1ebc
Opcode Fuzzy Hash: ecbc04913c0cf754846424dcf7d12c2fd958b46290f5d8f5fc5b5d1133990955
Instruction Fuzzy Hash: 4DF0A472600105BFCB01EBA5CC46E9FB7B8EF49720F004055F5099B261DE74ED45D761

Function 00F83B93 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00F76A79,?,0000015D,?,?,?,?,00F785B0,000000FF,00000000,?,?), ref: 00F83BC5

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ede19c246959c2ef4a4cdc2071be0a1f295f9bd062b3562e88d4df6c6084f984
Instruction ID: b256b2ba2393b30f2c448f4f514d8277fb4f2802149ede8e31c5de8f43ab5985
Opcode Fuzzy Hash: ede19c246959c2ef4a4cdc2071be0a1f295f9bd062b3562e88d4df6c6084f984
Instruction Fuzzy Hash: C4E0E57160162066DA303672AC01BDA3648AF81FB0F144521EC08964B1DB74CE00B3A2

Function 00F566E7 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a86be1a72cc9ec4ebffd9332ce5adc3dd703da11a9dcbf687838d1371972d384
Instruction ID: d313470eef4326028d080c58ecb82136e12fc4bf32f6c7b49035d2bd75ff4369
Opcode Fuzzy Hash: a86be1a72cc9ec4ebffd9332ce5adc3dd703da11a9dcbf687838d1371972d384
Instruction Fuzzy Hash: 60F03072505741CFDB349F64E8A0816BBF4BF1432A354897EE6E6CB610C7359844EF50

Function 00FA6AD5 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00FA6AE0

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 8e5692f6f06ba8ff2982566050ef67a7c6e7726e05cd3824fa5fd66a2cb6d7f6
Instruction ID: e9e21d7a66263ff8bfe5645d4e202f920777ec719e671e6d8a44e1584b22bd88
Opcode Fuzzy Hash: 8e5692f6f06ba8ff2982566050ef67a7c6e7726e05cd3824fa5fd66a2cb6d7f6
Instruction Fuzzy Hash: BEF0E5B2B04204AAD7208B7498097A1F7E8BB11365F18851ED4D5C3181C7B65494BB62

Function 00F5684A Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00F56868

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction ID: 85409dafb410b3b47bebf98018b09971cca8094bc07f6942945a42d111c4ba24
Opcode Fuzzy Hash: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction Fuzzy Hash: 16F0D47650020DFBDF05DF90C941E9E7B79FB18318F208489F9159A151C336EA21ABA2

Function 00F53907 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00F53963

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: e43127d5d3784f088e922538a2a158145435217f23dea73eac35e3c5e881c5e9
Instruction ID: e10a830001b2c004d002ea1e7fa3efeb635ab73c7b45985658308c129eda00e7
Opcode Fuzzy Hash: e43127d5d3784f088e922538a2a158145435217f23dea73eac35e3c5e881c5e9
Instruction Fuzzy Hash: 84F0A7709003189FE772DF64DC457957BBCA701708F1040A5E68896185D7754788CF42

Function 00F53A57 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00F53A76

Part of subcall function 00F58577: _wcslen.LIBCMT ref: 00F5858A

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 923bb0027c3fb7c14988e49087370039c5b94c33a02dcae1acd3e8db330a9e19
Instruction ID: 4442a0f1432c33bb0ea4c4c3c9e2ebe5e0ce34a33295ab6b698dd2ad72d2fdb0
Opcode Fuzzy Hash: 923bb0027c3fb7c14988e49087370039c5b94c33a02dcae1acd3e8db330a9e19
Instruction Fuzzy Hash: F8E0CD7290012457DB1093589C05FDA77DDDFC87E0F044071FD05D7254DD64DD84D590

Function 00F9071A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,00F90A84,?,?,00000000,?,00F90A84,00000000,0000000C), ref: 00F90737

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 05e304e2aa41afdb08b7a684b04ad276096e6f41ea3f1f0f5244bdb75dae3e9b
Instruction ID: 24375731038bc12daeca954b0d93773ae2fcfc5db22328956f5e2ef5fb001ed3
Opcode Fuzzy Hash: 05e304e2aa41afdb08b7a684b04ad276096e6f41ea3f1f0f5244bdb75dae3e9b
Instruction Fuzzy Hash: C6D06C3200014DBFDF028F84DD46EDA3BAAFB48714F014000BE1856020C736E821AB91

Function 00FBEAB0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00FBD840), ref: 00FBEAB1

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8251b42218499ac3fd5386dfe954de7bdd1a86e743c919049139557ad2149f41
Instruction ID: 8050eba42503261060f991e951212bc330522f1bf646f6221b91aee1f7ec4439
Opcode Fuzzy Hash: 8251b42218499ac3fd5386dfe954de7bdd1a86e743c919049139557ad2149f41
Instruction Fuzzy Hash: 45B0922484860005AD282A395E499D9330E78423B67DC1BC0E47989AE1C33D880FBD50

Function 00FC664C Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00FBDC54: FindFirstFileW.KERNEL32(?,?), ref: 00FBDCCB
Part of subcall function 00FBDC54: DeleteFileW.KERNEL32(?,?,?,?), ref: 00FBDD1B
Part of subcall function 00FBDC54: FindNextFileW.KERNELBASE(00000000,00000010), ref: 00FBDD2C
Part of subcall function 00FBDC54: FindClose.KERNEL32(00000000), ref: 00FBDD43

GetLastError.KERNEL32 ref: 00FC666E

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: FileFind$CloseDeleteErrorFirstLastNext
String ID:
API String ID: 2191629493-0
Opcode ID: d5d93dc3c615a12245d2b5fece8e89fd3c25a066664883a57e0f4631b48ba760
Instruction ID: 85fece53d293ae02756ef895f4116abaf11441c10b4c949a9da2d39f37ef2827
Opcode Fuzzy Hash: d5d93dc3c615a12245d2b5fece8e89fd3c25a066664883a57e0f4631b48ba760
Instruction Fuzzy Hash: B0F082356102049FC714EF59D846B6EB7E5AF84361F048409FD099B352CB74BC05DB91

Non-executed Functions

Function 00F6FC7C Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00F6FC86
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FAFCB8
IsIconic.USER32(00000000), ref: 00FAFCC1
ShowWindow.USER32(00000000,00000009), ref: 00FAFCCE
SetForegroundWindow.USER32(00000000), ref: 00FAFCD8
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00FAFCEE
GetCurrentThreadId.KERNEL32 ref: 00FAFCF5
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00FAFD01
AttachThreadInput.USER32(?,00000000,00000001), ref: 00FAFD12
AttachThreadInput.USER32(?,00000000,00000001), ref: 00FAFD1A
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00FAFD22
SetForegroundWindow.USER32(00000000), ref: 00FAFD25
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FAFD3A
keybd_event.USER32(00000012,00000000), ref: 00FAFD45
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FAFD4F
keybd_event.USER32(00000012,00000000), ref: 00FAFD54
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FAFD5D
keybd_event.USER32(00000012,00000000), ref: 00FAFD62
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FAFD6C
keybd_event.USER32(00000012,00000000), ref: 00FAFD71
SetForegroundWindow.USER32(00000000), ref: 00FAFD74
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00FAFD9B

Strings

Shell_TrayWnd, xrefs: 00FAFCB3

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: b887f2b000f335c1bf0d3b555c87cd68ca159556e075b7adb6e504f796a57fc7
Instruction ID: fb3881f1fdbbbfe7ab6a770c333a73ab239d32350c8e272449ce691acd780cd6
Opcode Fuzzy Hash: b887f2b000f335c1bf0d3b555c87cd68ca159556e075b7adb6e504f796a57fc7
Instruction Fuzzy Hash: 0B3163B1A4035C7EEB216BA55C89F7F7E6CEB44B60F140065FA01EE1D1D6B15D00BAA0

Function 00FB1B4D Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00FB2010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FB205A
Part of subcall function 00FB2010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FB2087
Part of subcall function 00FB2010: GetLastError.KERNEL32 ref: 00FB2097

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00FB1BD2
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00FB1BF4
CloseHandle.KERNEL32(?), ref: 00FB1C05
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00FB1C1D
GetProcessWindowStation.USER32 ref: 00FB1C36
SetProcessWindowStation.USER32(00000000), ref: 00FB1C40
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00FB1C5C

Part of subcall function 00FB1A0B: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FB1B48), ref: 00FB1A20
Part of subcall function 00FB1A0B: CloseHandle.KERNEL32(?,?,00FB1B48), ref: 00FB1A35

Strings

default, xrefs: 00FB1C57
, xrefs: 00FB1BA6
winsta0, xrefs: 00FB1C18

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 2b17c8c917ad6a0f292b27fa022ee36eef32cd8c1df63ae1f3f0c23b9426ce76
Instruction ID: 0cb7d649db021daa4ab45cb3eb7bed66b3d8dea5413dc236a2fd7128f8efd68b
Opcode Fuzzy Hash: 2b17c8c917ad6a0f292b27fa022ee36eef32cd8c1df63ae1f3f0c23b9426ce76
Instruction Fuzzy Hash: F281AB71900248AFDF219FA5DC99FEE7BB8FF08310F544129F914AA1A0D7758A45EF60

Function 00FB14AE Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB1A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FB1A60
Part of subcall function 00FB1A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,00FB14E7,?,?,?), ref: 00FB1A6C
Part of subcall function 00FB1A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00FB14E7,?,?,?), ref: 00FB1A7B
Part of subcall function 00FB1A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00FB14E7,?,?,?), ref: 00FB1A82
Part of subcall function 00FB1A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FB1A99

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FB1518
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FB154C
GetLengthSid.ADVAPI32(?), ref: 00FB1563
GetAce.ADVAPI32(?,00000000,?), ref: 00FB159D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FB15B9
GetLengthSid.ADVAPI32(?), ref: 00FB15D0
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00FB15D8
HeapAlloc.KERNEL32(00000000), ref: 00FB15DF
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FB1600
CopySid.ADVAPI32(00000000), ref: 00FB1607
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FB1636
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FB1658
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FB166A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FB1691
HeapFree.KERNEL32(00000000), ref: 00FB1698
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FB16A1
HeapFree.KERNEL32(00000000), ref: 00FB16A8
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FB16B1
HeapFree.KERNEL32(00000000), ref: 00FB16B8
GetProcessHeap.KERNEL32(00000000,?), ref: 00FB16C4
HeapFree.KERNEL32(00000000), ref: 00FB16CB

Part of subcall function 00FB1ADF: GetProcessHeap.KERNEL32(00000008,00FB14FD,?,00000000,?,00FB14FD,?), ref: 00FB1AED
Part of subcall function 00FB1ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,00FB14FD,?), ref: 00FB1AF4
Part of subcall function 00FB1ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00FB14FD,?), ref: 00FB1B03

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 0a9c00b763a0b61e6f97432ffdcade75bf178d083ee5df9be9658f549a252bf0
Instruction ID: 8278747b74f1ba8de1c1cde735a4825af5d3753c0a376502eadfa84785d128b3
Opcode Fuzzy Hash: 0a9c00b763a0b61e6f97432ffdcade75bf178d083ee5df9be9658f549a252bf0
Instruction Fuzzy Hash: FC7188B2D01209ABDF10DFA6DC98FEEBBB9BF04310F484515E915EA190D7359A05EFA0

Function 00FCF55C Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00FEDCD0), ref: 00FCF586
IsClipboardFormatAvailable.USER32(0000000D), ref: 00FCF594
GetClipboardData.USER32(0000000D), ref: 00FCF5A0
CloseClipboard.USER32 ref: 00FCF5AC
GlobalLock.KERNEL32(00000000), ref: 00FCF5E4
CloseClipboard.USER32 ref: 00FCF5EE
GlobalUnlock.KERNEL32(00000000), ref: 00FCF619
IsClipboardFormatAvailable.USER32(00000001), ref: 00FCF626
GetClipboardData.USER32(00000001), ref: 00FCF62E
GlobalLock.KERNEL32(00000000), ref: 00FCF63F
GlobalUnlock.KERNEL32(00000000), ref: 00FCF67F
IsClipboardFormatAvailable.USER32(0000000F), ref: 00FCF695
GetClipboardData.USER32(0000000F), ref: 00FCF6A1
GlobalLock.KERNEL32(00000000), ref: 00FCF6B2
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00FCF6D4
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00FCF6F1
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00FCF72F
GlobalUnlock.KERNEL32(00000000), ref: 00FCF750
CountClipboardFormats.USER32 ref: 00FCF771
CloseClipboard.USER32 ref: 00FCF7B6

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: ae90d51bdfcd22bd9d6ed5a2ddb89d814918f02a94f2624bf42663c5bafc8be3
Instruction ID: dd1b7b5adcb8995124f4bc35406b16bbd23f82d1648fb772bfe360f57d00aad0
Opcode Fuzzy Hash: ae90d51bdfcd22bd9d6ed5a2ddb89d814918f02a94f2624bf42663c5bafc8be3
Instruction Fuzzy Hash: FA610331200346AFC300EF20DD86F2ABBA5AF84714F14446CF946CB2A2DB31DD49EB62

Function 00FC73D4 Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FC7403
FindClose.KERNEL32(00000000), ref: 00FC7457
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FC7493
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FC74BA

Part of subcall function 00F5B329: _wcslen.LIBCMT ref: 00F5B333

FileTimeToSystemTime.KERNEL32(?,?), ref: 00FC74F7
FileTimeToSystemTime.KERNEL32(?,?), ref: 00FC7524

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00FC75AF
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00FC7577
%4d, xrefs: 00FC75F6
%02d, xrefs: 00FC7645, 00FC764F, 00FC769F, 00FC76EF, 00FC773F, 00FC778F
%03d, xrefs: 00FC77E7

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 8bbf10d2a1b1bcca0919fe13fd1bb7c373e9a20fcd8c615dfa50227a958f0d20
Instruction ID: 5b322387719b8c19d4d9227e1505d7247fba07b16e0b3d5da94eaf0a8aa203fa
Opcode Fuzzy Hash: 8bbf10d2a1b1bcca0919fe13fd1bb7c373e9a20fcd8c615dfa50227a958f0d20
Instruction Fuzzy Hash: DBD16272508344AEC304EB64CC82EBBB7ECAF88705F44091DFA85D6151EB79DA48DB62

Function 00FCA087 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00FCA0A8
GetFileAttributesW.KERNEL32(?), ref: 00FCA0E6
SetFileAttributesW.KERNEL32(?,?), ref: 00FCA100
FindNextFileW.KERNEL32(00000000,?), ref: 00FCA118
FindClose.KERNEL32(00000000), ref: 00FCA123
FindFirstFileW.KERNEL32(*.*,?), ref: 00FCA13F
SetCurrentDirectoryW.KERNEL32(?), ref: 00FCA18F
SetCurrentDirectoryW.KERNEL32(01017B94), ref: 00FCA1AD
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FCA1B7
FindClose.KERNEL32(00000000), ref: 00FCA1C4
FindClose.KERNEL32(00000000), ref: 00FCA1D4

Strings

*.*, xrefs: 00FCA13A

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 044a4842257887e38be4e6098cabf44d187f55a9481110d3e1bdcb95359003c1
Instruction ID: a83f85e302b51d822af0a98b197ed4ffae0561b11eec3c8ea9bc726416671483
Opcode Fuzzy Hash: 044a4842257887e38be4e6098cabf44d187f55a9481110d3e1bdcb95359003c1
Instruction Fuzzy Hash: 6731083190024E6FDB109FB5DD8AFDE77ACAF04378F144059E915E6090EB74EE44AE21

Function 00FC4763 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00FC4785
_wcslen.LIBCMT ref: 00FC47B2
CreateDirectoryW.KERNEL32(?,00000000), ref: 00FC47E2
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00FC4803
RemoveDirectoryW.KERNEL32(?), ref: 00FC4813
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00FC489A
CloseHandle.KERNEL32(00000000), ref: 00FC48A5
CloseHandle.KERNEL32(00000000), ref: 00FC48B0

Strings

:, xrefs: 00FC47C7
\, xrefs: 00FC47BC
\??\%s, xrefs: 00FC47A0

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: a4de3f81f399dac89b522a5b07ba5093aeaf72b01b7b6462f81ba063a8e7f5ea
Instruction ID: 8a8c21b57613ff8fba0cc77d8a84b9b4a1c2a9ef4c019d06857dd3c6044dee26
Opcode Fuzzy Hash: a4de3f81f399dac89b522a5b07ba5093aeaf72b01b7b6462f81ba063a8e7f5ea
Instruction Fuzzy Hash: 9731947190014AABDB219FA0DC89FEB37BCEF89710F1041BAF619D60A0E7749644EB25

Function 00FCA1E2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00FCA203
FindNextFileW.KERNEL32(00000000,?), ref: 00FCA25E
FindClose.KERNEL32(00000000), ref: 00FCA269
FindFirstFileW.KERNEL32(*.*,?), ref: 00FCA285
SetCurrentDirectoryW.KERNEL32(?), ref: 00FCA2D5
SetCurrentDirectoryW.KERNEL32(01017B94), ref: 00FCA2F3
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FCA2FD
FindClose.KERNEL32(00000000), ref: 00FCA30A
FindClose.KERNEL32(00000000), ref: 00FCA31A

Part of subcall function 00FBE399: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00FBE3B4

Strings

*.*, xrefs: 00FCA280

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 751a69cd83e0095441986e2964197d87d193e74515bc8022d091e4aa921ec9ed
Instruction ID: 2a6f947650a6ea56307134c6588b9a5a829d1490717f8e7e18a2d86be1de4070
Opcode Fuzzy Hash: 751a69cd83e0095441986e2964197d87d193e74515bc8022d091e4aa921ec9ed
Instruction Fuzzy Hash: 6731483190025E6ECB10AFB5DC4AFDE77ACAF04338F144159E900A7090D776EE45EA11

Function 00FDC8A4 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FDD3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FDC10E,?,?), ref: 00FDD415
Part of subcall function 00FDD3F8: _wcslen.LIBCMT ref: 00FDD451
Part of subcall function 00FDD3F8: _wcslen.LIBCMT ref: 00FDD4C8
Part of subcall function 00FDD3F8: _wcslen.LIBCMT ref: 00FDD4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FDC99E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00FDCA09
RegCloseKey.ADVAPI32(00000000), ref: 00FDCA2D
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00FDCA8C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00FDCB47
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00FDCBB4
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00FDCC49
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00FDCC9A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00FDCD43
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00FDCDE2
RegCloseKey.ADVAPI32(00000000), ref: 00FDCDEF

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 9dee621ae86821e6d1b7a1e5fe68cd1eda69ce8540ecf5b4af60d14761086184
Instruction ID: f5de0218419e82598b82e78eb7b4d4d255271c1ba7abfb0d84b053655ecb2cd7
Opcode Fuzzy Hash: 9dee621ae86821e6d1b7a1e5fe68cd1eda69ce8540ecf5b4af60d14761086184
Instruction Fuzzy Hash: 4A027271A04241AFC714DF24C895E2ABBE6EF88314F18849DF949CB3A2C735ED46DB91

Function 00FBD921 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F55851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F555D1,?,?,00F94B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00F55871

Part of subcall function 00FBEAB0: GetFileAttributesW.KERNEL32(?,00FBD840), ref: 00FBEAB1

FindFirstFileW.KERNEL32(?,?), ref: 00FBD9CD
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00FBDA88
MoveFileW.KERNEL32(?,?), ref: 00FBDA9B
DeleteFileW.KERNEL32(?,?,?,?), ref: 00FBDAB8
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FBDAE2

Part of subcall function 00FBDB47: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00FBDAC7,?,?), ref: 00FBDB5D

FindClose.KERNEL32(00000000,?,?,?), ref: 00FBDAFE
FindClose.KERNEL32(00000000), ref: 00FBDB0F

Strings

\*.*, xrefs: 00FBD978, 00FBD981, 00FBD996

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 19b65e43d0e26c043630ed2f20623c291d0e9133940dc5a34e729f63ec039198
Instruction ID: eeed5d285b9dffd37cff2aa83e3a0ea66528b4b42e5b69c6bd0a1165855309f8
Opcode Fuzzy Hash: 19b65e43d0e26c043630ed2f20623c291d0e9133940dc5a34e729f63ec039198
Instruction Fuzzy Hash: BC614931C0114DAECF05EBA1CD929EDB7B9AF15301F2040A5E902B7192EB396F09EF61

Function 00FCF7C7 Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00FCF7EE
EmptyClipboard.USER32 ref: 00FCF7F4
GlobalAlloc.KERNEL32(00000002,?), ref: 00FCF809
CloseClipboard.USER32 ref: 00FCF900

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 8ea997fd5e988064c009b7bd558e97fbb2bb611913e1aa5fb8c63247df045ed5
Instruction ID: 8288261fed0b39d67282897171ad541c3edb61dc8d65ca9a288a6c453eb17ed6
Opcode Fuzzy Hash: 8ea997fd5e988064c009b7bd558e97fbb2bb611913e1aa5fb8c63247df045ed5
Instruction Fuzzy Hash: 9B41BD31A04642AFD720CF14D989F15BBE1EF44368F14C4ACE8198FAA2C735ED46EB90

Function 00FBF20D Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB2010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FB205A
Part of subcall function 00FB2010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FB2087
Part of subcall function 00FB2010: GetLastError.KERNEL32 ref: 00FB2097

ExitWindowsEx.USER32(?,00000000), ref: 00FBF249

Strings

, xrefs: 00FBF273
@, xrefs: 00FBF23C
SeShutdownPrivilege, xrefs: 00FBF219
, xrefs: 00FBF237

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 84caa85a5a910d67d680cf206fdef3f3cfb33a363c4d482c66bd63f0d17cf0e6
Instruction ID: fd055c9956e47471cfc8e94f7dcf5b87dc003b03051de884eb2133d675a796f7
Opcode Fuzzy Hash: 84caa85a5a910d67d680cf206fdef3f3cfb33a363c4d482c66bd63f0d17cf0e6
Instruction Fuzzy Hash: 8F01F97BA102146FEB1466BA9CCAFFF726C9F08354F150531FD02E61D1D5645D08BA90

Function 00F8BCD2 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F8BD54
_free.LIBCMT ref: 00F8BD78
_free.LIBCMT ref: 00F8BEFF
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00FF46D0), ref: 00F8BF11
WideCharToMultiByte.KERNEL32(00000000,00000000,0102221C,000000FF,00000000,0000003F,00000000,?,?), ref: 00F8BF89
WideCharToMultiByte.KERNEL32(00000000,00000000,01022270,000000FF,?,0000003F,00000000,?), ref: 00F8BFB6
_free.LIBCMT ref: 00F8C0CB

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 81960263cc90bd5603255fb80646ab1a078e7954d69b6d76e9546f88b94fa93a
Instruction ID: 697f9413d53be540af878b39046d41b52459c582b6468ac6791ef6fdc676c8b2
Opcode Fuzzy Hash: 81960263cc90bd5603255fb80646ab1a078e7954d69b6d76e9546f88b94fa93a
Instruction Fuzzy Hash: F8C12932D00205AFDB20BF78CC45BEA7BB8EF46320F24419AE594DB251E7359E41EB90

Function 00FC3A0E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00F956C2,?,?,00000000,00000000), ref: 00FC3A1E
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00F956C2,?,?,00000000,00000000), ref: 00FC3A35
LoadResource.KERNEL32(?,00000000,?,?,00F956C2,?,?,00000000,00000000,?,?,?,?,?,?,00F566CE), ref: 00FC3A45
SizeofResource.KERNEL32(?,00000000,?,?,00F956C2,?,?,00000000,00000000,?,?,?,?,?,?,00F566CE), ref: 00FC3A56
LockResource.KERNEL32(00F956C2,?,?,00F956C2,?,?,00000000,00000000,?,?,?,?,?,?,00F566CE,?), ref: 00FC3A65

Strings

SCRIPT, xrefs: 00FC3A2B

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 62821a686d1bc9182f17202e2da7c767d6f006aab292d9885bc680a45baa3933
Instruction ID: 61f3e11e60cfc9e64568a1f0a77a7ce30a78cb75a9a76ca8cabe475946f78e78
Opcode Fuzzy Hash: 62821a686d1bc9182f17202e2da7c767d6f006aab292d9885bc680a45baa3933
Instruction Fuzzy Hash: 7111CE74600306BFD7208F25DD89F277BB9EBC5B50F10826CF502DA150DB71DD00A621

Function 00FB20AA Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB1900: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FB1916
Part of subcall function 00FB1900: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FB1922
Part of subcall function 00FB1900: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FB1931
Part of subcall function 00FB1900: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FB1938
Part of subcall function 00FB1900: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FB194E

GetLengthSid.ADVAPI32(?,00000000,00FB1C81), ref: 00FB20FB
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00FB2107
HeapAlloc.KERNEL32(00000000), ref: 00FB210E
CopySid.ADVAPI32(00000000,00000000,?), ref: 00FB2127
GetProcessHeap.KERNEL32(00000000,00000000,00FB1C81), ref: 00FB213B
HeapFree.KERNEL32(00000000), ref: 00FB2142

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: f8f1d007aebed899d7ea1568ed7d07710e2ab8e9917da91dfc8149db6139bf0c
Instruction ID: 188185e29c309d86ff5fc1c7fc37dfcf1ba8523f5314946e2721a1db37637bcd
Opcode Fuzzy Hash: f8f1d007aebed899d7ea1568ed7d07710e2ab8e9917da91dfc8149db6139bf0c
Instruction Fuzzy Hash: D011D072901208FFEB509F69CC89BEE7BB9EF45365F144018E9419B120C7399A40EF60

Function 00FCA570 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00F5B329: _wcslen.LIBCMT ref: 00F5B333

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00FCA5BD
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00FCA6D0

Part of subcall function 00FC42B9: GetInputState.USER32 ref: 00FC4310
Part of subcall function 00FC42B9: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FC43AB

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00FCA5ED
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00FCA6BA

Strings

*.*, xrefs: 00FCA5A2

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: e4ba7df4daaaf9b33a50fb21ac92667da4c9f89583c44b456a25be385d11a00c
Instruction ID: c314684d134887504d28aa0106442855f6b30638363c6150d4e1b8314da9321d
Opcode Fuzzy Hash: e4ba7df4daaaf9b33a50fb21ac92667da4c9f89583c44b456a25be385d11a00c
Instruction Fuzzy Hash: E7415E7190020EAFCB14DFA4CD46FEEBBB4AF05314F14405AE915A61A1EB35AE44EB61

Function 00F522AD Relevance: 7.8, APIs: 5, Instructions: 308COMMON

Download Yara Rule

APIs

DefDlgProcW.USER32(?,?), ref: 00F5233E
GetSysColor.USER32(0000000F), ref: 00F52421
SetBkColor.GDI32(?,00000000), ref: 00F52434

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Color$Proc
String ID:
API String ID: 929743424-0
Opcode ID: f63338caa66fef5b991aabcc391f6845ea051e2166f24ee4963a2b8fcd6598ba
Instruction ID: c7deab2b8da3a324d075152cf9ecf9d96666b630ab3935e746c0a7c0c6f1aff6
Opcode Fuzzy Hash: f63338caa66fef5b991aabcc391f6845ea051e2166f24ee4963a2b8fcd6598ba
Instruction Fuzzy Hash: AC8157B2508440BAFA78A6794C88F7F254EEB43362B150309FB02C6596C95D9F0AF272

Function 00FD2263 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD3AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FD3AD7
Part of subcall function 00FD3AAB: _wcslen.LIBCMT ref: 00FD3AF8

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00FD22BA
WSAGetLastError.WSOCK32 ref: 00FD22E1
bind.WSOCK32(00000000,?,00000010), ref: 00FD2338
WSAGetLastError.WSOCK32 ref: 00FD2343
closesocket.WSOCK32(00000000), ref: 00FD2372

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 813720d3f06d7791f52c5be369a0818678dc2446f549e2c7db1cf72997349379
Instruction ID: f42d7aa520219b67f59ab30de43f922a6bf03a2000c1f1f7b1be50ee8c1e2004
Opcode Fuzzy Hash: 813720d3f06d7791f52c5be369a0818678dc2446f549e2c7db1cf72997349379
Instruction Fuzzy Hash: F851B375A00200AFE710AF24C886F6A77E5AB44754F088099F9459F3D3C779AD42EBE1

Function 00FE26DD Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00FE275C
IsWindowEnabled.USER32 ref: 00FE276A
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00FE2777
IsIconic.USER32 ref: 00FE2785
IsZoomed.USER32 ref: 00FE2793

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 2982cff0aee5accb6c7fd6f5bcc135e3c40b182c6857cf239f04429de2835cf9
Instruction ID: 896df82c716637366f815c13177ba0fb77ba75aeb4a6af97cbad118e20357392
Opcode Fuzzy Hash: 2982cff0aee5accb6c7fd6f5bcc135e3c40b182c6857cf239f04429de2835cf9
Instruction Fuzzy Hash: 2C21F431B002958FD7509F27CC84B1A7BE9FF84324F198069E8498B351EB71ED42EB90

Function 00FCD889 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00FCD8CE
GetLastError.KERNEL32(?,00000000), ref: 00FCD92F
SetEvent.KERNEL32(?,?,00000000), ref: 00FCD943

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: c49950354bf579a1c6ba732a86cc748a2dd2fafb3f34653c171e7c2ccd2bcae9
Instruction ID: 3e8711619f405b3898b037391084ef91db69579c38d35cee83a2191fe7d78704
Opcode Fuzzy Hash: c49950354bf579a1c6ba732a86cc748a2dd2fafb3f34653c171e7c2ccd2bcae9
Instruction Fuzzy Hash: F321AF76900706AFE7209F65CE86FAAB7FCEB41324F10442EE64696941E774EA04EB50

Function 00FBE472 Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00F946AC), ref: 00FBE482
GetFileAttributesW.KERNEL32(?), ref: 00FBE491
FindFirstFileW.KERNEL32(?,?), ref: 00FBE4A2
FindClose.KERNEL32(00000000), ref: 00FBE4AE

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 324c435c7d224a3d50cee5fc9d4d400975b94093fe64d85543cce9245ff1ba26
Instruction ID: 4bb24fe3a4ec4f6306ae84422b94fa2d41fc98b167be912788af73c7a12ae6d8
Opcode Fuzzy Hash: 324c435c7d224a3d50cee5fc9d4d400975b94093fe64d85543cce9245ff1ba26
Instruction Fuzzy Hash: FBF0E5398109149BD210A73CAC4D8EB776EAE02335B504701F936C64F0D7789D95BA95

Function 00FAE5F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00FAE5F8

Strings

%.3d, xrefs: 00FAE603
X64, xrefs: 00FAE680

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 261e6bc49cce0f9df52ec9e5905f5bde64e66ce221b9bb818389378552e329de
Instruction ID: ddc7e989b2f3b0f325292fbaa91938c23abab8f3205a26c07fc36b8481010660
Opcode Fuzzy Hash: 261e6bc49cce0f9df52ec9e5905f5bde64e66ce221b9bb818389378552e329de
Instruction Fuzzy Hash: B5D05BF7C1410CD6CBC0DB909D88EB9737CBB29300F148C56F906D1100E6349908BF21

Function 00F82992 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 00F82A8A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 00F82A94
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 00F82AA1

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 1359aac43e6c7591e27d8b10d601e7d904d6b250ea2c7f9e43dc1cbf7434ab09
Instruction ID: 2b996cf2874a17b56758e5c2757bd5d3ea1c8eee6b9c4ed7fb1798a209993f10
Opcode Fuzzy Hash: 1359aac43e6c7591e27d8b10d601e7d904d6b250ea2c7f9e43dc1cbf7434ab09
Instruction Fuzzy Hash: 6031D57490122C9BCB61DF68DD887DCBBB8AF08310F5081DAE80CA6250EB349F859F45

Function 00FB2010 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00F7014B: __CxxThrowException@8.LIBVCRUNTIME ref: 00F709D8
Part of subcall function 00F7014B: __CxxThrowException@8.LIBVCRUNTIME ref: 00F709F5

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FB205A
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FB2087
GetLastError.KERNEL32 ref: 00FB2097

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: b0a02f0d6aa6987a693349fc792688629e3f76ba3e13b355bb6790250b324656
Instruction ID: 833cd2d99a149c97085903c7babb0b5fe7879e7a04ee6ce0561be9ee083e34c4
Opcode Fuzzy Hash: b0a02f0d6aa6987a693349fc792688629e3f76ba3e13b355bb6790250b324656
Instruction Fuzzy Hash: 8211BFB2400204AFD718AF54DCC6E6BB7B8EF04750B20852EF05A57251DB70BC41DB20

Function 00F75058 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00F7502E,?,010198D8,0000000C,00F75185,?,00000002,00000000), ref: 00F75079
TerminateProcess.KERNEL32(00000000,?,00F7502E,?,010198D8,0000000C,00F75185,?,00000002,00000000), ref: 00F75080
ExitProcess.KERNEL32 ref: 00F75092

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: dbae4283a56f96119a29e4dca89389019d487af5d88788b6bbe35dbcb38e44db
Instruction ID: 6353721cb622407392082ea87ef75a56902c53932dd3e3dfa085b422ba775341
Opcode Fuzzy Hash: dbae4283a56f96119a29e4dca89389019d487af5d88788b6bbe35dbcb38e44db
Instruction Fuzzy Hash: F7E08C3140068CAFCF216F50CD48E483B6AEF10B91F008014F8098E531DB7AED52EBC1

Function 00FBECD0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00FBED04

Strings

DOWN, xrefs: 00FBECE9

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: c0332242f7f5fc1e508a21fcc55dd69160a7392baeaefdecc9a8248bf968f679
Instruction ID: 1293e27fa3ddc05f5b9f03cfb13007f01f7345fe9e314755a9173e43a6fae753
Opcode Fuzzy Hash: c0332242f7f5fc1e508a21fcc55dd69160a7392baeaefdecc9a8248bf968f679
Instruction Fuzzy Hash: 12E086A619D72538F91421157C06EF6234CAF16734711414BF840E80C4EE986C41B4A9

Function 00FAE652 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00FAE664

Strings

X64, xrefs: 00FAE680

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 149c874673d2a8c82e2b1a7c4a50e633229b8d521e7f4aa97dca2ea066f83f1d
Instruction ID: e73a57ed10275e1d83d7ba347aa4a8f5ebe3035ee8897e60934a49bda96b12ff
Opcode Fuzzy Hash: 149c874673d2a8c82e2b1a7c4a50e633229b8d521e7f4aa97dca2ea066f83f1d
Instruction Fuzzy Hash: A9D0C9FA81111DEACB80CB60ECC8ED9737CBB04304F100A51F106A2100DB30A548AF10

Function 00FC41FA Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00FD52EE,?,?,00000035,?), ref: 00FC4229
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00FD52EE,?,?,00000035,?), ref: 00FC4239

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 80b97d4f4b7cba16b2e008ba1cfe64489448086a70ba01ded9fefc2ee9958a57
Instruction ID: 2b578b7ba152d8f0b7f8403f4e4b9044a2a705ac9906712e36c2780f4d14bd63
Opcode Fuzzy Hash: 80b97d4f4b7cba16b2e008ba1cfe64489448086a70ba01ded9fefc2ee9958a57
Instruction Fuzzy Hash: A2F0E5316002296AEB2017659C4EFEB766DEFC5761F000179F609D2181D9709904E6B0

Function 00FBBBED Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00FBBC24
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 00FBBC37

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 72476bfb4dfc4dc9928a5559382607506a246ca0fa5032cf89332dc0a2384b8c
Instruction ID: d6b60831235dee042346f94dbadddc2ab7d6d3781ce31fad00dd5abaade07ac9
Opcode Fuzzy Hash: 72476bfb4dfc4dc9928a5559382607506a246ca0fa5032cf89332dc0a2384b8c
Instruction Fuzzy Hash: 66F06D7180028DABDB01DFA1C805BFE7FB0FF04309F048009F951A9192C7B98201EF94

Function 00FB1A0B Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FB1B48), ref: 00FB1A20
CloseHandle.KERNEL32(?,?,00FB1B48), ref: 00FB1A35

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: c225c26d33552e3fadbd6a175867eef6ae60413dcd831425208c502bcf5c76a1
Instruction ID: 087d1d1233bc8850de16574d84f4537f0c140c9c11e012c81e3a6290dbd21736
Opcode Fuzzy Hash: c225c26d33552e3fadbd6a175867eef6ae60413dcd831425208c502bcf5c76a1
Instruction Fuzzy Hash: 9CE0BF72014614EFF7252B11FC45F76B7A9FF04321F14892EF5A5844B0DBA66C91EB50

Function 00FCF4FF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00FCF51A

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 55b5ede39a444a3e9685f54c600a0d00657b2e65050d4d8ebee4b491748085ad
Instruction ID: 1225b824f772224c3401b3421508789e385af94517dd781113530dcd6f1da146
Opcode Fuzzy Hash: 55b5ede39a444a3e9685f54c600a0d00657b2e65050d4d8ebee4b491748085ad
Instruction Fuzzy Hash: 71E0D8322002059FC7109F69D801E86F7D8AFA4361F048429FD4ACB311C674F9449B90

Function 00F70D45 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00020D51,00F7075E), ref: 00F70D4A

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: fceccaacda007f2fa5c33f4db2ac861a8ab5977a8ca7ae13aec163db4416d525
Instruction ID: d40c843bd38749763646a7d8177d7554f14b9048916154c2a804058a243f13f7
Opcode Fuzzy Hash: fceccaacda007f2fa5c33f4db2ac861a8ab5977a8ca7ae13aec163db4416d525
Instruction Fuzzy Hash:

Function 00FD353B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00FD358D
DeleteObject.GDI32(00000000), ref: 00FD35A0
DestroyWindow.USER32 ref: 00FD35AF
GetDesktopWindow.USER32 ref: 00FD35CA
GetWindowRect.USER32(00000000), ref: 00FD35D1
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00FD3700
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00FD370E
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FD3755
GetClientRect.USER32(00000000,?), ref: 00FD3761
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00FD379D
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FD37BF
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FD37D2
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FD37DD
GlobalLock.KERNEL32(00000000), ref: 00FD37E6
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FD37F5
GlobalUnlock.KERNEL32(00000000), ref: 00FD37FE
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FD3805
GlobalFree.KERNEL32(00000000), ref: 00FD3810
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FD3822
OleLoadPicture.OLEAUT32(?,00000000,00000000,00FF0C04,00000000), ref: 00FD3838
GlobalFree.KERNEL32(00000000), ref: 00FD3848
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00FD386E
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00FD388D
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FD38AF
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FD3A9C

Strings

DISPLAY, xrefs: 00FD38FF
static, xrefs: 00FD3797, 00FD38EE
AutoIt v3, xrefs: 00FD374F
, xrefs: 00FD3A22

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 06c0dbcc4e66ef44451d893f402ac82f0ce1859be45ea1ab221295b911bc8fcc
Instruction ID: f3e0ca0a45adabd1ab1e081ccb31977380862670f1cb6b4355a0235dd7c8e4ec
Opcode Fuzzy Hash: 06c0dbcc4e66ef44451d893f402ac82f0ce1859be45ea1ab221295b911bc8fcc
Instruction Fuzzy Hash: 34025171900209AFDB14DF64CD89EAE7BBAEF48310F148159FA15AB2A0C775ED01DF61

Function 00FE7B0D Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00FE7B67
GetSysColorBrush.USER32(0000000F), ref: 00FE7B98
GetSysColor.USER32(0000000F), ref: 00FE7BA4
SetBkColor.GDI32(?,000000FF), ref: 00FE7BBE
SelectObject.GDI32(?,?), ref: 00FE7BCD
InflateRect.USER32(?,000000FF,000000FF), ref: 00FE7BF8
GetSysColor.USER32(00000010), ref: 00FE7C00
CreateSolidBrush.GDI32(00000000), ref: 00FE7C07
FrameRect.USER32(?,?,00000000), ref: 00FE7C16
DeleteObject.GDI32(00000000), ref: 00FE7C1D
InflateRect.USER32(?,000000FE,000000FE), ref: 00FE7C68
FillRect.USER32(?,?,?), ref: 00FE7C9A
GetWindowLongW.USER32(?,000000F0), ref: 00FE7CBC

Part of subcall function 00FE7E22: GetSysColor.USER32(00000012), ref: 00FE7E5B
Part of subcall function 00FE7E22: SetTextColor.GDI32(?,00FE7B2D), ref: 00FE7E5F
Part of subcall function 00FE7E22: GetSysColorBrush.USER32(0000000F), ref: 00FE7E75
Part of subcall function 00FE7E22: GetSysColor.USER32(0000000F), ref: 00FE7E80
Part of subcall function 00FE7E22: GetSysColor.USER32(00000011), ref: 00FE7E9D
Part of subcall function 00FE7E22: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FE7EAB
Part of subcall function 00FE7E22: SelectObject.GDI32(?,00000000), ref: 00FE7EBC
Part of subcall function 00FE7E22: SetBkColor.GDI32(?,?), ref: 00FE7EC5
Part of subcall function 00FE7E22: SelectObject.GDI32(?,?), ref: 00FE7ED2
Part of subcall function 00FE7E22: InflateRect.USER32(?,000000FF,000000FF), ref: 00FE7EF1
Part of subcall function 00FE7E22: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FE7F08
Part of subcall function 00FE7E22: GetWindowLongW.USER32(?,000000F0), ref: 00FE7F15

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 89a8e7077461bd36de34f2ead022982d99adc3b521043f8d20e1652e64d87a8c
Instruction ID: dae78e8f14359c56b201da19acc17122e72109f7ac8eff7006fe216db7a7ccf8
Opcode Fuzzy Hash: 89a8e7077461bd36de34f2ead022982d99adc3b521043f8d20e1652e64d87a8c
Instruction Fuzzy Hash: E3A1A172408385BFD710AF64DC88E6BBBA9FF88330F140A19F9629A1E0D775D944EB51

Function 00F51625 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00F516B4
SendMessageW.USER32(?,00001308,?,00000000), ref: 00F92B07
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00F92B40
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00F92F85

Part of subcall function 00F51802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F51488,?,00000000,?,?,?,?,00F5145A,00000000,?), ref: 00F51865

SendMessageW.USER32(?,00001053), ref: 00F92FC1
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00F92FD8
ImageList_Destroy.COMCTL32(00000000,?), ref: 00F92FEE
ImageList_Destroy.COMCTL32(00000000,?), ref: 00F92FF9

Strings

0, xrefs: 00F92E11

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 1bd8d9d38255e407980ac70f9265ac9b593274578e138a365c5e9f599bd63452
Instruction ID: bee08ebb88a800823a8f4377186f51ec45dc4bd8b6bc4709353257a4f3b4ef28
Opcode Fuzzy Hash: 1bd8d9d38255e407980ac70f9265ac9b593274578e138a365c5e9f599bd63452
Instruction Fuzzy Hash: 9E12E030A00201AFEB75DF14C884BA9B7E5FF45325F184129F995DB662C736EC86EB81

Function 00FD316E Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00FD319B
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00FD32C7
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00FD3306
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00FD3316
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00FD335D
GetClientRect.USER32(00000000,?), ref: 00FD3369
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00FD33B2
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00FD33C1
GetStockObject.GDI32(00000011), ref: 00FD33D1
SelectObject.GDI32(00000000,00000000), ref: 00FD33D5
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00FD33E5
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FD33EE
DeleteDC.GDI32(00000000), ref: 00FD33F7
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00FD3423
SendMessageW.USER32(00000030,00000000,00000001), ref: 00FD343A
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00FD347A
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00FD348E
SendMessageW.USER32(00000404,00000001,00000000), ref: 00FD349F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00FD34D4
GetStockObject.GDI32(00000011), ref: 00FD34DF
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00FD34EA
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00FD34F4

Strings

DISPLAY, xrefs: 00FD33B7
msctls_progress32, xrefs: 00FD3470
static, xrefs: 00FD33AC, 00FD34CE
AutoIt v3, xrefs: 00FD3355

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 5c7bbbcdaef874f471ee25125a7d6b3f536bd0fcde87add8f8c07c7826ca7880
Instruction ID: f3a73276c6e152f3667a4829ffcea216da0570a7e9d4af9c5ceab74ce0b48f0b
Opcode Fuzzy Hash: 5c7bbbcdaef874f471ee25125a7d6b3f536bd0fcde87add8f8c07c7826ca7880
Instruction Fuzzy Hash: 19B163B1A00215AFEB24DFA8CC85FAEBBB9EB44711F148115FA15EB290D774ED40DB90

Function 00FC5524 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FC5532
GetDriveTypeW.KERNEL32(?,00FEDC30,?,\\.\,00FEDCD0), ref: 00FC560F
SetErrorMode.KERNEL32(00000000,00FEDC30,?,\\.\,00FEDCD0), ref: 00FC577B

Strings

MMC, xrefs: 00FC5723
Removable, xrefs: 00FC5655, 00FC565A
SSD, xrefs: 00FC568F
ATA, xrefs: 00FC56DD
SATA, xrefs: 00FC5715
ATAPI, xrefs: 00FC56D6
USB, xrefs: 00FC56F9
Fibre, xrefs: 00FC56F2
RAID, xrefs: 00FC5700
SCSI, xrefs: 00FC56CF
Unknown, xrefs: 00FC5632, 00FC56C8
iSCSI, xrefs: 00FC5707
SSA, xrefs: 00FC56EB
FileBackedVirtual, xrefs: 00FC5731
SAS, xrefs: 00FC570E
CDROM, xrefs: 00FC5640
Fixed, xrefs: 00FC564E
1394, xrefs: 00FC56E4
Network, xrefs: 00FC5647
\\.\, xrefs: 00FC5584
PhysicalDrive, xrefs: 00FC55BB
RAMDisk, xrefs: 00FC5639
Virtual, xrefs: 00FC572A

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: a6c9133d331ed4b91c9a9fd8908d95645558abc42de04ff3e90bc5f681f005a1
Instruction ID: 67e9e7e8c8dedbae13cf456dd4b6d868ec8ee3f6113c71e4023656d033ead10e
Opcode Fuzzy Hash: a6c9133d331ed4b91c9a9fd8908d95645558abc42de04ff3e90bc5f681f005a1
Instruction Fuzzy Hash: 3361BF32A4090EDBC724EF25CA93F7877B1AF44B64BA4401DE446AF255C629ADC1FB41

Function 00FE1A8F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00FE1BC4
GetDesktopWindow.USER32 ref: 00FE1BD9
GetWindowRect.USER32(00000000), ref: 00FE1BE0
GetWindowLongW.USER32(?,000000F0), ref: 00FE1C35
DestroyWindow.USER32(?), ref: 00FE1C55
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00FE1C89
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FE1CA7
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00FE1CB9
SendMessageW.USER32(00000000,00000421,?,?), ref: 00FE1CCE
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00FE1CE1
IsWindowVisible.USER32(00000000), ref: 00FE1D3D
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00FE1D58
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00FE1D6C
GetWindowRect.USER32(00000000,?), ref: 00FE1D84
MonitorFromPoint.USER32(?,?,00000002), ref: 00FE1DAA
GetMonitorInfoW.USER32(00000000,?), ref: 00FE1DC4
CopyRect.USER32(?,?), ref: 00FE1DDB
SendMessageW.USER32(00000000,00000412,00000000), ref: 00FE1E46

Strings

tooltips_class32, xrefs: 00FE1C82
0, xrefs: 00FE1B6F
(, xrefs: 00FE1DB7

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 33230991ef3326c0429f15b26523add92966bac5c867d8942af51da08280a9b3
Instruction ID: 96f560987ee1271f5cbb4af62cf04200027f715a5f190eb175f5f6ca15b8c82d
Opcode Fuzzy Hash: 33230991ef3326c0429f15b26523add92966bac5c867d8942af51da08280a9b3
Instruction Fuzzy Hash: 73B17E71604381AFD714DF66C885BABBBE5FF84310F00891CF99A9B261C735E845DB92

Function 00FE0CDD Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00FE0D81
_wcslen.LIBCMT ref: 00FE0DBB
_wcslen.LIBCMT ref: 00FE0E25
_wcslen.LIBCMT ref: 00FE0E8D
_wcslen.LIBCMT ref: 00FE0F11
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00FE0F61
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FE0FA0

Part of subcall function 00F6FD52: _wcslen.LIBCMT ref: 00F6FD5D

Part of subcall function 00FB2B8C: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FB2BA5
Part of subcall function 00FB2B8C: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FB2BD7

Strings

GETTEXT, xrefs: 00FE0E88, 00FE0EA3
SELECTINVERT, xrefs: 00FE101A
FINDITEM, xrefs: 00FE10C3
GETSELECTED, xrefs: 00FE107D
GETSUBITEMCOUNT, xrefs: 00FE0E20, 00FE0E3B
GETSELECTEDCOUNT, xrefs: 00FE0F0C, 00FE0F27
DESELECT, xrefs: 00FE1038
ISSELECTED, xrefs: 00FE0F79
SELECTALL, xrefs: 00FE0FB1
SELECT, xrefs: 00FE0FE4
VIEWCHANGE, xrefs: 00FE1111
SELECTCLEAR, xrefs: 00FE0FC9
GETITEMCOUNT, xrefs: 00FE0DB2, 00FE0DD3

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: bbcf37e5bc43379d6eacce6dddcf9ad184375f5c76f8d5e0c94699846859cf9e
Instruction ID: 25ea7538ed045ca1cd7d5a795d9462cf33e654bc3ec3d77d9308aa55236bb9bc
Opcode Fuzzy Hash: bbcf37e5bc43379d6eacce6dddcf9ad184375f5c76f8d5e0c94699846859cf9e
Instruction Fuzzy Hash: 22E1E6316043818FC714DF26C95197AB3E6FF84314B14896DF8969B3A1DB38ED45EB81

Function 00F52521 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F525F8
GetSystemMetrics.USER32(00000007), ref: 00F52600
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F5262B
GetSystemMetrics.USER32(00000008), ref: 00F52633
GetSystemMetrics.USER32(00000004), ref: 00F52658
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00F52675
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00F52685
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00F526B8
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00F526CC
GetClientRect.USER32(00000000,000000FF), ref: 00F526EA
GetStockObject.GDI32(00000011), ref: 00F52706
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F52711

Part of subcall function 00F519CD: GetCursorPos.USER32(?), ref: 00F519E1
Part of subcall function 00F519CD: ScreenToClient.USER32(00000000,?), ref: 00F519FE
Part of subcall function 00F519CD: GetAsyncKeyState.USER32(00000001), ref: 00F51A23
Part of subcall function 00F519CD: GetAsyncKeyState.USER32(00000002), ref: 00F51A3D

SetTimer.USER32(00000000,00000000,00000028,00F5199C), ref: 00F52738

Strings

AutoIt v3 GUI, xrefs: 00F526B0

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 79cf5390441ae29001c2cda325118adc54c28a78a1e84140c08ca42ac85a5e60
Instruction ID: 3cbfbbcf0b610cb54788317cd309bd06cf5d1d344f671ce31ef8522a54b11735
Opcode Fuzzy Hash: 79cf5390441ae29001c2cda325118adc54c28a78a1e84140c08ca42ac85a5e60
Instruction Fuzzy Hash: DAB17A31A002099FDF24DFA8CC85BAE7BB5FB48325F104219FA55AB290DB74E941EF51

Function 00FB16D7 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB1A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FB1A60
Part of subcall function 00FB1A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,00FB14E7,?,?,?), ref: 00FB1A6C
Part of subcall function 00FB1A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00FB14E7,?,?,?), ref: 00FB1A7B
Part of subcall function 00FB1A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00FB14E7,?,?,?), ref: 00FB1A82
Part of subcall function 00FB1A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FB1A99

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FB1741
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FB1775
GetLengthSid.ADVAPI32(?), ref: 00FB178C
GetAce.ADVAPI32(?,00000000,?), ref: 00FB17C6
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FB17E2
GetLengthSid.ADVAPI32(?), ref: 00FB17F9
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00FB1801
HeapAlloc.KERNEL32(00000000), ref: 00FB1808
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FB1829
CopySid.ADVAPI32(00000000), ref: 00FB1830
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FB185F
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FB1881
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FB1893
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FB18BA
HeapFree.KERNEL32(00000000), ref: 00FB18C1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FB18CA
HeapFree.KERNEL32(00000000), ref: 00FB18D1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FB18DA
HeapFree.KERNEL32(00000000), ref: 00FB18E1
GetProcessHeap.KERNEL32(00000000,?), ref: 00FB18ED
HeapFree.KERNEL32(00000000), ref: 00FB18F4

Part of subcall function 00FB1ADF: GetProcessHeap.KERNEL32(00000008,00FB14FD,?,00000000,?,00FB14FD,?), ref: 00FB1AED
Part of subcall function 00FB1ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,00FB14FD,?), ref: 00FB1AF4
Part of subcall function 00FB1ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00FB14FD,?), ref: 00FB1B03

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 82f19f8aac16b16f191f8cae63468917e4d9cd1e667c7ac2ba09f8ca778116ec
Instruction ID: bb5cf94ccefa95de4234fcd5b1111fef2e81eaf0e0452ae8d4f6c58e7c5f32f4
Opcode Fuzzy Hash: 82f19f8aac16b16f191f8cae63468917e4d9cd1e667c7ac2ba09f8ca778116ec
Instruction Fuzzy Hash: 1F7148B2D01209AFDB10DFA6DC84FEEBBB8BF04310F544225E915AA191D735DA05DFA0

Function 00FDCE17 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FDCF1D
RegCreateKeyExW.ADVAPI32(?,?,00000000,00FEDCD0,00000000,?,00000000,?,?), ref: 00FDCFA4
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00FDD004
_wcslen.LIBCMT ref: 00FDD054
_wcslen.LIBCMT ref: 00FDD0CF
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00FDD112
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00FDD221
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00FDD2AD
RegCloseKey.ADVAPI32(?), ref: 00FDD2E1
RegCloseKey.ADVAPI32(00000000), ref: 00FDD2EE
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00FDD3C0

Strings

REG_QWORD, xrefs: 00FDD323
REG_EXPAND_SZ, xrefs: 00FDD02D
REG_SZ, xrefs: 00FDD0A4
REG_DWORD, xrefs: 00FDD264
REG_MULTI_SZ, xrefs: 00FDD155
REG_BINARY, xrefs: 00FDD373

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: eab911cb33044ca319dfbb7a559c6a2f84a057206f7122e02a901077fa3a585b
Instruction ID: 8f77f9b811b611f129358b2240c1324245470d2698385597976f7b571078242d
Opcode Fuzzy Hash: eab911cb33044ca319dfbb7a559c6a2f84a057206f7122e02a901077fa3a585b
Instruction Fuzzy Hash: DC126A356042019FD715DF14C881B2AB7E6FF88724F08885DF98A9B3A2CB35ED46DB91

Function 00FE13BA Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00FE1462
_wcslen.LIBCMT ref: 00FE149D
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FE14F0
_wcslen.LIBCMT ref: 00FE1526
_wcslen.LIBCMT ref: 00FE15A2
_wcslen.LIBCMT ref: 00FE161D

Part of subcall function 00F6FD52: _wcslen.LIBCMT ref: 00F6FD5D

Part of subcall function 00FB3535: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FB3547

Strings

SELECT, xrefs: 00FE17AD
GETTEXT, xrefs: 00FE1733
CHECK, xrefs: 00FE1521, 00FE153C
UNCHECK, xrefs: 00FE17DA
GETSELECTED, xrefs: 00FE16EA
EXPAND, xrefs: 00FE1694
COLLAPSE, xrefs: 00FE159D, 00FE15B8
GETTOTALCOUNT, xrefs: 00FE148E, 00FE14B3
ISCHECKED, xrefs: 00FE177D
GETITEMCOUNT, xrefs: 00FE16BA
EXISTS, xrefs: 00FE1618, 00FE1633

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: a0a230951ecdb68503771ed50e8ba672c67e17c720a674b72b5a4a83c77527e4
Instruction ID: eebda14ef85bec7c2dc166e2fd31456eb5c454fc4844d8445149978fcd7944e1
Opcode Fuzzy Hash: a0a230951ecdb68503771ed50e8ba672c67e17c720a674b72b5a4a83c77527e4
Instruction Fuzzy Hash: 7BE1D2326043818FC714EF26C85096AB7E2FF94354F14895DF8969B361DB34EE49EB81

Function 00FDD3F8 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FDC10E,?,?), ref: 00FDD415
_wcslen.LIBCMT ref: 00FDD451
_wcslen.LIBCMT ref: 00FDD4C8
_wcslen.LIBCMT ref: 00FDD4FE
_wcslen.LIBCMT ref: 00FDD559
_wcslen.LIBCMT ref: 00FDD58F
_wcslen.LIBCMT ref: 00FDD5DF

Strings

HKCU, xrefs: 00FDD62E
HKEY_CURRENT_USER, xrefs: 00FDD61D
HKCR, xrefs: 00FDD589, 00FDD58E
HKCC, xrefs: 00FDD60C
HKEY_USERS, xrefs: 00FDD63F
HKU, xrefs: 00FDD650
HKEY_LOCAL_MACHINE, xrefs: 00FDD4C2, 00FDD4C7
HKLM, xrefs: 00FDD4F8, 00FDD4FD
HKEY_CURRENT_CONFIG, xrefs: 00FDD5D9, 00FDD5DE
HKEY_CLASSES_ROOT, xrefs: 00FDD553, 00FDD558

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: ceab400908808d9be0ea9a117c37dc4c746c10e376cf1922e054b14d0dc1027d
Instruction ID: ccd2a284097803331c3ff28fe88651107b9f3cdac0376db2ebd459be93f9506e
Opcode Fuzzy Hash: ceab400908808d9be0ea9a117c37dc4c746c10e376cf1922e054b14d0dc1027d
Instruction Fuzzy Hash: 6371D533A0011A8BCB10DF7CDD506BB33A3AF61768B1D4127EC569B394EA39DE54A790

Function 00FE8D97 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FE8DB5
_wcslen.LIBCMT ref: 00FE8DC9
_wcslen.LIBCMT ref: 00FE8DEC
_wcslen.LIBCMT ref: 00FE8E0F
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00FE8E4D
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00FE6691), ref: 00FE8EA9
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FE8EE2
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00FE8F25
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FE8F5C
FreeLibrary.KERNEL32(?), ref: 00FE8F68
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00FE8F78
DestroyIcon.USER32(?,?,?,?,?,00FE6691), ref: 00FE8F87
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00FE8FA4
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00FE8FB0

Strings

.dll, xrefs: 00FE8E06
.icl, xrefs: 00FE8DC3
.exe, xrefs: 00FE8DE3

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 908d8cb84ab64d81da7ffca376ff1a69321befe3f0805a1f9323596b13cb7645
Instruction ID: 1b48cc23868cc59033476b1b0729d4eb3d17f10072a47c564b676a3f38dd18ed
Opcode Fuzzy Hash: 908d8cb84ab64d81da7ffca376ff1a69321befe3f0805a1f9323596b13cb7645
Instruction Fuzzy Hash: 97610471900258BFEB14EF65CC41BBE77A8FF08B60F108106F919DA0D1DB75A951EBA0

Function 00FC48BE Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00FC493D
_wcslen.LIBCMT ref: 00FC4948
_wcslen.LIBCMT ref: 00FC499F
_wcslen.LIBCMT ref: 00FC49DD
GetDriveTypeW.KERNEL32(?), ref: 00FC4A1B
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FC4A63
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FC4A9E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FC4ACC

Strings

open, xrefs: 00FC4999, 00FC499E
close cd wait, xrefs: 00FC4AB7
open , xrefs: 00FC4A2A
type cdaudio alias cd wait, xrefs: 00FC4A46
set cd door , xrefs: 00FC4A6D
closed, xrefs: 00FC494D, 00FC4972, 00FC498B, 00FC49C3, 00FC49DC
wait, xrefs: 00FC4A89
close, xrefs: 00FC4943, 00FC495D

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 6b615c80562f7864a54261530ac7d68d8632526fb6b5c624060b9b5437188aaf
Instruction ID: 8f13089a723cfde6ee0a5923b36d75001046ae0ea29fe1db73096ab148dbf616
Opcode Fuzzy Hash: 6b615c80562f7864a54261530ac7d68d8632526fb6b5c624060b9b5437188aaf
Instruction Fuzzy Hash: 8471E232A042169FC310EF24CD51A6BB7E4FF94768F00492DF89697261EB39ED49DB81

Function 00FB6382 Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00FB6395
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00FB63A7
SetWindowTextW.USER32(?,?), ref: 00FB63BE
GetDlgItem.USER32(?,000003EA), ref: 00FB63D3
SetWindowTextW.USER32(00000000,?), ref: 00FB63D9
GetDlgItem.USER32(?,000003E9), ref: 00FB63E9
SetWindowTextW.USER32(00000000,?), ref: 00FB63EF
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00FB6410
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00FB642A
GetWindowRect.USER32(?,?), ref: 00FB6433
_wcslen.LIBCMT ref: 00FB649A
SetWindowTextW.USER32(?,?), ref: 00FB64D6
GetDesktopWindow.USER32 ref: 00FB64DC
GetWindowRect.USER32(00000000), ref: 00FB64E3
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00FB653A
GetClientRect.USER32(?,?), ref: 00FB6547
PostMessageW.USER32(?,00000005,00000000,?), ref: 00FB656C
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00FB6596

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: d81d5a2d79cd65db93f7535d2ee05ae7e308cd08335a98692c3c6b0ea9d6cc19
Instruction ID: 6e17c19025d89652a4f0fdd8504c580cf0a6073c8746e04efe5eb66e8b815a68
Opcode Fuzzy Hash: d81d5a2d79cd65db93f7535d2ee05ae7e308cd08335a98692c3c6b0ea9d6cc19
Instruction Fuzzy Hash: E6719D31900609EFDB20DFA9CE85AAEBBF5FF48714F100518E186E66A0C779E940EF10

Function 00FD086B Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00FD0884
LoadCursorW.USER32(00000000,00007F8A), ref: 00FD088F
LoadCursorW.USER32(00000000,00007F00), ref: 00FD089A
LoadCursorW.USER32(00000000,00007F03), ref: 00FD08A5
LoadCursorW.USER32(00000000,00007F8B), ref: 00FD08B0
LoadCursorW.USER32(00000000,00007F01), ref: 00FD08BB
LoadCursorW.USER32(00000000,00007F81), ref: 00FD08C6
LoadCursorW.USER32(00000000,00007F88), ref: 00FD08D1
LoadCursorW.USER32(00000000,00007F80), ref: 00FD08DC
LoadCursorW.USER32(00000000,00007F86), ref: 00FD08E7
LoadCursorW.USER32(00000000,00007F83), ref: 00FD08F2
LoadCursorW.USER32(00000000,00007F85), ref: 00FD08FD
LoadCursorW.USER32(00000000,00007F82), ref: 00FD0908
LoadCursorW.USER32(00000000,00007F84), ref: 00FD0913
LoadCursorW.USER32(00000000,00007F04), ref: 00FD091E
LoadCursorW.USER32(00000000,00007F02), ref: 00FD0929
GetCursorInfo.USER32(?), ref: 00FD0939
GetLastError.KERNEL32 ref: 00FD097B

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: fde9a91e28b460537820a271ae8e535a42c26307feae38893983e209a127b48d
Instruction ID: 284800eea5f6818e0a5873e4774f92af7d47fe2b34585095831fa05f95dafe67
Opcode Fuzzy Hash: fde9a91e28b460537820a271ae8e535a42c26307feae38893983e209a127b48d
Instruction Fuzzy Hash: B84185B0D083196ADB10DFBA8C8595EBFE9FF04360B54452AE11CEB381DA78D901CF91

Function 00F70436 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00F70436

Part of subcall function 00F7045D: InitializeCriticalSectionAndSpinCount.KERNEL32(0102170C,00000FA0,CAE51BB8,?,?,?,?,00F92733,000000FF), ref: 00F7048C
Part of subcall function 00F7045D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00F92733,000000FF), ref: 00F70497
Part of subcall function 00F7045D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00F92733,000000FF), ref: 00F704A8
Part of subcall function 00F7045D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00F704BE
Part of subcall function 00F7045D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00F704CC
Part of subcall function 00F7045D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00F704DA
Part of subcall function 00F7045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F70505
Part of subcall function 00F7045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F70510

___scrt_fastfail.LIBCMT ref: 00F70457

Part of subcall function 00F70413: __onexit.LIBCMT ref: 00F70419

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00F70492
WakeAllConditionVariable, xrefs: 00F704D2
InitializeConditionVariable, xrefs: 00F704B8
kernel32.dll, xrefs: 00F704A3
SleepConditionVariableCS, xrefs: 00F704C4

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 935934ec5b9a4c3166a40426b2f3dda19a3d4b2560fa41b2cc4b7cfddef07c61
Instruction ID: 0c3e92e6f7bd65208d7bf02f96b62a4fe2a9ab048a5b0893157e9d683257ee71
Opcode Fuzzy Hash: 935934ec5b9a4c3166a40426b2f3dda19a3d4b2560fa41b2cc4b7cfddef07c61
Instruction Fuzzy Hash: 49210E32A40759EBD7205FA4AC45B6D37A4EF44B75F04812BF9099B690DFB8DC00BA53

Function 00FB3A43 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FB3AD9
_wcslen.LIBCMT ref: 00FB3B44

Strings

NAME, xrefs: 00FB3C81, 00FB3C92
TEXT, xrefs: 00FB3DC8
CLASS, xrefs: 00FB3AD4, 00FB3AF1
REGEXPCLASS, xrefs: 00FB3BA1, 00FB3BB2
INSTANCE, xrefs: 00FB3D9F
CLASSNN, xrefs: 00FB3B3F, 00FB3B50

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: f2c9e406e8f51c83ba82e5bd9772edc0d791a13d0e915a2ebcd4de20f93e02e5
Instruction ID: 0e7c6046ed19b210bca79e3943ed4e0f74a78104623e067273b6a6a08da789b4
Opcode Fuzzy Hash: f2c9e406e8f51c83ba82e5bd9772edc0d791a13d0e915a2ebcd4de20f93e02e5
Instruction Fuzzy Hash: 78E1F832E40516ABCB189FB6C8517EDFBB4BF54720F10811AE456F7250DB34AE89AF90

Function 00FC4F05 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00FEDCD0), ref: 00FC4F6C
_wcslen.LIBCMT ref: 00FC4F80
_wcslen.LIBCMT ref: 00FC4FDE
_wcslen.LIBCMT ref: 00FC5039
_wcslen.LIBCMT ref: 00FC5084
_wcslen.LIBCMT ref: 00FC50EC

Part of subcall function 00F6FD52: _wcslen.LIBCMT ref: 00F6FD5D

GetDriveTypeW.KERNEL32(?,01017C10,00000061), ref: 00FC5188

Strings

unknown, xrefs: 00FC514D
fixed, xrefs: 00FC507A, 00FC507F
network, xrefs: 00FC50E2, 00FC50E7
cdrom, xrefs: 00FC4FD4, 00FC4FD9
all, xrefs: 00FC4F76, 00FC4F7B
removable, xrefs: 00FC502F, 00FC5034
ramdisk, xrefs: 00FC5136

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 3d5bd471cb838e4b6e5b0322aa77fa37abc5fff7f31086b3a00edcea60bfc342
Instruction ID: c840b08e1c3c0d5cf5cb72f5b38abffb73550d3f33f301623a158f5d435222a3
Opcode Fuzzy Hash: 3d5bd471cb838e4b6e5b0322aa77fa37abc5fff7f31086b3a00edcea60bfc342
Instruction Fuzzy Hash: 06B10531A087039FC710DF28C992F6AB7E5BF94B20F54491DF596C7291D734E884EA92

Function 00FDBA59 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FDBBF8
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FDBC10
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FDBC34
_wcslen.LIBCMT ref: 00FDBC60
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FDBC74
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FDBC96
_wcslen.LIBCMT ref: 00FDBD92

Part of subcall function 00FC0F4E: GetStdHandle.KERNEL32(000000F6), ref: 00FC0F6D

_wcslen.LIBCMT ref: 00FDBDAB
_wcslen.LIBCMT ref: 00FDBDC6
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FDBE16
GetLastError.KERNEL32(00000000), ref: 00FDBE67
CloseHandle.KERNEL32(?), ref: 00FDBE99
CloseHandle.KERNEL32(00000000), ref: 00FDBEAA
CloseHandle.KERNEL32(00000000), ref: 00FDBEBC
CloseHandle.KERNEL32(00000000), ref: 00FDBECE
CloseHandle.KERNEL32(?), ref: 00FDBF43

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: dfc90271781b69586346db9ccf79e14e1dd7a0b4c4e8e9526644a8591ea640ef
Instruction ID: 4090e845a7d50b9ca3f960ea03f57bedb6ee9c0b485d37a6b79d9a38463b8de0
Opcode Fuzzy Hash: dfc90271781b69586346db9ccf79e14e1dd7a0b4c4e8e9526644a8591ea640ef
Instruction Fuzzy Hash: 9FF17E31A04340DFC715EF24C891B6ABBE2AF84324F19855EF9854B3A2CB75EC45EB52

Function 00FD4A46 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00FEDCD0), ref: 00FD4B18
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00FD4B2A
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00FEDCD0), ref: 00FD4B4F
FreeLibrary.KERNEL32(00000000,?,00FEDCD0), ref: 00FD4B9B
StringFromGUID2.OLE32(?,?,00000028,?,00FEDCD0), ref: 00FD4C05
SysFreeString.OLEAUT32(00000009), ref: 00FD4CBF
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00FD4D25
SysFreeString.OLEAUT32(?), ref: 00FD4D4F

Strings

kernel32.dll, xrefs: 00FD4B13
GetModuleHandleExW, xrefs: 00FD4B24

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 97d3c9b22e7fb6f3ae953b6ec6e4c428c6676e4592b9e55a8558cbba07a88dfd
Instruction ID: 9dcb5bb3df8635bd54f064d6dc8881429fe4befb868715ef2d0c916541c1decc
Opcode Fuzzy Hash: 97d3c9b22e7fb6f3ae953b6ec6e4c428c6676e4592b9e55a8558cbba07a88dfd
Instruction Fuzzy Hash: 7E122A71A00109AFDB14DF54C888EAEBBB6FF85314F188099E9199F261D731FD46DBA0

Function 00F5381F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(010229C0), ref: 00F93F72
GetMenuItemCount.USER32(010229C0), ref: 00F94022
GetCursorPos.USER32(?), ref: 00F94066
SetForegroundWindow.USER32(00000000), ref: 00F9406F
TrackPopupMenuEx.USER32(010229C0,00000000,?,00000000,00000000,00000000), ref: 00F94082
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00F9408E

Strings

0, xrefs: 00F5382D

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 504b42264b58477b7bcc1b7c5783be6a42a215808380ec2c20d1178f2fc1c87b
Instruction ID: b29bf21a7b75b6d5475c0344f3e160ccc8310b2644c4f0c70ff0493e6213e835
Opcode Fuzzy Hash: 504b42264b58477b7bcc1b7c5783be6a42a215808380ec2c20d1178f2fc1c87b
Instruction Fuzzy Hash: 95710531A44215BEFB259F69DC89FAABF65FF04368F140206F6146A1E0C7B1A914EB90

Function 00FE7711 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00FE7823

Part of subcall function 00F58577: _wcslen.LIBCMT ref: 00F5858A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00FE7897
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00FE78B9
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FE78CC
DestroyWindow.USER32(?), ref: 00FE78ED
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00F50000,00000000), ref: 00FE791C
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FE7935
GetDesktopWindow.USER32 ref: 00FE794E
GetWindowRect.USER32(00000000), ref: 00FE7955
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00FE796D
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00FE7985

Part of subcall function 00F52234: GetWindowLongW.USER32(?,000000EB), ref: 00F52242

Strings

tooltips_class32, xrefs: 00FE7890, 00FE7915
0, xrefs: 00FE77D0

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 4016fcec7c94191848506002fb0f0e8bfaaab9918099a7c807ae7156d4d21aeb
Instruction ID: e04fba2b878e18b1f9f45f8bbe76f645e66624132d6b9fd7ff0dd89ab19bee47
Opcode Fuzzy Hash: 4016fcec7c94191848506002fb0f0e8bfaaab9918099a7c807ae7156d4d21aeb
Instruction Fuzzy Hash: 2A719970508384AFE721EF59CC48F6ABBE9FF89310F14445EF9858B261C775A906EB11

Function 00FE9B7A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F5249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00F524B0

DragQueryPoint.SHELL32(?,?), ref: 00FE9BA3

Part of subcall function 00FE80AE: ClientToScreen.USER32(?,?), ref: 00FE80D4
Part of subcall function 00FE80AE: GetWindowRect.USER32(?,?), ref: 00FE814A
Part of subcall function 00FE80AE: PtInRect.USER32(?,?,?), ref: 00FE815A

SendMessageW.USER32(?,000000B0,?,?), ref: 00FE9C0C
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00FE9C17
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00FE9C3A
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00FE9C81
SendMessageW.USER32(?,000000B0,?,?), ref: 00FE9C9A
SendMessageW.USER32(?,000000B1,?,?), ref: 00FE9CB1
SendMessageW.USER32(?,000000B1,?,?), ref: 00FE9CD3
DragFinish.SHELL32(?), ref: 00FE9CDA
DefDlgProcW.USER32(?,00000233,?,00000000), ref: 00FE9DCD

Strings

@GUI_DRAGFILE, xrefs: 00FE9D7C
@GUI_DRAGID, xrefs: 00FE9D45
@GUI_DROPID, xrefs: 00FE9CFA

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: d124d5ed17ab38f833b6fed96442c59fa348ff391af8dee5f58d37e2f502958a
Instruction ID: 6f0ed96acbbaff9fffa69bf54c9be39ee20499b73409a4cf0e02b09b1108fb32
Opcode Fuzzy Hash: d124d5ed17ab38f833b6fed96442c59fa348ff391af8dee5f58d37e2f502958a
Instruction Fuzzy Hash: 29619971108345AFC301EF60CC85EAFBBE8FF88750F40091EFA91961A1DB749A09DB62

Function 00FCCEBB Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00FCCEF5
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00FCCF08
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00FCCF1C
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00FCCF35
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00FCCF78
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00FCCF8E
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FCCF99
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00FCCFC9
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00FCD021
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00FCD035
InternetCloseHandle.WININET(00000000), ref: 00FCD040

Strings

, xrefs: 00FCCFBA

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 740c1144de30be108bc952ca0eb0bf63ae63962ebf99f19350529c5a3deb5be3
Instruction ID: 587bb466422e308a21254e55d47c15bf1362f14b3cd28dc42084ad3a1d85d2ba
Opcode Fuzzy Hash: 740c1144de30be108bc952ca0eb0bf63ae63962ebf99f19350529c5a3deb5be3
Instruction Fuzzy Hash: 91515BB190060ABFDB219F64CE89FAA7BBCFB08754F00442EF9499A550D734D945FBA0

Function 00FE8FCB Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00FE66D6,?,?), ref: 00FE8FEE
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00FE66D6,?,?,00000000,?), ref: 00FE8FFE
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00FE66D6,?,?,00000000,?), ref: 00FE9009
CloseHandle.KERNEL32(00000000,?,?,?,?,00FE66D6,?,?,00000000,?), ref: 00FE9016
GlobalLock.KERNEL32(00000000), ref: 00FE9024
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00FE66D6,?,?,00000000,?), ref: 00FE9033
GlobalUnlock.KERNEL32(00000000), ref: 00FE903C
CloseHandle.KERNEL32(00000000,?,?,?,?,00FE66D6,?,?,00000000,?), ref: 00FE9043
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00FE66D6,?,?,00000000,?), ref: 00FE9054
OleLoadPicture.OLEAUT32(?,00000000,00000000,00FF0C04,?), ref: 00FE906D
GlobalFree.KERNEL32(00000000), ref: 00FE907D
GetObjectW.GDI32(00000000,00000018,?), ref: 00FE909D
CopyImage.USER32(00000000,00000000,00000000,?,00002000), ref: 00FE90CD
DeleteObject.GDI32(00000000), ref: 00FE90F5
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00FE910B

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: d70a54cad92e8afee276791fc132f1c530d3bf3aad4573a2a6e271ba672620a7
Instruction ID: a68e1f8006239f2828e2eb6c069dd86e16b617909d529d4fd2629d6d440823ba
Opcode Fuzzy Hash: d70a54cad92e8afee276791fc132f1c530d3bf3aad4573a2a6e271ba672620a7
Instruction Fuzzy Hash: D3413975600248FFDB11DF66DC88EAA7BB8FF89721F104059FA05DB260D7719941EB20

Function 00FDC06E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00F5B329: _wcslen.LIBCMT ref: 00F5B333

Part of subcall function 00FDD3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FDC10E,?,?), ref: 00FDD415
Part of subcall function 00FDD3F8: _wcslen.LIBCMT ref: 00FDD451
Part of subcall function 00FDD3F8: _wcslen.LIBCMT ref: 00FDD4C8
Part of subcall function 00FDD3F8: _wcslen.LIBCMT ref: 00FDD4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FDC154
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FDC1D2
RegDeleteValueW.ADVAPI32(?,?), ref: 00FDC26A
RegCloseKey.ADVAPI32(?), ref: 00FDC2DE
RegCloseKey.ADVAPI32(?), ref: 00FDC2FC
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00FDC352
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00FDC364
RegDeleteKeyW.ADVAPI32(?,?), ref: 00FDC382
FreeLibrary.KERNEL32(00000000), ref: 00FDC3E3
RegCloseKey.ADVAPI32(00000000), ref: 00FDC3F4

Strings

RegDeleteKeyExW, xrefs: 00FDC35E
advapi32.dll, xrefs: 00FDC34D

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 58acce133ab23aeabf624c4f5e5f63d0d7b9675416fdf017737932efef1c22d8
Instruction ID: 838de56092d5bfffb292fd787dee9be409dae7cd39dcbb84c12578516e1c91d7
Opcode Fuzzy Hash: 58acce133ab23aeabf624c4f5e5f63d0d7b9675416fdf017737932efef1c22d8
Instruction Fuzzy Hash: 9DC1A031604242AFD710DF14C884F2ABBE6BF84318F18859DE9568B7A2CB35ED46DBD1

Function 00FD2FB9 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00FD3035
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00FD3045
CreateCompatibleDC.GDI32(?), ref: 00FD3051
SelectObject.GDI32(00000000,?), ref: 00FD305E
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00FD30CA
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00FD3109
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00FD312D
SelectObject.GDI32(?,?), ref: 00FD3135
DeleteObject.GDI32(?), ref: 00FD313E
DeleteDC.GDI32(?), ref: 00FD3145
ReleaseDC.USER32(00000000,?), ref: 00FD3150

Strings

(, xrefs: 00FD30EA

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: a47de253b24619589edb989320eaa88517ed85d84160cbe34e3fa773b4a64ea6
Instruction ID: b95e71a36f313485179bd4e154e8ed9e7ec6bb8cc9947b631ce4a44897bcaac4
Opcode Fuzzy Hash: a47de253b24619589edb989320eaa88517ed85d84160cbe34e3fa773b4a64ea6
Instruction Fuzzy Hash: 7661E275D00219EFCB04CFA4DC84EAEBBB6FF48310F24852AE655AB250D775A941DF90

Function 00FEA94F Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 271windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F5249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00F524B0

GetSystemMetrics.USER32(0000000F), ref: 00FEA990
GetSystemMetrics.USER32(00000011), ref: 00FEA9A7
GetSystemMetrics.USER32(00000004), ref: 00FEA9B3
GetSystemMetrics.USER32(0000000F), ref: 00FEA9C9
MoveWindow.USER32(00000003,?,?,00000001,?,00000000,?,00000000,?,00000000), ref: 00FEAC15
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00FEAC33
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00FEAC54
ShowWindow.USER32(00000003,00000000), ref: 00FEAC73
InvalidateRect.USER32(?,00000000,00000001), ref: 00FEAC95
DefDlgProcW.USER32(?,00000005,?), ref: 00FEACBB

Strings

@, xrefs: 00FEABD0

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: MetricsSystem$Window$MessageSend$InvalidateLongMoveProcRectShow
String ID: @
API String ID: 3962739598-2766056989
Opcode ID: c36de545752fff032717290d738bbf9859ffd98e85863db2509d59050fab8698
Instruction ID: 033ef05d667489bfc50e485ddebe37597ca716fe2749159d78c2f717de724580
Opcode Fuzzy Hash: c36de545752fff032717290d738bbf9859ffd98e85863db2509d59050fab8698
Instruction Fuzzy Hash: 41B18A31A00299DFCF14CF6AC9C47AE7BB2BF84710F188069ED459F295D774A980EB52

Function 00FB52AA Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 259COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00FB52E6
GetWindowTextW.USER32(?,?,00000400), ref: 00FB5328
_wcslen.LIBCMT ref: 00FB5339
CharUpperBuffW.USER32(?,00000000), ref: 00FB5345
_wcsstr.LIBVCRUNTIME ref: 00FB537A
GetClassNameW.USER32(00000018,?,00000400), ref: 00FB53B2
GetWindowTextW.USER32(?,?,00000400), ref: 00FB53EB
GetClassNameW.USER32(00000018,?,00000400), ref: 00FB5445
GetClassNameW.USER32(?,?,00000400), ref: 00FB5477
GetWindowRect.USER32(?,?), ref: 00FB54EF

Strings

ThumbnailClass, xrefs: 00FB53BD, 00FB5450

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: a937be7f83cd56ecf3b62ea1d3ab76d33f55a7e3aa6e5422e929e2ff37cf6595
Instruction ID: e8ad66b63ef44cca8c24b96aa6cfb6b6d6684200455178d42863c80230494b27
Opcode Fuzzy Hash: a937be7f83cd56ecf3b62ea1d3ab76d33f55a7e3aa6e5422e929e2ff37cf6595
Instruction Fuzzy Hash: F9910371504B06AFD718DF25C890BEAB7E9FF00714F084519FA8A82190EB39ED55EF91

Function 00FE976A Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F5249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00F524B0

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00FE97B6
GetFocus.USER32 ref: 00FE97C6
GetDlgCtrlID.USER32(00000000), ref: 00FE97D1
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?), ref: 00FE9879
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00FE992B
GetMenuItemCount.USER32(?), ref: 00FE9948
GetMenuItemID.USER32(?,00000000), ref: 00FE9958
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00FE998A
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00FE99CC
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00FE99FD

Strings

0, xrefs: 00FE98FB

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 050649a6e1a2e6a9c1c165038c0fe5a5df7cd908f5a8b78c310040083c9af3f5
Instruction ID: dcb6bcf8126daadfdded276900f2789ebd5d53cb68e96dd3700b33913fafe7de
Opcode Fuzzy Hash: 050649a6e1a2e6a9c1c165038c0fe5a5df7cd908f5a8b78c310040083c9af3f5
Instruction Fuzzy Hash: DF81CF719083819FD710CF26CC84A6B7BE8BF89364F04091DF98597291D7B4D905EBA2

Function 00FBC8F7 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(010229C0,000000FF,00000000,00000030), ref: 00FBC973
SetMenuItemInfoW.USER32(010229C0,00000004,00000000,00000030), ref: 00FBC9A8
Sleep.KERNEL32(000001F4), ref: 00FBC9BA
GetMenuItemCount.USER32(?), ref: 00FBCA00
GetMenuItemID.USER32(?,00000000), ref: 00FBCA1D
GetMenuItemID.USER32(?,-00000001), ref: 00FBCA49
GetMenuItemID.USER32(?,?), ref: 00FBCA90
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00FBCAD6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FBCAEB
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FBCB0C

Strings

0, xrefs: 00FBC904

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 62f124d1f7a88502310a1660ea4869a26aeebf22a30d5378cec65ca9e78b869d
Instruction ID: 14d5393ff97f9a6d17030ae82a502f4df5ec4bcbda21e151f2c7735702baa78b
Opcode Fuzzy Hash: 62f124d1f7a88502310a1660ea4869a26aeebf22a30d5378cec65ca9e78b869d
Instruction Fuzzy Hash: FC61BE71A0024AAFDF21CFA5CC98AEF7BB8FB45358F144015E951A7281C739AD00EFA0

Function 00FBE4C2 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00FBE4D4
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00FBE4FA
_wcslen.LIBCMT ref: 00FBE504
_wcsstr.LIBVCRUNTIME ref: 00FBE554
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00FBE570

Strings

04090000, xrefs: 00FBE5A6
StringFileInfo\, xrefs: 00FBE543
%u.%u.%u.%u, xrefs: 00FBE64E
DefaultLangCodepage, xrefs: 00FBE5D3
\VarFileInfo\Translation, xrefs: 00FBE568

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: d16d659f28a2d30a619f6a2df8ee6850818b1a57d0aeb7ee414615b45eea7f0e
Instruction ID: 4799c2101f8f2020a3500a5af39800384202745502b7526ba9cbe21c18fa4018
Opcode Fuzzy Hash: d16d659f28a2d30a619f6a2df8ee6850818b1a57d0aeb7ee414615b45eea7f0e
Instruction Fuzzy Hash: 3F412772A402187BDB10AB658C47EFF376CDF55720F14406AF904E6082FFB9DA01B6A6

Function 00FDD694 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00FDD6C4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00FDD6ED
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00FDD7A8

Part of subcall function 00FDD694: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00FDD70A
Part of subcall function 00FDD694: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00FDD71D
Part of subcall function 00FDD694: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00FDD72F
Part of subcall function 00FDD694: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00FDD765
Part of subcall function 00FDD694: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00FDD788

RegDeleteKeyW.ADVAPI32(?,?), ref: 00FDD753

Strings

RegDeleteKeyExW, xrefs: 00FDD729
advapi32.dll, xrefs: 00FDD718

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: f7f4dd8b30afb91f913098c6f824a2804690090fc72ad6f410200212e8e88a21
Instruction ID: 9894cfebe52926170d74551163403962e507156b9df0c3bab69632bb3fda20fe
Opcode Fuzzy Hash: f7f4dd8b30afb91f913098c6f824a2804690090fc72ad6f410200212e8e88a21
Instruction Fuzzy Hash: C5318072D0112DBBDB219B90DCC8EFFBB7DEF45714F0400A6A905E6214D7349E45AAA0

Function 00FBEFC7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00FBEFCB

Part of subcall function 00F6F215: timeGetTime.WINMM(?,?,00FBEFEB), ref: 00F6F219

Sleep.KERNEL32(0000000A), ref: 00FBEFF8
EnumThreadWindows.USER32(?,Function_0006EF7C,00000000), ref: 00FBF01C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00FBF03E
SetActiveWindow.USER32 ref: 00FBF05D
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00FBF06B
SendMessageW.USER32(00000010,00000000,00000000), ref: 00FBF08A
Sleep.KERNEL32(000000FA), ref: 00FBF095
IsWindow.USER32 ref: 00FBF0A1
EndDialog.USER32(00000000), ref: 00FBF0B2

Strings

BUTTON, xrefs: 00FBF030

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: df6412a570b63c086348cb66341280e8e6cc16e1bcacf04be9ae26337bb2cb51
Instruction ID: 5d8c3c30b53ede0574db4e00273fbfe58b30dcb136b56d6361235a7fe572ee88
Opcode Fuzzy Hash: df6412a570b63c086348cb66341280e8e6cc16e1bcacf04be9ae26337bb2cb51
Instruction Fuzzy Hash: F721CF75500248AFE3307F61ECC9AA67BADFB4D794B144025F6428A266CB7A8C44BF11

Function 00FBF313 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00F5B329: _wcslen.LIBCMT ref: 00F5B333

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00FBF374
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00FBF38A
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FBF39B
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00FBF3AD
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00FBF3BE

Strings

open , xrefs: 00FBF323
status PlayMe mode, xrefs: 00FBF36F
play PlayMe, xrefs: 00FBF3B9
close PlayMe, xrefs: 00FBF385, 00FBF3B2
alias PlayMe, xrefs: 00FBF34D
play PlayMe wait, xrefs: 00FBF3A8

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: bcc8146269cce8d8d393615940023fa3eb1bfe7b71ec40e1ee6526b27b541a41
Instruction ID: 2076c769122a578ade44263b3baee3cc56e961e70276a381f7e1ef8c8d5593e0
Opcode Fuzzy Hash: bcc8146269cce8d8d393615940023fa3eb1bfe7b71ec40e1ee6526b27b541a41
Instruction Fuzzy Hash: 16110231A9025939D720B367CC4AEFF7ABCEBC2B00F40042DB901EA0D5EAA41D0DD9B0

Function 00FBA958 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00FBA9D9
SetKeyboardState.USER32(?), ref: 00FBAA44
GetAsyncKeyState.USER32(000000A0), ref: 00FBAA64
GetKeyState.USER32(000000A0), ref: 00FBAA7B
GetAsyncKeyState.USER32(000000A1), ref: 00FBAAAA
GetKeyState.USER32(000000A1), ref: 00FBAABB
GetAsyncKeyState.USER32(00000011), ref: 00FBAAE7
GetKeyState.USER32(00000011), ref: 00FBAAF5
GetAsyncKeyState.USER32(00000012), ref: 00FBAB1E
GetKeyState.USER32(00000012), ref: 00FBAB2C
GetAsyncKeyState.USER32(0000005B), ref: 00FBAB55
GetKeyState.USER32(0000005B), ref: 00FBAB63

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: cedf85cac4e06a8fc2193ece75d1000c84977ce64e8979e8ea6268d3d37a5da1
Instruction ID: 35b87930b7746c4a2951f6b3dfcfa45c82b58f6913b6f55ea72267c561a8667e
Opcode Fuzzy Hash: cedf85cac4e06a8fc2193ece75d1000c84977ce64e8979e8ea6268d3d37a5da1
Instruction Fuzzy Hash: 6C51E870E0478829FB35D7628850BEABFB59F01390F088599C5C25B5C2EA649B4CEF63

Function 00FB662D Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00FB6649
GetWindowRect.USER32(00000000,?), ref: 00FB6662
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00FB66C0
GetDlgItem.USER32(?,00000002), ref: 00FB66D0
GetWindowRect.USER32(00000000,?), ref: 00FB66E2
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00FB6736
GetDlgItem.USER32(?,000003E9), ref: 00FB6744
GetWindowRect.USER32(00000000,?), ref: 00FB6756
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00FB6798
GetDlgItem.USER32(?,000003EA), ref: 00FB67AB
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00FB67C1
InvalidateRect.USER32(?,00000000,00000001), ref: 00FB67CE

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: ca081d12ae8fa199e3e6590edaa2b6f70823ba1fbf30929dd6dd9c14ba316d15
Instruction ID: 5b6ff4f5cd9d73b2cea1a72b1838ba5ca583bd26f254b77811d2e7437538eb02
Opcode Fuzzy Hash: ca081d12ae8fa199e3e6590edaa2b6f70823ba1fbf30929dd6dd9c14ba316d15
Instruction Fuzzy Hash: D6512FB1E00209AFDF18CF69DD89AAEBBB5FB48314F108129F919E7690DB749D049B50

Function 00F5146D Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F51802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F51488,?,00000000,?,?,?,?,00F5145A,00000000,?), ref: 00F51865

DestroyWindow.USER32(?), ref: 00F51521
KillTimer.USER32(00000000,?,?,?,?,00F5145A,00000000,?), ref: 00F515BB
DestroyAcceleratorTable.USER32(00000000), ref: 00F929B4
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00F5145A,00000000,?), ref: 00F929E2
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00F5145A,00000000,?), ref: 00F929F9
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00F5145A,00000000), ref: 00F92A15
DeleteObject.GDI32(00000000), ref: 00F92A27

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 09c435d4b29d41bf88fe5c289fe8a967379e1a87c70ddd5cfdccd5eae8fd1805
Instruction ID: 80a5b411d1cac55ae42cc1e28a6a8ae548f74c8b8979fe1ea8ebe6681385a4fe
Opcode Fuzzy Hash: 09c435d4b29d41bf88fe5c289fe8a967379e1a87c70ddd5cfdccd5eae8fd1805
Instruction Fuzzy Hash: 57618D32A01705EFDB35DF54D948B2977B1FB81323F244518E9824AA64C77AB899FF80

Function 00F52128 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00F52234: GetWindowLongW.USER32(?,000000EB), ref: 00F52242

GetSysColor.USER32(0000000F), ref: 00F52152

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 22b100c675a7cf01a0b5232f220c44c2b70c4175286b710ea447c07f0cbbea35
Instruction ID: 6f0a50e7e35bdab173d5aba0cc9644b49fe3e7fd6cf144421d0a5f8f09f65968
Opcode Fuzzy Hash: 22b100c675a7cf01a0b5232f220c44c2b70c4175286b710ea447c07f0cbbea35
Instruction Fuzzy Hash: CA418231500A44AFEB245F289C84BBA3765AB46332F154355FFA28B2E1C7359D46FB50

Function 00FBA05C Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000000,?,00FA0D31,00000001,0000138C,00000001,00000000,00000001,?,00FCEEAE,01022430), ref: 00FBA091
LoadStringW.USER32(00000000,?,00FA0D31,00000001), ref: 00FBA09A

Part of subcall function 00F5B329: _wcslen.LIBCMT ref: 00F5B333

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00FA0D31,00000001,0000138C,00000001,00000000,00000001,?,00FCEEAE,01022430,?), ref: 00FBA0BC
LoadStringW.USER32(00000000,?,00FA0D31,00000001), ref: 00FBA0BF
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FBA1E0

Strings

^ ERROR, xrefs: 00FBA175
Line %d:, xrefs: 00FBA11A
Line %d (File "%s"):, xrefs: 00FBA109
Error: , xrefs: 00FBA197
%s (%d) : ==> %s: %s %s, xrefs: 00FBA1C4

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 396c0aef37b00527522d9b3541fb7ba860c81950070879963310ccc62d2319a1
Instruction ID: 7e7e34045d9c1f12ad54873ad9641038ad9939fabd388fea8a978190543ebff5
Opcode Fuzzy Hash: 396c0aef37b00527522d9b3541fb7ba860c81950070879963310ccc62d2319a1
Instruction Fuzzy Hash: 83414372800209ABCB15FBE1DD46DEEB778AF54301F500065FA01B6052EB396F49EF61

Function 00FB0FCF Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F58577: _wcslen.LIBCMT ref: 00F5858A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00FB1093
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00FB10AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00FB10CB
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00FB10F5
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00FB111D
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FB1128
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FB112D

Strings

SOFTWARE\Classes\, xrefs: 00FB0FFF
\CLSID, xrefs: 00FB1015
\IPC$, xrefs: 00FB1075

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 6a44751813897bc18dcf44a9164e5c5df35ae71b7e8d892f4a4099062bd9e731
Instruction ID: cdf309ec5aa9ad5527758bd52fff99d3ea2fb744766f1069e2d91747a031ba7d
Opcode Fuzzy Hash: 6a44751813897bc18dcf44a9164e5c5df35ae71b7e8d892f4a4099062bd9e731
Instruction Fuzzy Hash: DB411772C1022DABCF11EBA4DC95DEEB7B8BF04750F444129EA01A7161EB359E09DF90

Function 00FE4A34 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00FE4AD9
CreateCompatibleDC.GDI32(00000000), ref: 00FE4AE0
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00FE4AF3
SelectObject.GDI32(00000000,00000000), ref: 00FE4AFB
GetPixel.GDI32(00000000,00000000,00000000), ref: 00FE4B06
DeleteDC.GDI32(00000000), ref: 00FE4B10
GetWindowLongW.USER32(?,000000EC), ref: 00FE4B1A
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00FE4B30
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00FE4B3C

Strings

static, xrefs: 00FE4A71

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: e10e12d56eaca0f80b1f1e2ecb50ca21f5c25d3b4f99e3168ebb53e64999d980
Instruction ID: 436d5f6a1a831bae627e6176b49c51f73d5cc0e7ca271ce80da4c7410f764857
Opcode Fuzzy Hash: e10e12d56eaca0f80b1f1e2ecb50ca21f5c25d3b4f99e3168ebb53e64999d980
Instruction Fuzzy Hash: AB318F32500259BBDF119FA5DC48FDA3BA9FF0D764F110224FA14EA1A0C779E850EB94

Function 00FD468D Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FD46B9
CoInitialize.OLE32(00000000), ref: 00FD46E7
CoUninitialize.OLE32 ref: 00FD46F1
_wcslen.LIBCMT ref: 00FD478A
GetRunningObjectTable.OLE32(00000000,?), ref: 00FD480E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00FD4932
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00FD496B
CoGetObject.OLE32(?,00000000,00FF0B64,?), ref: 00FD498A
SetErrorMode.KERNEL32(00000000), ref: 00FD499D
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00FD4A21
VariantClear.OLEAUT32(?), ref: 00FD4A35

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: bc85c3ac0609b18e791277559089df0f4203a8b871538ee7d421381d8a2f066d
Instruction ID: 9693c0ca8d37fcc11ddc7a4bd05f42f3aaed91052db49847fa84474d0c785117
Opcode Fuzzy Hash: bc85c3ac0609b18e791277559089df0f4203a8b871538ee7d421381d8a2f066d
Instruction Fuzzy Hash: CAC13471A043459F9700DF68C88492BB7EAFF89758F08491EF98A9B250DB31ED05EB52

Function 00FC84DB Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00FC8538
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00FC85D4
SHGetDesktopFolder.SHELL32(?), ref: 00FC85E8
CoCreateInstance.OLE32(00FF0CD4,00000000,00000001,01017E8C,?), ref: 00FC8634
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00FC86B9
CoTaskMemFree.OLE32(?,?), ref: 00FC8711
SHBrowseForFolderW.SHELL32(?), ref: 00FC879C
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00FC87BF
CoTaskMemFree.OLE32(00000000), ref: 00FC87C6
CoTaskMemFree.OLE32(00000000), ref: 00FC881B
CoUninitialize.OLE32 ref: 00FC8821

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 13ece0eeca6c2c09f0a954b6dcd75c042b7d2de933085a2a705e4d148778df41
Instruction ID: bacb8d18f449a34ef5d7f8a467c13d80dd7dd1e38b34964e451022300528d1c7
Opcode Fuzzy Hash: 13ece0eeca6c2c09f0a954b6dcd75c042b7d2de933085a2a705e4d148778df41
Instruction Fuzzy Hash: 6AC14D75A00109EFCB00DFA4C985EAEBBF5FF48354B148498E919DB661DB30ED46DB90

Function 00FB0378 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00FB039F
SafeArrayAllocData.OLEAUT32(?), ref: 00FB03F8
VariantInit.OLEAUT32(?), ref: 00FB040A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00FB042A
VariantCopy.OLEAUT32(?,?), ref: 00FB047D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00FB0491
VariantClear.OLEAUT32(?), ref: 00FB04A6
SafeArrayDestroyData.OLEAUT32(?), ref: 00FB04B3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FB04BC
VariantClear.OLEAUT32(?), ref: 00FB04CE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FB04D9

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 9496760d2023158c89d4a06110286fedc9d9fb8c425401d76c32fd0fabd0b971
Instruction ID: 990405e120bff7178b11dd8c7973738eb2ebd497f3a4672daee80a61bacd8dec
Opcode Fuzzy Hash: 9496760d2023158c89d4a06110286fedc9d9fb8c425401d76c32fd0fabd0b971
Instruction Fuzzy Hash: 55417135A0021DDFCB10DFA5DC889EE7BB9EF18354F008069E905AB2A1CB34A945DF90

Function 00FBA635 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00FBA65D
GetAsyncKeyState.USER32(000000A0), ref: 00FBA6DE
GetKeyState.USER32(000000A0), ref: 00FBA6F9
GetAsyncKeyState.USER32(000000A1), ref: 00FBA713
GetKeyState.USER32(000000A1), ref: 00FBA728
GetAsyncKeyState.USER32(00000011), ref: 00FBA740
GetKeyState.USER32(00000011), ref: 00FBA752
GetAsyncKeyState.USER32(00000012), ref: 00FBA76A
GetKeyState.USER32(00000012), ref: 00FBA77C
GetAsyncKeyState.USER32(0000005B), ref: 00FBA794
GetKeyState.USER32(0000005B), ref: 00FBA7A6

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: cd03889f58f98bf119cd8c9348277a93566e24aecef1baa3110f3e17c7c8e758
Instruction ID: 234d5163344934aa4d335e3fc8b8f6a948a94adf5ca2852bca718bd865fc4382
Opcode Fuzzy Hash: cd03889f58f98bf119cd8c9348277a93566e24aecef1baa3110f3e17c7c8e758
Instruction Fuzzy Hash: 9E41F478D087C96DFF31876188143E5BFB16B11324F58805AC5C24A5C2EFA499C8EFA3

Function 00FD9730 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00FD9750

Part of subcall function 00FB9805: _wcslen.LIBCMT ref: 00FB9828

_wcslen.LIBCMT ref: 00FD97AB
_wcslen.LIBCMT ref: 00FD97F9
_wcslen.LIBCMT ref: 00FD9839
_wcslen.LIBCMT ref: 00FD98CB

Strings

stdcall, xrefs: 00FD9833, 00FD9838
cdecl, xrefs: 00FD97A5, 00FD97AA
winapi, xrefs: 00FD97F3, 00FD97F8
none, xrefs: 00FD98C2, 00FD98C7

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 7fb0e9969a7f2536a4c115e58f4ec69a32fc8229a0f22e4889137eaac596d78b
Instruction ID: 2463f4ff10b45ac9f7035b478a3301ec69028b316748766bc1dfdfb499a6ec14
Opcode Fuzzy Hash: 7fb0e9969a7f2536a4c115e58f4ec69a32fc8229a0f22e4889137eaac596d78b
Instruction Fuzzy Hash: E651F632E081169BCB14DFA8C9509BEB3A2BF15760B68422BE866E7384D775DD40F790

Function 00FD4189 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00FD41D1
CoUninitialize.OLE32 ref: 00FD41DC
CoCreateInstance.OLE32(?,00000000,00000017,00FF0B44,?), ref: 00FD4236
IIDFromString.OLE32(?,?), ref: 00FD42A9
VariantInit.OLEAUT32(?), ref: 00FD4341
VariantClear.OLEAUT32(?), ref: 00FD4393

Strings

NULL Pointer assignment, xrefs: 00FD427B
Invalid parameter, xrefs: 00FD42C2
Failed to create object, xrefs: 00FD4241, 00FD42F7

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: a1f408e88d77a3e54b9599537c1d613ff2e0b3bdc332aed43d36abbd4830277f
Instruction ID: 63ce8e2c8ff9672d6a5fa4a98b15bd37403281287b2e33f988791e5bed0e2f0f
Opcode Fuzzy Hash: a1f408e88d77a3e54b9599537c1d613ff2e0b3bdc332aed43d36abbd4830277f
Instruction Fuzzy Hash: 6161AE716083019FD311DF68C889B6ABBE6EF49715F08090AF9859B391C774FD48EB92

Function 00FC8BDA Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00FC8C9C
SystemTimeToFileTime.KERNEL32(?,?), ref: 00FC8CAC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00FC8CB8
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FC8D55
SetCurrentDirectoryW.KERNEL32(?), ref: 00FC8D69
SetCurrentDirectoryW.KERNEL32(?), ref: 00FC8D9B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00FC8DD1
SetCurrentDirectoryW.KERNEL32(?), ref: 00FC8DDA

Strings

*.*, xrefs: 00FC8DE0

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: e5ce85591fdd428f85dfacc19994fdb05e3f0582eeefa9d0ce37f3ee31f67743
Instruction ID: e21757e7c046f67959ac89f593813a21436e9ce95a58e3c8f30be6dedfe53bab
Opcode Fuzzy Hash: e5ce85591fdd428f85dfacc19994fdb05e3f0582eeefa9d0ce37f3ee31f67743
Instruction Fuzzy Hash: D6615E725043069FC710EF60C945E9EB7E8FF99350F04481EF98A87251DB35E949DB92

Function 00FE46E2 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00FE4715
SetMenu.USER32(?,00000000), ref: 00FE4724
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FE47AC
IsMenu.USER32(?), ref: 00FE47C0
CreatePopupMenu.USER32 ref: 00FE47CA
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FE47F7
DrawMenuBar.USER32 ref: 00FE47FF

Strings

F, xrefs: 00FE47EA
0, xrefs: 00FE46F0

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 65f7339bf84ce6d5615c7bf20e7eb7d8288610e9428badb044c4c7a66aa65f28
Instruction ID: ec76ecd9778f74301964c807c848fd9dcc7d55e0c1393b85dfc3a329c6f27fc3
Opcode Fuzzy Hash: 65f7339bf84ce6d5615c7bf20e7eb7d8288610e9428badb044c4c7a66aa65f28
Instruction Fuzzy Hash: 25418A75A01389AFDB24DF65D884AAA7BB6FF09314F14402DEA459B390C771AD10EF50

Function 00FB282C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F5B329: _wcslen.LIBCMT ref: 00F5B333

Part of subcall function 00FB45FD: GetClassNameW.USER32(?,?,000000FF), ref: 00FB4620

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00FB28B1
GetDlgCtrlID.USER32 ref: 00FB28BC
GetParent.USER32 ref: 00FB28D8
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FB28DB
GetDlgCtrlID.USER32(?), ref: 00FB28E4
GetParent.USER32(?), ref: 00FB28F8
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FB28FB

Strings

ListBox, xrefs: 00FB286E
ComboBox, xrefs: 00FB2839

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 84e333802de8309ad62c6d57c7bf933a29423c00f8c3cd2d9e50501d7772e782
Instruction ID: eecc32e960ace51785948205b1af3f4b82ee27d1a733befc33381adafc6fab24
Opcode Fuzzy Hash: 84e333802de8309ad62c6d57c7bf933a29423c00f8c3cd2d9e50501d7772e782
Instruction Fuzzy Hash: 4621A475D00118BBCF11AFA1CC85EEEBBB4EF06350F004156B951AB291DB799809FF60

Function 00FB290D Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F5B329: _wcslen.LIBCMT ref: 00F5B333

Part of subcall function 00FB45FD: GetClassNameW.USER32(?,?,000000FF), ref: 00FB4620

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00FB2990
GetDlgCtrlID.USER32 ref: 00FB299B
GetParent.USER32 ref: 00FB29B7
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FB29BA
GetDlgCtrlID.USER32(?), ref: 00FB29C3
GetParent.USER32(?), ref: 00FB29D7
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FB29DA

Strings

ListBox, xrefs: 00FB294F
ComboBox, xrefs: 00FB291A

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 8516cad4772c4ae07045875507f75412921bafaf640ea6a0452693405ad6e8f2
Instruction ID: 480bf668423de27b384cffb224015c5d8665d1c5caba9d8896db25c633b1019d
Opcode Fuzzy Hash: 8516cad4772c4ae07045875507f75412921bafaf640ea6a0452693405ad6e8f2
Instruction Fuzzy Hash: A121C0B5D00118BBCF11ABA1CC85EFEBBB8EF05350F004016B955AB2A1DB799849FF60

Function 00FE44BF Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00FE4539
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00FE453C
GetWindowLongW.USER32(?,000000F0), ref: 00FE4563
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FE4586
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00FE45FE
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00FE4648
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00FE4663
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00FE467E
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00FE4692
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00FE46AF

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 5781d6ec09b7b197f4fcbad670a30547a6b01fa53db86c9ee1c1964128ffbc24
Instruction ID: 55521f78f1c147b63e729c30ea677eae3799a1dfb003e063c3e55ecfb21ab8d8
Opcode Fuzzy Hash: 5781d6ec09b7b197f4fcbad670a30547a6b01fa53db86c9ee1c1964128ffbc24
Instruction Fuzzy Hash: 24618C75A00248AFDB21DFA4CC81EEEB7B8EF09710F100159FA15EB2A1C774AD56EB50

Function 00FBBAF6 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00FBBB18
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00FBABA8,?,00000001), ref: 00FBBB2C
GetWindowThreadProcessId.USER32(00000000), ref: 00FBBB33
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FBABA8,?,00000001), ref: 00FBBB42
GetWindowThreadProcessId.USER32(?,00000000), ref: 00FBBB54
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00FBABA8,?,00000001), ref: 00FBBB6D
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FBABA8,?,00000001), ref: 00FBBB7F
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00FBABA8,?,00000001), ref: 00FBBBC4
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00FBABA8,?,00000001), ref: 00FBBBD9
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00FBABA8,?,00000001), ref: 00FBBBE4

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 37c159ccae868640c6b735bfd5b69ad92c9b615da86c0399e7343460f0fbb5a5
Instruction ID: 8621cda8944e442c3cca628f3edc329685bdf4f5aad4a24ffed681fbe100c4ed
Opcode Fuzzy Hash: 37c159ccae868640c6b735bfd5b69ad92c9b615da86c0399e7343460f0fbb5a5
Instruction Fuzzy Hash: DD316172904208AFDB30DF15DCC8FA977A9EB84322F208419F905DB198D7F9D980AF60

Function 00F82FF3 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00F83007

Part of subcall function 00F82D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00F8DB51,01021DC4,00000000,01021DC4,00000000,?,00F8DB78,01021DC4,00000007,01021DC4,?,00F8DF75,01021DC4), ref: 00F82D4E
Part of subcall function 00F82D38: GetLastError.KERNEL32(01021DC4,?,00F8DB51,01021DC4,00000000,01021DC4,00000000,?,00F8DB78,01021DC4,00000007,01021DC4,?,00F8DF75,01021DC4,01021DC4), ref: 00F82D60

_free.LIBCMT ref: 00F83013
_free.LIBCMT ref: 00F8301E
_free.LIBCMT ref: 00F83029
_free.LIBCMT ref: 00F83034
_free.LIBCMT ref: 00F8303F
_free.LIBCMT ref: 00F8304A
_free.LIBCMT ref: 00F83055
_free.LIBCMT ref: 00F83060
_free.LIBCMT ref: 00F8306E

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dbbf9d19648d0b17907b1126d96db95cfde33e6693509d6a34e8871eb1de7d7e
Instruction ID: f4b9961778aa022811f2929824b25a2bd429241283f8c38e251d70f623b2e0ab
Opcode Fuzzy Hash: dbbf9d19648d0b17907b1126d96db95cfde33e6693509d6a34e8871eb1de7d7e
Instruction Fuzzy Hash: E5117476500108AFCB81FF94CC86DDD7FA5EF05350B9185A5FA089B232EA35EA51AB90

Function 00F52AB0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00F52AF9
OleUninitialize.OLE32(?,00000000), ref: 00F52B98
UnregisterHotKey.USER32(?), ref: 00F52D7D
DestroyWindow.USER32(?), ref: 00F93A1B
FreeLibrary.KERNEL32(?), ref: 00F93A80
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F93AAD

Strings

close all, xrefs: 00F52AF4

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 950a9e78b26083085544c1630670c46cdbc499c133d09404568ad2d34fee0ada
Instruction ID: 6829b0fff0e6b5829ad77c44141626f8c9304546a09bd506f180c0fc9d10b728
Opcode Fuzzy Hash: 950a9e78b26083085544c1630670c46cdbc499c133d09404568ad2d34fee0ada
Instruction Fuzzy Hash: 78D18F31B01212DFDB69EF14C885B29F7B0BF45721F1142ADE94A6B262CB35AD16EF40

Function 00FC8835 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FC89F2
SetCurrentDirectoryW.KERNEL32(?), ref: 00FC8A06
GetFileAttributesW.KERNEL32(?), ref: 00FC8A30
SetFileAttributesW.KERNEL32(?,00000000), ref: 00FC8A4A
SetCurrentDirectoryW.KERNEL32(?), ref: 00FC8A5C
SetCurrentDirectoryW.KERNEL32(?), ref: 00FC8AA5
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00FC8AF5

Strings

*.*, xrefs: 00FC8AAB

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 54ab4d0595c8be68b77fa532a7f96983da9f046c6568ba1fc39c4a7d73728077
Instruction ID: 3e02bbf7cd77859bc2eddf33ec61915907e8a9580cdd7407744345d0dde6021f
Opcode Fuzzy Hash: 54ab4d0595c8be68b77fa532a7f96983da9f046c6568ba1fc39c4a7d73728077
Instruction Fuzzy Hash: B881B1729042069BCB24EF14C946FBAB3E8BF847A0F54481EF885D7250DB38D946AB52

Function 00F57447 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00F574D7

Part of subcall function 00F57567: GetClientRect.USER32(?,?), ref: 00F5758D
Part of subcall function 00F57567: GetWindowRect.USER32(?,?), ref: 00F575CE
Part of subcall function 00F57567: ScreenToClient.USER32(?,?), ref: 00F575F6

GetDC.USER32 ref: 00F96083
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00F96096
SelectObject.GDI32(00000000,00000000), ref: 00F960A4
SelectObject.GDI32(00000000,00000000), ref: 00F960B9
ReleaseDC.USER32(?,00000000), ref: 00F960C1
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00F96152

Strings

U, xrefs: 00F96021

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 475dc10f56f2792f3a1ce11577f4f0f283a4c13ec03b39f915c3550d4a27bf29
Instruction ID: 4c246071d906478103f1307351810348dbc2f08778b6094758dbef9658e8d284
Opcode Fuzzy Hash: 475dc10f56f2792f3a1ce11577f4f0f283a4c13ec03b39f915c3550d4a27bf29
Instruction Fuzzy Hash: 63710031904205DFDF25DF64DC84ABA3BB1FF48361F24426AEE559A1A6C7358884FF10

Function 00FE955E Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F5249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00F524B0

Part of subcall function 00F519CD: GetCursorPos.USER32(?), ref: 00F519E1
Part of subcall function 00F519CD: ScreenToClient.USER32(00000000,?), ref: 00F519FE
Part of subcall function 00F519CD: GetAsyncKeyState.USER32(00000001), ref: 00F51A23
Part of subcall function 00F519CD: GetAsyncKeyState.USER32(00000002), ref: 00F51A3D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?), ref: 00FE95C7
ImageList_EndDrag.COMCTL32 ref: 00FE95CD
ReleaseCapture.USER32 ref: 00FE95D3
SetWindowTextW.USER32(?,00000000), ref: 00FE966E
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00FE9681
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?), ref: 00FE975B

Strings

@GUI_DRAGFILE, xrefs: 00FE96F6
@GUI_DROPID, xrefs: 00FE96AD

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: a18f3172afc818052d53e7d1a88d1f01304a859930982199d3ba440fb5eb3e93
Instruction ID: aa3565be112a71337b8b0fbf8da6eba3e74c1fbb9e54d36f43e987e1dfa579c1
Opcode Fuzzy Hash: a18f3172afc818052d53e7d1a88d1f01304a859930982199d3ba440fb5eb3e93
Instruction Fuzzy Hash: 0151DF71204344AFD714EF10CC86FAA77E4FB88765F400A1DFA959B2E2CB759908EB52

Function 00FCCC98 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FCCCB7
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FCCCDF
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00FCCD0F
GetLastError.KERNEL32 ref: 00FCCD67
SetEvent.KERNEL32(?), ref: 00FCCD7B
InternetCloseHandle.WININET(00000000), ref: 00FCCD86

Strings

, xrefs: 00FCCD00

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 1e97605acb85c315baed11489f75a5f2f7e43c8031bcc57362a42a78d3caf524
Instruction ID: eec9a3e7c197725b24a117669bbf1751b57c225835c53c17c9a53de0fb49ba97
Opcode Fuzzy Hash: 1e97605acb85c315baed11489f75a5f2f7e43c8031bcc57362a42a78d3caf524
Instruction Fuzzy Hash: BF3191B1900209AFD7219F658D86FAB7BFCEB45750B10452EF45AD6600D734DD08ABA1

Function 00FBA215 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00F955AE,?,?,Bad directive syntax error,00FEDCD0,00000000,00000010,?,?), ref: 00FBA236
LoadStringW.USER32(00000000,?,00F955AE,?), ref: 00FBA23D

Part of subcall function 00F5B329: _wcslen.LIBCMT ref: 00F5B333

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00FBA301

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 00FBA26B
., xrefs: 00FBA2E7
Error: , xrefs: 00FBA2CF
Line %d:, xrefs: 00FBA28C
Line %d (File "%s"):, xrefs: 00FBA2A7

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 710038140fa419ee03a3a8a221d8b6c013fe132de25255dc7a7602d7dce02738
Instruction ID: c29c117d0eed33b5b96ff8929d85466cb925bccb4a2f5b8a644b6c9389157af0
Opcode Fuzzy Hash: 710038140fa419ee03a3a8a221d8b6c013fe132de25255dc7a7602d7dce02738
Instruction Fuzzy Hash: 4221653194021EEFCF11AF90CC46EEE7B75BF18700F444459F6156A062EB7A9618FB11

Function 00FB29EC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00FB29F8
GetClassNameW.USER32(00000000,?,00000100), ref: 00FB2A0D
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00FB2A9A

Strings

largeicons, xrefs: 00FB2A2E
smallicons, xrefs: 00FB2A62
details, xrefs: 00FB2A48
list, xrefs: 00FB2A7C
SHELLDLL_DefView, xrefs: 00FB2A19

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 178bf580f5f6f6e01925f79d387aa9c13d1a9cf513bc914bd51354c56f36310c
Instruction ID: a5e6243c666858aef8fa4c1832cd891391cda73a26c75caa32a48a4f7bf39241
Opcode Fuzzy Hash: 178bf580f5f6f6e01925f79d387aa9c13d1a9cf513bc914bd51354c56f36310c
Instruction Fuzzy Hash: 8A11E977644307B9F6246722DC07DE6779CDF15B34B204016F505E9091FBAE68417915

Function 00F57567 Relevance: 13.8, APIs: 9, Instructions: 291COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00F5758D
GetWindowRect.USER32(?,?), ref: 00F575CE
ScreenToClient.USER32(?,?), ref: 00F575F6
GetClientRect.USER32(?,?), ref: 00F5773A
GetWindowRect.USER32(?,?), ref: 00F5775B

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 2caaed4d06653e8654e7c5a37c8a9d2ae00c89313dbbdae02952be73e374db79
Instruction ID: 73fa89446033b93074865fc6c46019a9a4f1ba352c55a3bca6cc2088c3722092
Opcode Fuzzy Hash: 2caaed4d06653e8654e7c5a37c8a9d2ae00c89313dbbdae02952be73e374db79
Instruction Fuzzy Hash: 3DC1473990464AEBDF10DFA8D580BEDBBB1FF08320F14841AE999E7250D734A945EB60

Function 00F8D210 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00F8D237
_free.LIBCMT ref: 00F8D2A2
_free.LIBCMT ref: 00F8D2C8
_free.LIBCMT ref: 00F8D2F1
_free.LIBCMT ref: 00F8D329
_free.LIBCMT ref: 00F8D35A
_free.LIBCMT ref: 00F8D39B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00F8D41C
_free.LIBCMT ref: 00F8D435

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: e502976905f241cf96f483955f7d9387d470896782ed77d3ade086f8aae65f5e
Instruction ID: 28de6561d84529facbc536d82ec5547a476ecd37e7c93f0ec2a8ef0cb8fd6d43
Opcode Fuzzy Hash: e502976905f241cf96f483955f7d9387d470896782ed77d3ade086f8aae65f5e
Instruction Fuzzy Hash: 41612572D01301AFDF35BF74DC85AEE7BA4AF01330F15416DE944A72C5EA3AA901A791

Function 00FE5B72 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00FE5C24
ShowWindow.USER32(?,00000000), ref: 00FE5C65
ShowWindow.USER32(?,00000005,?,00000000), ref: 00FE5C6B
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00FE5C6F

Part of subcall function 00FE79F2: DeleteObject.GDI32(00000000), ref: 00FE7A1E

GetWindowLongW.USER32(?,000000F0), ref: 00FE5CAB
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FE5CB8
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00FE5CEB
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00FE5D25
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00FE5D34

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 585028beb4c348db640bc11d8568ae2d296bbdff9b924793dbca35ae3d118575
Instruction ID: 2d7cae92114fb4e53204fbe3126a39bb8e3d40b58c5ddfc7b65c4db9569c5190
Opcode Fuzzy Hash: 585028beb4c348db640bc11d8568ae2d296bbdff9b924793dbca35ae3d118575
Instruction Fuzzy Hash: 0151A630A40A88BFEF349F2ACC49F983B61FB44B68F244111FA159A1E1C775A980FB51

Function 00F513A6 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00F928D1
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00F928EA
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00F928FA
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00F92912
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00F92933
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F511F5,00000000,00000000,00000000,000000FF,00000000), ref: 00F92942
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00F9295F
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F511F5,00000000,00000000,00000000,000000FF,00000000), ref: 00F9296E

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 044269d6d43b8a78d2ee49696cb2237db20f08040bd4e7c09b2fd87207cc0c2d
Instruction ID: 685a5dbcadf4c2287f0e8c31d981903128bff44157a623f4f6e810f5ed284b87
Opcode Fuzzy Hash: 044269d6d43b8a78d2ee49696cb2237db20f08040bd4e7c09b2fd87207cc0c2d
Instruction Fuzzy Hash: 73519A30A00209AFEB24DF25CC85FAA7BB5FF48361F104519FA529B6A0D771E985EB50

Function 00FCCB88 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00FCCBC7
GetLastError.KERNEL32 ref: 00FCCBDA
SetEvent.KERNEL32(?), ref: 00FCCBEE

Part of subcall function 00FCCC98: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FCCCB7
Part of subcall function 00FCCC98: GetLastError.KERNEL32 ref: 00FCCD67
Part of subcall function 00FCCC98: SetEvent.KERNEL32(?), ref: 00FCCD7B
Part of subcall function 00FCCC98: InternetCloseHandle.WININET(00000000), ref: 00FCCD86

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 6dfddf759e1547000d73fd6a72e8ff9f27566c7d7297b677b1d2a6878669736f
Instruction ID: 3a0371f233a0f56ca5de909edb347a99cad6119ef317bffb0f4b4e1d5db83ac0
Opcode Fuzzy Hash: 6dfddf759e1547000d73fd6a72e8ff9f27566c7d7297b677b1d2a6878669736f
Instruction Fuzzy Hash: E4316B71500786AFDB219F61CE85F6ABBE8FF44310B04452DF95E86A10C735E814BBA0

Function 00FB2EEF Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB4393: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FB43AD
Part of subcall function 00FB4393: GetCurrentThreadId.KERNEL32 ref: 00FB43B4
Part of subcall function 00FB4393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00FB2F00), ref: 00FB43BB

MapVirtualKeyW.USER32(00000025,00000000), ref: 00FB2F0A
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00FB2F28
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00FB2F2C
MapVirtualKeyW.USER32(00000025,00000000), ref: 00FB2F36
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00FB2F4E
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00FB2F52
MapVirtualKeyW.USER32(00000025,00000000), ref: 00FB2F5C
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00FB2F70
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00FB2F74

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: c07cbc87ec1c78fcd085ca13f3347c5f3c5acc097191bb84df33a0bd3a14d691
Instruction ID: 35acc3bccb90fc75185009c5162821aca47941fe5d43c4bf58d0d33e09bd9afe
Opcode Fuzzy Hash: c07cbc87ec1c78fcd085ca13f3347c5f3c5acc097191bb84df33a0bd3a14d691
Instruction Fuzzy Hash: 7201D8317842147BFB106769DCCAF593F59DB4EB11F100011F318AE1E1C9E66444EEA9

Function 00FB2150 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00FB1D95,?,?,00000000), ref: 00FB2159
HeapAlloc.KERNEL32(00000000,?,00FB1D95,?,?,00000000), ref: 00FB2160
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00FB1D95,?,?,00000000), ref: 00FB2175
GetCurrentProcess.KERNEL32(?,00000000,?,00FB1D95,?,?,00000000), ref: 00FB217D
DuplicateHandle.KERNEL32(00000000,?,00FB1D95,?,?,00000000), ref: 00FB2180
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00FB1D95,?,?,00000000), ref: 00FB2190
GetCurrentProcess.KERNEL32(00FB1D95,00000000,?,00FB1D95,?,?,00000000), ref: 00FB2198
DuplicateHandle.KERNEL32(00000000,?,00FB1D95,?,?,00000000), ref: 00FB219B
CreateThread.KERNEL32(00000000,00000000,00FB21C1,00000000,00000000,00000000), ref: 00FB21B5

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 365dd04080b5ff945aa5e018d637f3d7b2185f4af2b605a251849bb6b5107d8c
Instruction ID: a7bb8bbbd1cec20bc80be0c98685385a6022226c0fc2cc7507d175c52126d59f
Opcode Fuzzy Hash: 365dd04080b5ff945aa5e018d637f3d7b2185f4af2b605a251849bb6b5107d8c
Instruction Fuzzy Hash: B601B6B5240348BFEB10AFA5DC8DF6B7BACEB89711F008411FA05DF6A1CA759800DB21

Function 00FDAB3F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00FBDD87: CreateToolhelp32Snapshot.KERNEL32 ref: 00FBDDAC
Part of subcall function 00FBDD87: Process32FirstW.KERNEL32(00000000,?), ref: 00FBDDBA
Part of subcall function 00FBDD87: CloseHandle.KERNEL32(00000000), ref: 00FBDE87

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FDABCA
GetLastError.KERNEL32 ref: 00FDABDD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FDAC10
TerminateProcess.KERNEL32(00000000,00000000), ref: 00FDACC5
GetLastError.KERNEL32(00000000), ref: 00FDACD0
CloseHandle.KERNEL32(00000000), ref: 00FDAD21

Strings

SeDebugPrivilege, xrefs: 00FDABEC

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: be018070fc17859bd0820131b05165e5d6ed6a75062a0538c6331d66373cc7bb
Instruction ID: c1c360c9e663de5b2b539b6ab884068346512432a00834fdf91cf7e6e5c40aa3
Opcode Fuzzy Hash: be018070fc17859bd0820131b05165e5d6ed6a75062a0538c6331d66373cc7bb
Instruction Fuzzy Hash: BA61DE31614242AFD314DF14C884F25BBE2AF44328F18848DE8664FBA3C775ED49EB92

Function 00FE4322 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00FE43C1
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00FE43D6
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00FE43F0
_wcslen.LIBCMT ref: 00FE4435
SendMessageW.USER32(?,00001057,00000000,?), ref: 00FE4462
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00FE4490

Strings

SysListView32, xrefs: 00FE4393

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: b0a753f52740ecb5f91b6f912c9c1da405a63189f1a0cfcc4dc974440412cef4
Instruction ID: 46acad33b810dd7f2fc59d20cd351d57c1c543414c059855602c15686814030d
Opcode Fuzzy Hash: b0a753f52740ecb5f91b6f912c9c1da405a63189f1a0cfcc4dc974440412cef4
Instruction Fuzzy Hash: 9641D531E00349ABDF21DF65CC49BEA77A9FF48360F10012AF948E7291D775A980EB90

Function 00FBC625 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FBC6C4
IsMenu.USER32(00000000), ref: 00FBC6E4
CreatePopupMenu.USER32 ref: 00FBC71A
GetMenuItemCount.USER32(01206558), ref: 00FBC76B
InsertMenuItemW.USER32(01206558,?,00000001,00000030), ref: 00FBC793

Strings

2, xrefs: 00FBC6FE
0, xrefs: 00FBC66F

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: cb47c46e3d2506eef86e9ef02e03e2f8a81d2b856719f93701bdd92ab263e13d
Instruction ID: 5358700f20c619e31030e948044c61b436c838b78638e3e04de3c52a62ee6318
Opcode Fuzzy Hash: cb47c46e3d2506eef86e9ef02e03e2f8a81d2b856719f93701bdd92ab263e13d
Instruction Fuzzy Hash: 4E519D74A002059BDF10CF6AC884BEFBBF9AF44324F34421AE9159B291DB709941EFA1

Function 00FBD11F Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00FBD1BE

Strings

question, xrefs: 00FBD177
info, xrefs: 00FBD15F
stop, xrefs: 00FBD18F
warning, xrefs: 00FBD1A7
blank, xrefs: 00FBD140

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: f84f2e34cdaeff4080cf33ec72810cd2ffbcb70da8591db046837cbc643d5753
Instruction ID: 39a0aa7bc8afa1503ea7e5eeddea6408c86debaecafc5c699c6c966d3d4f8fe1
Opcode Fuzzy Hash: f84f2e34cdaeff4080cf33ec72810cd2ffbcb70da8591db046837cbc643d5753
Instruction Fuzzy Hash: 52110A76649306BBF7055B5ADC82DEA779CDF05770F20002AF944EA181F7B96A006963

Function 00FBE73E Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00FBE759
gethostname.WSOCK32(?,00000100), ref: 00FBE773
gethostbyname.WSOCK32(?), ref: 00FBE780
inet_ntoa.WSOCK32(?), ref: 00FBE7C2
_strcat.LIBCMT ref: 00FBE7D0
WSACleanup.WSOCK32 ref: 00FBE7F5

Strings

0.0.0.0, xrefs: 00FBE79E

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: d1225888244664b2989cfedc6a242a7abea6ccede312969bfe374c6f244d0593
Instruction ID: b16401c794223c0e75f1015e5304292c8f7a694c6adf301f5825dc149280277b
Opcode Fuzzy Hash: d1225888244664b2989cfedc6a242a7abea6ccede312969bfe374c6f244d0593
Instruction Fuzzy Hash: ED11D632900159BFCB24A765DC8AEDE77BCEF41720F1000B6F555AA091EFB89A81BA51

Function 00FBF630 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00FBF641
_wcslen.LIBCMT ref: 00FBF652
_wcslen.LIBCMT ref: 00FBF690
_wcslen.LIBCMT ref: 00FBF6C6
_wcslen.LIBCMT ref: 00FBF6F6
_wcslen.LIBCMT ref: 00FBF706
_wcslen.LIBCMT ref: 00FBF742
_wcslen.LIBCMT ref: 00FBF771

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 196cdb05febfff54e5f179326c9f65e18f07454af966c198abe36d2493ce590b
Instruction ID: 777974cb40d7c80220e5f67926bcc1752b8d2f40929ce4c449f3615cdcec5ccb
Opcode Fuzzy Hash: 196cdb05febfff54e5f179326c9f65e18f07454af966c198abe36d2493ce590b
Instruction Fuzzy Hash: CA419265D10518B6CB11EBB8CC8AACFB7A8AF05310F608463E50DE3121FB38E255D7A7

Function 00F6FBC6 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00F939E2,00000004,00000000,00000000), ref: 00F6FC41
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00F939E2,00000004,00000000,00000000), ref: 00FAFC15
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00F939E2,00000004,00000000,00000000), ref: 00FAFC98

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 5a2784328d0cc4c58e93dcd338fed00468c2272b790e8833152cb47e5af2ac3f
Instruction ID: 41bce6107e6ca0908811f284bb102bcec96e82c048d0ee5c14397aa68de497dd
Opcode Fuzzy Hash: 5a2784328d0cc4c58e93dcd338fed00468c2272b790e8833152cb47e5af2ac3f
Instruction Fuzzy Hash: D2412B71A083CC9EC7358B79E9C8B397B92AB87370F14453CE9474AA64C635AA4CF711

Function 00FE379F Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00FE37B7
GetDC.USER32(00000000), ref: 00FE37BF
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FE37CA
ReleaseDC.USER32(00000000,00000000), ref: 00FE37D6
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00FE3812
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00FE3823
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00FE6504,?,?,000000FF,00000000,?,000000FF,?), ref: 00FE385E
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00FE387D

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 71e8b8bed17ac0d936ac5d371d067e4647e3a23dc5a6d3e0e0c47a5462f6c437
Instruction ID: 4e7fd72d5f8238a5ba26e1634a98cfdd04e4778080c559e195c8b6b81f8c4038
Opcode Fuzzy Hash: 71e8b8bed17ac0d936ac5d371d067e4647e3a23dc5a6d3e0e0c47a5462f6c437
Instruction Fuzzy Hash: 09319C72201258BFEB118F51CC89FEB3BA9EF49761F044065FE089E291C6B59D41DBA0

Function 00FD5A0B Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00FD5A8B, 00FD5DE0
Not an Object type, xrefs: 00FD5A64

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: e0ac11150046a13c33849cd9e458bad723faf3017d8d233b37f58893fd7aeb6b
Instruction ID: 9ca4837cbb87e5d12996e15de74d7089a21e2738e070000e009be66b5aea40a0
Opcode Fuzzy Hash: e0ac11150046a13c33849cd9e458bad723faf3017d8d233b37f58893fd7aeb6b
Instruction Fuzzy Hash: 30D19F71A0060A9FDF10CF68C885AAEB7B6BF48714F18816AE915AB381D770ED45DB60

Function 00F918A2 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00F91B7B,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00F9194E
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00F91B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00F919D1
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00F91B7B,?,00F91B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00F91A64
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00F91B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00F91A7B

Part of subcall function 00F83B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00F76A79,?,0000015D,?,?,?,?,00F785B0,000000FF,00000000,?,?), ref: 00F83BC5

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00F91B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00F91AF7
__freea.LIBCMT ref: 00F91B22
__freea.LIBCMT ref: 00F91B2E

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: a74345ee56be0702a78b7938253558c6e4fbc5488f4ab04bd9a160028dbbbccd
Instruction ID: 8e62daf735e26a4cd39b8a062eb0859757507cf3d6311fe3941c6c1a7fbee50f
Opcode Fuzzy Hash: a74345ee56be0702a78b7938253558c6e4fbc5488f4ab04bd9a160028dbbbccd
Instruction Fuzzy Hash: 6291B272E012179EFF258E64CC91AEE7BB6BF49320F180679E805E7180E729DC41E760

Function 00FD4F80 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FD50A5
VariantInit.OLEAUT32(?), ref: 00FD51A6
VariantClear.OLEAUT32(?), ref: 00FD51B0
VariantClear.OLEAUT32(?), ref: 00FD520D

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00FD5189
Null Object assignment in FOR..IN loop, xrefs: 00FD5035, 00FD5163, 00FD521B

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: ef4db64e84794be336217a8620388612033542a702e02af7d7bf59765ed4f091
Instruction ID: 90452b0fce005336d0d9389426bf1bd67e001c64a80625fcb50c5987cbfa3044
Opcode Fuzzy Hash: ef4db64e84794be336217a8620388612033542a702e02af7d7bf59765ed4f091
Instruction Fuzzy Hash: 3791B471E00619ABDF20CFA4CC48FAEBBB9EF45B24F14851AF515AB280D7709945DFA0

Function 00FC1B46 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00FC1C1B
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00FC1C43
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00FC1C67
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00FC1C97
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00FC1D1E
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00FC1D83
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00FC1DEF

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: e555d7fc44ff17c2d9addacc24c8e2c513ac114316179760f1af6333e99d5cbc
Instruction ID: 7b847581f83393596d89ce03b6f9987bb76a3156ef8d2e5a8fa9a7a3a77b7320
Opcode Fuzzy Hash: e555d7fc44ff17c2d9addacc24c8e2c513ac114316179760f1af6333e99d5cbc
Instruction Fuzzy Hash: 2291E272A0021A9FDB01DF94C986FFEB7B4FF06721F108019E941EB292D778A955EB50

Function 00FD43A4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FD43C8
CharUpperBuffW.USER32(?,?), ref: 00FD44D7
_wcslen.LIBCMT ref: 00FD44E7
VariantClear.OLEAUT32(?), ref: 00FD467C

Part of subcall function 00FC169E: VariantInit.OLEAUT32(00000000), ref: 00FC16DE
Part of subcall function 00FC169E: VariantCopy.OLEAUT32(?,?), ref: 00FC16E7
Part of subcall function 00FC169E: VariantClear.OLEAUT32(?), ref: 00FC16F3

Strings

AUTOIT.ERROR, xrefs: 00FD44DD, 00FD44E2
Incorrect Parameter format, xrefs: 00FD4403, 00FD45FE

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 5384e45412ee3ee7464a7e8757147a8acf37e64a4766d0d92d1106eb9288cfcb
Instruction ID: 500b5a613a558c9cb6655781aaad1c62af392c356de05cfdf273aa603ccda33f
Opcode Fuzzy Hash: 5384e45412ee3ee7464a7e8757147a8acf37e64a4766d0d92d1106eb9288cfcb
Instruction Fuzzy Hash: 56915A75A043019FC704EF24C88196AB7E5FF89714F18891EF88A97351DB35ED46EB82

Function 00FD560A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00FB08FE: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FB0831,80070057,?,?,?,00FB0C4E), ref: 00FB091B
Part of subcall function 00FB08FE: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FB0831,80070057,?,?), ref: 00FB0936
Part of subcall function 00FB08FE: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FB0831,80070057,?,?), ref: 00FB0944
Part of subcall function 00FB08FE: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FB0831,80070057,?), ref: 00FB0954

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00FD56AE
_wcslen.LIBCMT ref: 00FD57B6
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00FD582C
CoTaskMemFree.OLE32(?), ref: 00FD5837

Strings

NULL Pointer assignment, xrefs: 00FD5880, 00FD58AF

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: ae3837833eafaaaae1673a48931608b32fb3482ca1a201e31f9e601ee611ff68
Instruction ID: fa5cb9a40b1d9c9695a775e8a4fd2767223b5e3e19af8bf09cdc603303b6bc56
Opcode Fuzzy Hash: ae3837833eafaaaae1673a48931608b32fb3482ca1a201e31f9e601ee611ff68
Instruction Fuzzy Hash: C5910471D0021DAFDF10DFA4DC81AEEB7B9AF08714F14416AE915AB251EB349A48EF60

Function 00FE2B99 Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00FE2C1F
GetMenuItemCount.USER32(00000000), ref: 00FE2C51
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00FE2C79
_wcslen.LIBCMT ref: 00FE2CAF
GetMenuItemID.USER32(?,?), ref: 00FE2CE9
GetSubMenu.USER32(?,?), ref: 00FE2CF7

Part of subcall function 00FB4393: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FB43AD
Part of subcall function 00FB4393: GetCurrentThreadId.KERNEL32 ref: 00FB43B4
Part of subcall function 00FB4393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00FB2F00), ref: 00FB43BB

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00FE2D7F

Part of subcall function 00FBF292: Sleep.KERNEL32 ref: 00FBF30A

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: a317a687e7ed273be2b111856da1ad9a1842c3c4eb5167a3964c0efe88015a2c
Instruction ID: e77b7d57d4c913906b32d8ae8c578698f007911d34bc565623710fa5f93d8b10
Opcode Fuzzy Hash: a317a687e7ed273be2b111856da1ad9a1842c3c4eb5167a3964c0efe88015a2c
Instruction Fuzzy Hash: 0B71B075E00204AFCB50DF65CC85AAEB7F5EF48320F148469E916EB351EB34AE41AB90

Function 00FE88F9 Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00FE8992
IsWindowEnabled.USER32(00000000), ref: 00FE899E
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00FE8A79
SendMessageW.USER32(00000000,000000B0,?,?), ref: 00FE8AAC
IsDlgButtonChecked.USER32(?,00000000), ref: 00FE8AE4
GetWindowLongW.USER32(00000000,000000EC), ref: 00FE8B06
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00FE8B1E

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 1582ce6c8328342ecd6ed12d4e2e2e5d80b3b943a0c86bdec0decea98336cfb6
Instruction ID: 45f280bc260b0bda54ba32f8e8b4db7c380c36e8bf144a176c9052fbbaa936f2
Opcode Fuzzy Hash: 1582ce6c8328342ecd6ed12d4e2e2e5d80b3b943a0c86bdec0decea98336cfb6
Instruction Fuzzy Hash: 8471C374A00284BFDF21AF56C884FBE7BB5FF497A0F140459E84967251CB35AD42EB11

Function 00FBB881 Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00FBB8C0
GetKeyboardState.USER32(?), ref: 00FBB8D5
SetKeyboardState.USER32(?), ref: 00FBB936
PostMessageW.USER32(?,00000101,00000010,?), ref: 00FBB964
PostMessageW.USER32(?,00000101,00000011,?), ref: 00FBB983
PostMessageW.USER32(?,00000101,00000012,?), ref: 00FBB9C4
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00FBB9E7

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f72b95fe9ab2d86f57119d10f7dd9683f3738269b00f8e63d74beb39da3ed11b
Instruction ID: dfc2443a5de3eda38365939f28ec337bdef5e6a64b5bbb2f0e67c88cbdf9cab0
Opcode Fuzzy Hash: f72b95fe9ab2d86f57119d10f7dd9683f3738269b00f8e63d74beb39da3ed11b
Instruction Fuzzy Hash: D351B1A0D087D53EFB3642368C55BFABEA95B06714F088889E1D9498D2C3D8EDC4EB50

Function 00FBB6A1 Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00FBB6E0
GetKeyboardState.USER32(?), ref: 00FBB6F5
SetKeyboardState.USER32(?), ref: 00FBB756
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00FBB782
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00FBB79F
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00FBB7DE
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00FBB7FF

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6a62a74baa2833faf3302275abd2fe9982a6321cf27a3a7186ec903bf78853d0
Instruction ID: 7538c7005f1e9ee550d99fdcd878c81f9d040866acb6c9053ed814dfc4d8e27f
Opcode Fuzzy Hash: 6a62a74baa2833faf3302275abd2fe9982a6321cf27a3a7186ec903bf78853d0
Instruction Fuzzy Hash: 8351E1A0E087D53EFB3283268C55BFABEA95B45314F188489E0D94A8D2D7D4EC84FF50

Function 00F857A1 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,00F85F16,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 00F857E3
__fassign.LIBCMT ref: 00F8585E
__fassign.LIBCMT ref: 00F85879
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 00F8589F
WriteFile.KERNEL32(?,FF8BC35D,00000000,00F85F16,00000000,?,?,?,?,?,?,?,?,?,00F85F16,?), ref: 00F858BE
WriteFile.KERNEL32(?,?,00000001,00F85F16,00000000,?,?,?,?,?,?,?,?,?,00F85F16,?), ref: 00F858F7

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 2a036d512e074b300896964660947ab6c03ff390b1231220f67a15a78aba2889
Instruction ID: 9845e2d90af7961e903a000b6f09c91f9861f2dc0d488001b8d337c565d6a045
Opcode Fuzzy Hash: 2a036d512e074b300896964660947ab6c03ff390b1231220f67a15a78aba2889
Instruction Fuzzy Hash: AF51BE71A00649DFDB10DFA8D885BEEBBF8FF08720F14411AE955E7291E730AA41DB61

Function 00F73090 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00F730BB
___except_validate_context_record.LIBVCRUNTIME ref: 00F730C3
_ValidateLocalCookies.LIBCMT ref: 00F73151
__IsNonwritableInCurrentImage.LIBCMT ref: 00F7317C
_ValidateLocalCookies.LIBCMT ref: 00F731D1

Strings

csm, xrefs: 00F73166

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: c867e4a459208a9e52578c3afd4f5c2ad65c7f0e5747cac86c8640eb81eeb43e
Instruction ID: ca1855c8f4cf46f0142c710ed5376074280b1c4f40bb7c999a268c2ce59887cb
Opcode Fuzzy Hash: c867e4a459208a9e52578c3afd4f5c2ad65c7f0e5747cac86c8640eb81eeb43e
Instruction Fuzzy Hash: E641A135E00219ABCB10DF68C885AAE7BA5BF44324F54C156E8186B362D775EB01FB92

Function 00FD1B15 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD3AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FD3AD7
Part of subcall function 00FD3AAB: _wcslen.LIBCMT ref: 00FD3AF8

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00FD1B6F
WSAGetLastError.WSOCK32 ref: 00FD1B7E
WSAGetLastError.WSOCK32 ref: 00FD1C26
closesocket.WSOCK32(00000000), ref: 00FD1C56

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: b107bbeb0fb1eab42713fcfc27103ce89c006fe384babb1d13c0693555432313
Instruction ID: 2053dc1a1ff0e82517d088423adcdc394c4d1b84a3f8cf751a5aa6c456a47e26
Opcode Fuzzy Hash: b107bbeb0fb1eab42713fcfc27103ce89c006fe384babb1d13c0693555432313
Instruction Fuzzy Hash: E341C431A00104AFDB109F64CC85BA9B7AAFF85324F18815AFD059F391D774AD85DBE1

Function 00FBD7AB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FBE6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FBD7CD,?), ref: 00FBE714

Part of subcall function 00FBE6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FBD7CD,?), ref: 00FBE72D

lstrcmpiW.KERNEL32(?,?), ref: 00FBD7F0
MoveFileW.KERNEL32(?,?), ref: 00FBD82A
_wcslen.LIBCMT ref: 00FBD8B0
_wcslen.LIBCMT ref: 00FBD8C6
SHFileOperationW.SHELL32(?), ref: 00FBD90C

Strings

\*.*, xrefs: 00FBD89E

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: a3dd7d54e372a715c458eb98e0ada5c9fa6b41e6449e86a1ec204f21f96e10df
Instruction ID: e41b497e51217b6c6e1a201359cea3390b09385b52e0b46d9fdb7a942ba4c654
Opcode Fuzzy Hash: a3dd7d54e372a715c458eb98e0ada5c9fa6b41e6449e86a1ec204f21f96e10df
Instruction Fuzzy Hash: A8413171D0521C9EDF16EBA5DD81ADE77BCAF08350F1000EAA509EB141EB39A788EF51

Function 00FE3899 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00FE38B8
GetWindowLongW.USER32(?,000000F0), ref: 00FE38EB
GetWindowLongW.USER32(?,000000F0), ref: 00FE3920
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00FE3952
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00FE397C
GetWindowLongW.USER32(?,000000F0), ref: 00FE398D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FE39A7

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 5ac9b2b08d4eb485b14f57869f52d7a89b5b769ab371c547c5d4422ff801af87
Instruction ID: 2fddafe96d430bc126d167c276ab9eb427205e44f1618992405df22973b6e710
Opcode Fuzzy Hash: 5ac9b2b08d4eb485b14f57869f52d7a89b5b769ab371c547c5d4422ff801af87
Instruction Fuzzy Hash: E9312531B04299AFDB318F4ADC8CF6837A1EB86760F1501A4F5409F2A6CB75AA44EB01

Function 00FB808D Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FB80D0
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FB80F6
SysAllocString.OLEAUT32(00000000), ref: 00FB80F9
SysAllocString.OLEAUT32(?), ref: 00FB8117
SysFreeString.OLEAUT32(?), ref: 00FB8120
StringFromGUID2.OLE32(?,?,00000028), ref: 00FB8145
SysAllocString.OLEAUT32(?), ref: 00FB8153

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: af203d4f993191285b92e656bcf130fd127524af69f131a035408c836e353a71
Instruction ID: 83b9fc9506c0a3d6ad598e2a3d7bc3f45774a7bc96bb2e9b38339908ae94b4d1
Opcode Fuzzy Hash: af203d4f993191285b92e656bcf130fd127524af69f131a035408c836e353a71
Instruction Fuzzy Hash: D1219576601219AF9F10EFA9CC84DFA73ACEB493A07048425F915DB2A0DB74DD47DB60

Function 00FB8164 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FB81A9
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FB81CF
SysAllocString.OLEAUT32(00000000), ref: 00FB81D2
SysAllocString.OLEAUT32 ref: 00FB81F3
SysFreeString.OLEAUT32 ref: 00FB81FC
StringFromGUID2.OLE32(?,?,00000028), ref: 00FB8216
SysAllocString.OLEAUT32(?), ref: 00FB8224

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 21a1a08fdd187a15dd04fd7e790bdb19681de0b6c9f9a92e59d296778863cd7a
Instruction ID: d7bd59c367f4ee73952c3be5ff7f0401d073ede0cba072f92195333b7430ab98
Opcode Fuzzy Hash: 21a1a08fdd187a15dd04fd7e790bdb19681de0b6c9f9a92e59d296778863cd7a
Instruction Fuzzy Hash: 0D217476600108BF9B10EFA9DC89DEA77ECEB493607048125F915CB2A0DA74EC42EB64

Function 00FC0E79 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00FC0E99
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FC0ED5

Strings

nul, xrefs: 00FC0F0E

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 5bbccde5bfdb25e7735cdb394aced3e733f3754896cac171285b024b0d34e364
Instruction ID: adcdc71e88c322d4357510fec611250fd3bce22d1aabbe67bc2eba80b1e76a59
Opcode Fuzzy Hash: 5bbccde5bfdb25e7735cdb394aced3e733f3754896cac171285b024b0d34e364
Instruction Fuzzy Hash: EF214D7190030BEBDB208F65DD46F9A77A8EF54720F204A1DFCA5972D0DB709882EB50

Function 00FC0F4E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00FC0F6D
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FC0FA8

Strings

nul, xrefs: 00FC0FE0

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 8340fd423611e3c71288df98b20fdfa3402908ff5da7eadaa78e17dce7b6d21e
Instruction ID: e53ea291a16fd15598df9d909b187e1f4caa9486cf6d21bbd9ef755bb6bdf301
Opcode Fuzzy Hash: 8340fd423611e3c71288df98b20fdfa3402908ff5da7eadaa78e17dce7b6d21e
Instruction Fuzzy Hash: 1521803194034ADBEB208F688D46F9977A8BF56730F200A1DE9A1D72D1DB709891EB50

Function 00FE4B4B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F57873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F578B1
Part of subcall function 00F57873: GetStockObject.GDI32(00000011), ref: 00F578C5
Part of subcall function 00F57873: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F578CF

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00FE4BB0
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00FE4BBD
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00FE4BC8
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00FE4BD7
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00FE4BE3

Strings

Msctls_Progress32, xrefs: 00FE4B81

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 9067bbbe575f0eaf0cd0543fbd340c138f759e7f833b8c60e00124c1096dc60c
Instruction ID: 2d4f6148cb2609c328a916034c1e566592549c06a60fe2fe09730b6ecf78c7ff
Opcode Fuzzy Hash: 9067bbbe575f0eaf0cd0543fbd340c138f759e7f833b8c60e00124c1096dc60c
Instruction Fuzzy Hash: AC1193B254021DBEEF119EA5CC85EE77F9DEF087A8F014111FA08A6090C776DC21ABA0

Function 00F8DB5F Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F8DB23: _free.LIBCMT ref: 00F8DB4C

_free.LIBCMT ref: 00F8DBAD

Part of subcall function 00F82D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00F8DB51,01021DC4,00000000,01021DC4,00000000,?,00F8DB78,01021DC4,00000007,01021DC4,?,00F8DF75,01021DC4), ref: 00F82D4E
Part of subcall function 00F82D38: GetLastError.KERNEL32(01021DC4,?,00F8DB51,01021DC4,00000000,01021DC4,00000000,?,00F8DB78,01021DC4,00000007,01021DC4,?,00F8DF75,01021DC4,01021DC4), ref: 00F82D60

_free.LIBCMT ref: 00F8DBB8
_free.LIBCMT ref: 00F8DBC3
_free.LIBCMT ref: 00F8DC17
_free.LIBCMT ref: 00F8DC22
_free.LIBCMT ref: 00F8DC2D
_free.LIBCMT ref: 00F8DC38

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
Instruction ID: 84efdc66d6664f3d49858f426389e1bc8b7baf2b195b5c3140f46b3dcba574af
Opcode Fuzzy Hash: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
Instruction Fuzzy Hash: F3112173541B04BAD560BBB0CC4BFCFBBDC9F54700F414C19B299AA192DB79B504A750

Function 00FBE30E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00FBE328
LoadStringW.USER32(00000000), ref: 00FBE32F
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00FBE345
LoadStringW.USER32(00000000), ref: 00FBE34C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FBE390

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00FBE36D

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: b467bfef1c2e12864164da1a477b895f2accde6c8e7bac6d7be8d247b7efa651
Instruction ID: 7dc0b2f09db0271e167ab55ab9919cc81e4facf7dff42c9a73740e5ff9cca0b6
Opcode Fuzzy Hash: b467bfef1c2e12864164da1a477b895f2accde6c8e7bac6d7be8d247b7efa651
Instruction Fuzzy Hash: 9E0186F690024CBFE7119BA4CDC9EE7776CD708300F004591B746EA441EA749E845F71

Function 00FC1312 Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00FC1322
EnterCriticalSection.KERNEL32(00000000,?), ref: 00FC1334
TerminateThread.KERNEL32(00000000,000001F6), ref: 00FC1342
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00FC1350
CloseHandle.KERNEL32(00000000), ref: 00FC135F
InterlockedExchange.KERNEL32(?,000001F6), ref: 00FC136F
LeaveCriticalSection.KERNEL32(00000000), ref: 00FC1376

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 23beb8f1a714ab19b22e7ac1f21bfd776d1181bde552e56edae9e92f35ca8564
Instruction ID: 6dffd39158a9ffde732881b964467e8a364f215a2a2fb174fe3bdeb22c3ddb1a
Opcode Fuzzy Hash: 23beb8f1a714ab19b22e7ac1f21bfd776d1181bde552e56edae9e92f35ca8564
Instruction Fuzzy Hash: 6AF03C32442646BFD3425F54EE89BC6BB39FF05312F401025F21199CA087759474EF90

Function 00FD26BD Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00FD281D
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00FD283E
WSAGetLastError.WSOCK32 ref: 00FD284F
htons.WSOCK32(?,?,?,?,?), ref: 00FD2938
inet_ntoa.WSOCK32(?), ref: 00FD28E9

Part of subcall function 00FB433E: _strlen.LIBCMT ref: 00FB4348

Part of subcall function 00FD3C81: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00FCF669), ref: 00FD3C9D

_strlen.LIBCMT ref: 00FD2992

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 23b3fc2373fc6bfd496d18876b94c9ba766984108cad080cbc36ca4e45deba3f
Instruction ID: 3297bf08b1a0b459cb6c4f35c7d0c79ef7d015bd99f432582b4b5b6e1e59898a
Opcode Fuzzy Hash: 23b3fc2373fc6bfd496d18876b94c9ba766984108cad080cbc36ca4e45deba3f
Instruction Fuzzy Hash: 2EB1E531604300AFD320DF24C885F2AB7E6AF94324F58854DF55A4B3A2DB35ED46EB91

Function 00F80527 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00F8042A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F80446
__allrem.LIBCMT ref: 00F8045D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F8047B
__allrem.LIBCMT ref: 00F80492
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F804B0

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: f879b393e65d4db2631db90962c4ab5633f4520d067d5efed2ccc62c0ef88ee5
Instruction ID: 5655fc7b3d473cca96116399796b265cd5abfb0f50a9595f76ac8ffbfd76e417
Opcode Fuzzy Hash: f879b393e65d4db2631db90962c4ab5633f4520d067d5efed2ccc62c0ef88ee5
Instruction Fuzzy Hash: B081F972A41706ABE764FF68CC81BEA73A8AF44330F64412AF511D7681EF74D908A794

Function 00F86571 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00F78649,00F78649,?,?,?,00F867C2,00000001,00000001,8BE85006), ref: 00F865CB
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00F867C2,00000001,00000001,8BE85006,?,?,?), ref: 00F86651
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00F8674B
__freea.LIBCMT ref: 00F86758

Part of subcall function 00F83B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00F76A79,?,0000015D,?,?,?,?,00F785B0,000000FF,00000000,?,?), ref: 00F83BC5

__freea.LIBCMT ref: 00F86761
__freea.LIBCMT ref: 00F86786

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 3019ff77f61a0fa82b6ba01582f32e0fb2163b88fb0e94defe5b43170f260852
Instruction ID: dcd061d4e919faa1e93ee90278dc86fcdad39f2b81741e7674b2277c226a9378
Opcode Fuzzy Hash: 3019ff77f61a0fa82b6ba01582f32e0fb2163b88fb0e94defe5b43170f260852
Instruction Fuzzy Hash: DE51D572A00206AFEB25AE64CC86EEF77A9EB40764F144669FD14DA140EF35DC50A7A0

Function 00FDC63B Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F5B329: _wcslen.LIBCMT ref: 00F5B333

Part of subcall function 00FDD3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FDC10E,?,?), ref: 00FDD415
Part of subcall function 00FDD3F8: _wcslen.LIBCMT ref: 00FDD451
Part of subcall function 00FDD3F8: _wcslen.LIBCMT ref: 00FDD4C8
Part of subcall function 00FDD3F8: _wcslen.LIBCMT ref: 00FDD4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FDC72A
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FDC785
RegCloseKey.ADVAPI32(00000000), ref: 00FDC7CA
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00FDC7F9
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00FDC853
RegCloseKey.ADVAPI32(?), ref: 00FDC85F

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 715eeb154fa176a8ae073a993cf9905523abde1fffe47d414643aa6598cfdc3b
Instruction ID: 8e8a06bfffc9f2bfcb38f6a28f9e54734f4f189f8840c7401954edc3ea666fcf
Opcode Fuzzy Hash: 715eeb154fa176a8ae073a993cf9905523abde1fffe47d414643aa6598cfdc3b
Instruction Fuzzy Hash: C8819031508242AFC714DF24C885E2ABBE6FF84318F18859DF5594B2A2DB31ED45EB92

Function 00FB009D Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00FB00A9
SysAllocString.OLEAUT32(00000000), ref: 00FB0150
VariantCopy.OLEAUT32(00FB0354,00000000), ref: 00FB0179
VariantClear.OLEAUT32(00FB0354), ref: 00FB019D
VariantCopy.OLEAUT32(00FB0354,00000000), ref: 00FB01A1
VariantClear.OLEAUT32(?), ref: 00FB01AB

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: eae324b9077b059e648f1d41d4a9a212061546b2993bae451e1a8ee44940e075
Instruction ID: fffefb4c1e2d64fc530ed492c6c9cf009da39c56c55376f7bb960986680c2b9b
Opcode Fuzzy Hash: eae324b9077b059e648f1d41d4a9a212061546b2993bae451e1a8ee44940e075
Instruction Fuzzy Hash: DF51E835500310EACF24AB66DC89BAAB3A5EF45310B148457F906DF296DE748C44FF52

Function 00FC9B51 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00F541EA: _wcslen.LIBCMT ref: 00F541EF

Part of subcall function 00F58577: _wcslen.LIBCMT ref: 00F5858A

GetOpenFileNameW.COMDLG32(00000058), ref: 00FC9F2A
_wcslen.LIBCMT ref: 00FC9F4B
_wcslen.LIBCMT ref: 00FC9F72
GetSaveFileNameW.COMDLG32(00000058), ref: 00FC9FCA

Strings

X, xrefs: 00FC9E57

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: ba650eb7e68368d7a371c83f00d1592714e1d94fd79aa035689101ef2da8e681
Instruction ID: b4bee811ad0de12c76f605a3f805231905fdda66025ea1a2aac6d568b81c84ee
Opcode Fuzzy Hash: ba650eb7e68368d7a371c83f00d1592714e1d94fd79aa035689101ef2da8e681
Instruction Fuzzy Hash: 3DE1B3319083019FC724DF24C986F6AB7E0BF84354F04856DF98A9B2A2DB75DD05DB92

Function 00FC6ED3 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FC6F21
CoInitialize.OLE32(00000000), ref: 00FC707E
CoCreateInstance.OLE32(00FF0CC4,00000000,00000001,00FF0B34,?), ref: 00FC7095
CoUninitialize.OLE32 ref: 00FC7319

Strings

.lnk, xrefs: 00FC6EFF, 00FC6F69, 00FC7025

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 8a41990d3060cbf4f7ab7cb668a4efa8c6d8120a7a0cb831ad00630e0a9944d8
Instruction ID: 6caf5eab8b5415366a81dd1d0e913f6fb8be24955319c82154ce9a900062613e
Opcode Fuzzy Hash: 8a41990d3060cbf4f7ab7cb668a4efa8c6d8120a7a0cb831ad00630e0a9944d8
Instruction Fuzzy Hash: 6ED14871608301AFC304EF24C881E6BB7E8FF98744F40495DF6959B262DB75E90ADB92

Function 00F51B00 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00F5249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00F524B0

BeginPaint.USER32(?,?,?), ref: 00F51B35
GetWindowRect.USER32(?,?), ref: 00F51B99
ScreenToClient.USER32(?,?), ref: 00F51BB6
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00F51BC7
EndPaint.USER32(?,?,?,?,?), ref: 00F51C15
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00F93287

Part of subcall function 00F51C2D: BeginPath.GDI32(00000000), ref: 00F51C4B

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 790797da3214452b5293d633a4349c9cd785aca6c79c89ca6e22141a6fe31baf
Instruction ID: cbbbe94660444eb0052b1e24c493bfbb67ddee84d5751c3650ad18dfd0b38f56
Opcode Fuzzy Hash: 790797da3214452b5293d633a4349c9cd785aca6c79c89ca6e22141a6fe31baf
Instruction Fuzzy Hash: AE41D431604304AFDB20DF14DCC4FB67BA8FB45335F100659FA948B1A1C735A948EB61

Function 00FC1196 Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00FC11B3
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00FC11EE
EnterCriticalSection.KERNEL32(?), ref: 00FC120A
LeaveCriticalSection.KERNEL32(?), ref: 00FC1283
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00FC129A
InterlockedExchange.KERNEL32(?,000001F6), ref: 00FC12C8

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 2f35c2774757715c117fd1334e95a10c5184bf85c134b43df57dec4aa3357cc6
Instruction ID: 76b1a5306679128c7fc29e95473084b1aebadb85b2aa7f9f61522d2c48a5d676
Opcode Fuzzy Hash: 2f35c2774757715c117fd1334e95a10c5184bf85c134b43df57dec4aa3357cc6
Instruction Fuzzy Hash: 75416A71900205EFDF04DF54DCC5AAAB7B8FF05310B1480A9ED049E296DB74DE61EBA0

Function 00FE8C36 Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00FAFBEF,00000000,?,?,00000000,?,00F939E2,00000004,00000000,00000000), ref: 00FE8CA7
EnableWindow.USER32(?,00000000), ref: 00FE8CCD
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00FE8D2C
ShowWindow.USER32(?,00000004), ref: 00FE8D40
EnableWindow.USER32(?,00000001), ref: 00FE8D66
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00FE8D8A

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: e8928131dbd276ed58e07a29737f50ce76fc34db3d4bfe32bcc3d2439b2285fc
Instruction ID: e1f19acc811509969832bad316891332a07bee57d8775913d24e0d86cf2645c2
Opcode Fuzzy Hash: e8928131dbd276ed58e07a29737f50ce76fc34db3d4bfe32bcc3d2439b2285fc
Instruction Fuzzy Hash: 7A41CA30B01284AFDB35EF69C885BA17BF1FB46394F2440A5E54D5F1A2CB355847EB50

Function 00FD2D37 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00FD2D45

Part of subcall function 00FCEF33: GetWindowRect.USER32(?,?), ref: 00FCEF4B

GetDesktopWindow.USER32 ref: 00FD2D6F
GetWindowRect.USER32(00000000), ref: 00FD2D76
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00FD2DB2
GetCursorPos.USER32(?), ref: 00FD2DDE
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00FD2E3C

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 611f2c53b001b8056f1317d8f684d4901f1a023df13d76eb9ae9e4e0d5d02145
Instruction ID: fe625d1b28b9f5e639678b510163e251f0f122700c6ba44717138e768b449108
Opcode Fuzzy Hash: 611f2c53b001b8056f1317d8f684d4901f1a023df13d76eb9ae9e4e0d5d02145
Instruction Fuzzy Hash: CC31CF72505315ABC720DF18CC45B9AB7AAFF98354F04091AF8959B291DA30E909DBD2

Function 00FB55E1 Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00FB55F9
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00FB5616
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00FB564E
_wcslen.LIBCMT ref: 00FB566C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00FB5674
_wcsstr.LIBVCRUNTIME ref: 00FB567E

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 25616a7c14df66861a087a1f6d4f78c902c5da969db2feda810ce86c32b8fdd5
Instruction ID: 0e317cc63e4791ab4332c8cdacc6d031d35c8df3c66a565e5febccf640428421
Opcode Fuzzy Hash: 25616a7c14df66861a087a1f6d4f78c902c5da969db2feda810ce86c32b8fdd5
Instruction Fuzzy Hash: 9B212932604504BBEB155B26DC49FBB7BA9DF45B20F14803AF809CE091EFB9DC41BA61

Function 00FC6263 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F55851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F555D1,?,?,00F94B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00F55871

_wcslen.LIBCMT ref: 00FC62C0
CoInitialize.OLE32(00000000), ref: 00FC63DA
CoCreateInstance.OLE32(00FF0CC4,00000000,00000001,00FF0B34,?), ref: 00FC63F3
CoUninitialize.OLE32 ref: 00FC6411

Strings

.lnk, xrefs: 00FC62BB, 00FC6306, 00FC63CA

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 62df3de592d176b0f1612f1d7d456db0ec487d73061dd798f751386f26f84426
Instruction ID: 0a593f7a9f97fe1b20c693fa68800c8a686a75e7853d09c6778c92bee23d7adb
Opcode Fuzzy Hash: 62df3de592d176b0f1612f1d7d456db0ec487d73061dd798f751386f26f84426
Instruction Fuzzy Hash: 3DD14171A082029FC714DF24C981E2ABBF5AF89724F14885DF985DB361CB35EC49DB92

Function 00FE86FC Relevance: 9.1, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00FE8740
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00FE8765
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00FE877D
GetSystemMetrics.USER32(00000004), ref: 00FE87A6
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00FCC1F2,00000000), ref: 00FE87C6

Part of subcall function 00F5249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00F524B0

GetSystemMetrics.USER32(00000004), ref: 00FE87B1

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: b9f529e599ea88f7ad6aebe6bad4ebd85176dd8847bf397bbf522ce546cddd26
Instruction ID: c0657d9b4ae491889b73f72203b6800971e802756253c5ad1c55a9bf08bf9547
Opcode Fuzzy Hash: b9f529e599ea88f7ad6aebe6bad4ebd85176dd8847bf397bbf522ce546cddd26
Instruction Fuzzy Hash: 7521C4716102859FCB24AF79CC48A6A3BA5FB453B5F344729F96BC65E0DF308842EB10

Function 00F736F2 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00F736E9,00F73355), ref: 00F73700
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F7370E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F73727
SetLastError.KERNEL32(00000000,?,00F736E9,00F73355), ref: 00F73779

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 48ad7c531cac468bb68031967fa7a103bf622e84bb6c7bf04723740f764b46e6
Instruction ID: 8b88bc910e6244fc95ac0af8de49d8db0788e2d009fed3c9958c57ef529473d7
Opcode Fuzzy Hash: 48ad7c531cac468bb68031967fa7a103bf622e84bb6c7bf04723740f764b46e6
Instruction Fuzzy Hash: F40128B790E3217EA63966B4ACCA6673695EB057B1320822BF518440E0EF1E4D037342

Function 00F830E7 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00F74D53,00000000,?,?,00F768E2,?,?,00000000), ref: 00F830EB
_free.LIBCMT ref: 00F8311E
_free.LIBCMT ref: 00F83146
SetLastError.KERNEL32(00000000,?,00000000), ref: 00F83153
SetLastError.KERNEL32(00000000,?,00000000), ref: 00F8315F
_abort.LIBCMT ref: 00F83165

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 6e04c24f7d53463663e060551c418ad8963640865dd4b583ae66639dd5f87ca5
Instruction ID: d3c0af09a7329c3352e4f367acb8ce4371cd5dafa80e273ba159f5047e03f1d8
Opcode Fuzzy Hash: 6e04c24f7d53463663e060551c418ad8963640865dd4b583ae66639dd5f87ca5
Instruction Fuzzy Hash: A5F0A936E0490166C6113735AC4EADF36559FC1F71B250415FA24961F1EF2D89027361

Function 00FE9480 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00F51F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F51F87
Part of subcall function 00F51F2D: SelectObject.GDI32(?,00000000), ref: 00F51F96
Part of subcall function 00F51F2D: BeginPath.GDI32(?), ref: 00F51FAD
Part of subcall function 00F51F2D: SelectObject.GDI32(?,00000000), ref: 00F51FD6

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00FE94AA
LineTo.GDI32(?,00000003,00000000), ref: 00FE94BE
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00FE94CC
LineTo.GDI32(?,00000000,00000003), ref: 00FE94DC
EndPath.GDI32(?), ref: 00FE94EC
StrokePath.GDI32(?), ref: 00FE94FC

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 4c21a4dbf92b6ae328900dfb051dfd5df9dc6db6d639a3f88cf0471d02c06ae8
Instruction ID: 78e422698448b760fd8ec900762db7659cca5ce775c96e7f4e64411be6a6fdfe
Opcode Fuzzy Hash: 4c21a4dbf92b6ae328900dfb051dfd5df9dc6db6d639a3f88cf0471d02c06ae8
Instruction Fuzzy Hash: 5911CC7600014DBFDF129F90DC89E9A7F6DEB08364F048015FE1959165C772AD55EBA0

Function 00FB5B61 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00FB5B7C
GetDeviceCaps.GDI32(00000000,00000058), ref: 00FB5B8D
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FB5B94
ReleaseDC.USER32(00000000,00000000), ref: 00FB5B9C
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00FB5BB3
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00FB5BC5

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 9fe675ba59a69cefc0a2004e94ddbf832e31fd940927851ab9196e7f4af2e7a8
Instruction ID: 4d9fb439bcf83ae2ec8706029417a8c8de23ab3899861cc389fdf58a40a6cda9
Opcode Fuzzy Hash: 9fe675ba59a69cefc0a2004e94ddbf832e31fd940927851ab9196e7f4af2e7a8
Instruction Fuzzy Hash: 83014475E00758BBEB109BA69C49F4E7F78EB44751F044065FA05AB680D6749D00DF90

Function 00F5327E Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F532AF
MapVirtualKeyW.USER32(00000010,00000000), ref: 00F532B7
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F532C2
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F532CD
MapVirtualKeyW.USER32(00000011,00000000), ref: 00F532D5
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F532DD

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 67646e1f44ce901e09eebc4c644008795658e01607d91638f5b16432ab54a622
Instruction ID: 444e8c9bf28811d52e8646dead4a872c40bb2552064719f090fc4d28119fe1d3
Opcode Fuzzy Hash: 67646e1f44ce901e09eebc4c644008795658e01607d91638f5b16432ab54a622
Instruction Fuzzy Hash: E10167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 00FBF437 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00FBF447
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00FBF45D
GetWindowThreadProcessId.USER32(?,?), ref: 00FBF46C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FBF47B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FBF485
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FBF48C

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 24708fa61fb7e377afb2c20605f2910d195607d8d7c44b3dd963a6fb6d6e97e9
Instruction ID: a643a580c2f836a0522ee229d138209b3f4fd208194e5c36aedac7211e12dc65
Opcode Fuzzy Hash: 24708fa61fb7e377afb2c20605f2910d195607d8d7c44b3dd963a6fb6d6e97e9
Instruction Fuzzy Hash: 54F03A3224119CBFE7215B62DC4EEEF3B7CEFC6B11F000058FA1199490D7A46A01EAB5

Function 00F934D6 Relevance: 9.0, APIs: 6, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00F934EF
SendMessageW.USER32(?,00001328,00000000,?), ref: 00F93506
GetWindowDC.USER32(?), ref: 00F93512
GetPixel.GDI32(00000000,?,?), ref: 00F93521
ReleaseDC.USER32(?,00000000), ref: 00F93533
GetSysColor.USER32(00000005), ref: 00F9354D

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: c81821db59cdfe979e534cf7547d651680c96ae906a9a40a234a9185373e0cd7
Instruction ID: d456d1356d8fd08796c80de69cf626ee04293dbf55a6f094cac7f39d89acfc93
Opcode Fuzzy Hash: c81821db59cdfe979e534cf7547d651680c96ae906a9a40a234a9185373e0cd7
Instruction Fuzzy Hash: 5E014B31500259EFEB505FA4DC48BEA7BB5FB48321F550161FA1AAA5A0CB321E51BF10

Function 00FB21C1 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00FB21CC
UnloadUserProfile.USERENV(?,?), ref: 00FB21D8
CloseHandle.KERNEL32(?), ref: 00FB21E1
CloseHandle.KERNEL32(?), ref: 00FB21E9
GetProcessHeap.KERNEL32(00000000,?), ref: 00FB21F2
HeapFree.KERNEL32(00000000), ref: 00FB21F9

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 274aeddf71d8244ff0f1a2c6b350d30d5d14bf902f26bd51357af48739be8d68
Instruction ID: 220cd1c09908b5a8cd10388a2ec41b30ff9c7bbee159f871ad07bc02041beda9
Opcode Fuzzy Hash: 274aeddf71d8244ff0f1a2c6b350d30d5d14bf902f26bd51357af48739be8d68
Instruction Fuzzy Hash: CEE01A76004149FFEB015FA1EC4CD0ABF39FF49322B104220F2358A870CB329420EB50

Function 00FBCE7B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F541EA: _wcslen.LIBCMT ref: 00F541EF

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FBCF99
_wcslen.LIBCMT ref: 00FBCFE0
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FBD047
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00FBD075

Strings

0, xrefs: 00FBCF5A

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: d93899b1195487f73b2f4feef644eafde5392ac9c79774b00ae3235d29460b0b
Instruction ID: 7a9f5f3fbd4556663be5e034c80bdbc6fbecbf7256861f89c3fece6097d5c320
Opcode Fuzzy Hash: d93899b1195487f73b2f4feef644eafde5392ac9c79774b00ae3235d29460b0b
Instruction Fuzzy Hash: 8351F332A043019BD714AE26CC45BABB7E8AF453A4F040A2DF995D7190EB74C945EB93

Function 00FDB7C4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00FDB903

Part of subcall function 00F541EA: _wcslen.LIBCMT ref: 00F541EF

GetProcessId.KERNEL32(00000000), ref: 00FDB998
CloseHandle.KERNEL32(00000000), ref: 00FDB9C7

Strings

@, xrefs: 00FDB8D2
<, xrefs: 00FDB8CB

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: d6e5ede2b72270a12a1c93220f12ea0cdfaa3ecac5d5897c2d33183b81d37905
Instruction ID: 1f525caf82726b8878a9569dbcea8caa8c60b84807638ed103840f71335bc31e
Opcode Fuzzy Hash: d6e5ede2b72270a12a1c93220f12ea0cdfaa3ecac5d5897c2d33183b81d37905
Instruction Fuzzy Hash: 5471AA30A00219DFCB10EF94C895A9DBBF1FF08310F09849AE916AB351CB78ED45EB91

Function 00FB7B05 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00FB7B6D
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00FB7BA3
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00FB7BB4
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00FB7C36

Strings

DllGetClassObject, xrefs: 00FB7BA9

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: bff88ca49b6f98ee356fd0d8314a278566bfc6937ec63c1236f9fdf71b50de28
Instruction ID: 73a44fa71011da1b1cb035d6d6b8a0dbff522a19ce2a07d5b9744d7ee74b52ec
Opcode Fuzzy Hash: bff88ca49b6f98ee356fd0d8314a278566bfc6937ec63c1236f9fdf71b50de28
Instruction Fuzzy Hash: 4F419EB1604308EFDB15EF26C884A9A7BB9EF84314B1080ADA9059F246D7B4DD40EFA0

Function 00FE4818 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FE48D1
IsMenu.USER32(?), ref: 00FE48E6
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FE492E
DrawMenuBar.USER32 ref: 00FE4941

Strings

0, xrefs: 00FE4825

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 05e8e887f9259f4a28c7d80d339e3ec696c5fb1898e8d713e8b224c6050056bb
Instruction ID: 5074538c4026c317ae1287ba6258edeb31b29304ba0ddc0476c2b6c5b3081ba1
Opcode Fuzzy Hash: 05e8e887f9259f4a28c7d80d339e3ec696c5fb1898e8d713e8b224c6050056bb
Instruction Fuzzy Hash: 8F415775A01289EFDB20CF52D8C4AAEBBB9FF06324F04412DE955AB251C334AD54EF60

Function 00FB272F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F5B329: _wcslen.LIBCMT ref: 00F5B333

Part of subcall function 00FB45FD: GetClassNameW.USER32(?,?,000000FF), ref: 00FB4620

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00FB27B3
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00FB27C6
SendMessageW.USER32(?,00000189,?,00000000), ref: 00FB27F6

Part of subcall function 00F58577: _wcslen.LIBCMT ref: 00F5858A

Strings

ListBox, xrefs: 00FB2772
ComboBox, xrefs: 00FB273D

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 2301c40713140494a324a90901876d60145d5f0ec9e62c0fbf28ff1ff09367aa
Instruction ID: 9cba789cee82931e09a6e2e502189419d006cddde152500092bb6657f4bb66d7
Opcode Fuzzy Hash: 2301c40713140494a324a90901876d60145d5f0ec9e62c0fbf28ff1ff09367aa
Instruction Fuzzy Hash: AF210771900104BEDB05AB65DC86DFEB778DF453A0F14412AF811A71E1DF79890AFA50

Function 00FE39B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00FE3A29
LoadLibraryW.KERNEL32(?), ref: 00FE3A30
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00FE3A45
DestroyWindow.USER32(?), ref: 00FE3A4D

Strings

SysAnimate32, xrefs: 00FE3A04

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 71f12670daf5e87de1065720a8ab4eeec921e4611a6e4265a3c75d41bf28f741
Instruction ID: ca8a37a5ed254c5124a4d117063903edd57d4b19c3a7ee4ca057d55e237b6e61
Opcode Fuzzy Hash: 71f12670daf5e87de1065720a8ab4eeec921e4611a6e4265a3c75d41bf28f741
Instruction Fuzzy Hash: 2E21CD75A00289BBEB109F66DC8CFAB37AAEB45764F105228FA91970D1C375CD80A760

Function 00F750DD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00F7508E,?,?,00F7502E,?,010198D8,0000000C,00F75185,?,00000002), ref: 00F750FD
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F75110
FreeLibrary.KERNEL32(00000000,?,?,?,00F7508E,?,?,00F7502E,?,010198D8,0000000C,00F75185,?,00000002,00000000), ref: 00F75133

Strings

CorExitProcess, xrefs: 00F75108
mscoree.dll, xrefs: 00F750F6

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 3be2ac900fa785df92046204491eb895b5cf4facbab724a3cce276c584d91cc1
Instruction ID: bbd23ac49dabe3c09b2d566e74eab638ec98a776d9ed4171fe1a814d44255ed7
Opcode Fuzzy Hash: 3be2ac900fa785df92046204491eb895b5cf4facbab724a3cce276c584d91cc1
Instruction Fuzzy Hash: 35F04431A0020CBFDB115F94DC49BADBBB4EF04B66F404069F909A6560DBB59A40EB91

Function 00FAE778 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00FAE785
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00FAE797
FreeLibrary.KERNEL32(00000000), ref: 00FAE7BD

Strings

X64, xrefs: 00FAE680
GetSystemWow64DirectoryW, xrefs: 00FAE791

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: e5ef923ac45689eaeaf111a78f3d94c9c75a277fec8067ab8e4e0d0a78da40fa
Instruction ID: b1346dbf0912e5118799bad38a3ba8196686687f1e80e30a3370413c0e5cb0d1
Opcode Fuzzy Hash: e5ef923ac45689eaeaf111a78f3d94c9c75a277fec8067ab8e4e0d0a78da40fa
Instruction Fuzzy Hash: 6AF02BF2D215609FE73557208C84F6936246F23704B200999F842FB120DB34CD44FB44

Function 00F5663E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F5668B,?,?,00F562FA,?,00000001,?,?,00000000), ref: 00F5664A
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F5665C
FreeLibrary.KERNEL32(00000000,?,?,00F5668B,?,?,00F562FA,?,00000001,?,?,00000000), ref: 00F5666E

Strings

kernel32.dll, xrefs: 00F56642
Wow64DisableWow64FsRedirection, xrefs: 00F56656

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: a1312489a56a0cb5350518f7617fbae80be892be417b698eb23bdf3b61ed06f9
Instruction ID: 7f74231af955da91d1e10462d18eda4f473f502ede689ef658384791b69c766b
Opcode Fuzzy Hash: a1312489a56a0cb5350518f7617fbae80be892be417b698eb23bdf3b61ed06f9
Instruction Fuzzy Hash: 16E0CD35A0152217A3111726BC0CB5E75289F82F3BB050219FD10DF514DF58CC05A4E5

Function 00F56607 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F95657,?,?,00F562FA,?,00000001,?,?,00000000), ref: 00F56610
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F56622
FreeLibrary.KERNEL32(00000000,?,?,00F95657,?,?,00F562FA,?,00000001,?,?,00000000), ref: 00F56635

Strings

kernel32.dll, xrefs: 00F56609
Wow64RevertWow64FsRedirection, xrefs: 00F5661C

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 8e2321c2cdc5c7b8e425bb38f5765c02d1e7bbd79fa3628ab962f7c828a93a16
Instruction ID: 9292b2ce6978bda77b8bed8d990f9e88bab5b6be9b387629b86748d38c61581a
Opcode Fuzzy Hash: 8e2321c2cdc5c7b8e425bb38f5765c02d1e7bbd79fa3628ab962f7c828a93a16
Instruction Fuzzy Hash: B0D02B31B025715B523227257C0898F3B249FD1F363450015FD10EF524CF28CC05E1D8

Function 00FC3306 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FC35C4
DeleteFileW.KERNEL32(?), ref: 00FC3646
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00FC365C
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FC366D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FC367F

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: c2aadb4870fd503f19a3dd25ff2d597ea7c6c84e80f96089ded0a56750f63609
Instruction ID: e93c50f538f9cab35d95e88935c73cec653c976f7156e37242d506c136ffe33f
Opcode Fuzzy Hash: c2aadb4870fd503f19a3dd25ff2d597ea7c6c84e80f96089ded0a56750f63609
Instruction Fuzzy Hash: A6B17072D00119ABDF11DBA4CD86FDEBB7CEF48354F4080AAF609E7141EA349B44AB61

Function 00FDADE7 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00FDAE87
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00FDAE95
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00FDAEC8
CloseHandle.KERNEL32(?), ref: 00FDB09D

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 9e5414d6d087431d858b56ab55224d9a4c70984bc0243135c6197c6a15bfb4d6
Instruction ID: f39f9d18c79be6ccfb1721efcbe914eb96d04f4847ebd7d1cc6338b5e3dc9110
Opcode Fuzzy Hash: 9e5414d6d087431d858b56ab55224d9a4c70984bc0243135c6197c6a15bfb4d6
Instruction Fuzzy Hash: 57A1AF71A04301AFE720DF24C886F2AB7E5AF44720F18885DF9999B392DB75EC45DB81

Function 00FDC429 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F5B329: _wcslen.LIBCMT ref: 00F5B333

Part of subcall function 00FDD3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FDC10E,?,?), ref: 00FDD415
Part of subcall function 00FDD3F8: _wcslen.LIBCMT ref: 00FDD451
Part of subcall function 00FDD3F8: _wcslen.LIBCMT ref: 00FDD4C8
Part of subcall function 00FDD3F8: _wcslen.LIBCMT ref: 00FDD4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FDC505
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FDC560
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00FDC5C3
RegCloseKey.ADVAPI32(?,?), ref: 00FDC606
RegCloseKey.ADVAPI32(00000000), ref: 00FDC613

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 541bcb675f38b2d75551936378c1c37d4f3cdead8d5a1e277571d88419feb863
Instruction ID: a4a70a46fe33d85b99b7d52520778e36486b20c491d640b4d42d84b9d55a60ef
Opcode Fuzzy Hash: 541bcb675f38b2d75551936378c1c37d4f3cdead8d5a1e277571d88419feb863
Instruction Fuzzy Hash: 0F61AF31608242AFC314DF14C890F2ABBE5FF84318F58859DF5998B292DB31ED46EB91

Function 00FBED12 Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FBE6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FBD7CD,?), ref: 00FBE714

Part of subcall function 00FBE6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FBD7CD,?), ref: 00FBE72D

Part of subcall function 00FBEAB0: GetFileAttributesW.KERNEL32(?,00FBD840), ref: 00FBEAB1

lstrcmpiW.KERNEL32(?,?), ref: 00FBED8A
MoveFileW.KERNEL32(?,?), ref: 00FBEDC3
_wcslen.LIBCMT ref: 00FBEF02
_wcslen.LIBCMT ref: 00FBEF1A
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00FBEF67

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: ff605132d96d7fd9ba0cea080aa9c4d28837c8dcc5d0165b49bae5903f34873e
Instruction ID: 574a7e05addf3e17b5d79e60b6079e44ad903507495dffdfcb7298a3dbdfdc45
Opcode Fuzzy Hash: ff605132d96d7fd9ba0cea080aa9c4d28837c8dcc5d0165b49bae5903f34873e
Instruction Fuzzy Hash: 1B5170B25083859BC724EB95CC81DDBB3ECEF84310F40492EF689D3151EF75A6889B66

Function 00FB9517 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FB9534
VariantClear.OLEAUT32 ref: 00FB95A5
VariantClear.OLEAUT32 ref: 00FB9604
VariantClear.OLEAUT32(?), ref: 00FB9677
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00FB96A2

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 21ad6f0d9c1379aebf5a1706f382d642b4ecb714d0a0bd9795e37112b68eec8b
Instruction ID: 55f50de538b0ae9f39bc66dbed8fad9d2c4712c128de6913b40a06f672c67bef
Opcode Fuzzy Hash: 21ad6f0d9c1379aebf5a1706f382d642b4ecb714d0a0bd9795e37112b68eec8b
Instruction Fuzzy Hash: 945168B5A04219EFCB10CF69C884EAAB7F9FF88310B158559EA09DB350E774E911CF90

Function 00FC9540 Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00FC95F3
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00FC961F
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00FC9677
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00FC969C
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00FC96A4

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 1a7ac2c108434b6f2196889155858d700835ba4c4d817f646da6e5f0179237a2
Instruction ID: 252e2833d72a917c9634f37f0a89cc8e94459c12a3dd5bd7e57aab8ee3e2cfbd
Opcode Fuzzy Hash: 1a7ac2c108434b6f2196889155858d700835ba4c4d817f646da6e5f0179237a2
Instruction Fuzzy Hash: 6E513A35A00219AFCB05DF64C885E6ABBF5FF48354F048058E949AB3A2CB75ED45EF90

Function 00FD9941 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00FD999D
GetProcAddress.KERNEL32(00000000,?), ref: 00FD9A2D
GetProcAddress.KERNEL32(00000000,00000000), ref: 00FD9A49
GetProcAddress.KERNEL32(00000000,?), ref: 00FD9A8F
FreeLibrary.KERNEL32(00000000), ref: 00FD9AAF

Part of subcall function 00F6F9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00FC1A02,?,7529E610), ref: 00F6F9F1
Part of subcall function 00F6F9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00FB0354,00000000,00000000,?,?,00FC1A02,?,7529E610,?,00FB0354), ref: 00F6FA18

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 392d56c83d1c1178a85b9c04db4be767f6cbc762713a2b899a4da3ab062410f1
Instruction ID: 743bff124257c9d24da37f10332ef4cc6753b30050542c0d898291ed0de9e13b
Opcode Fuzzy Hash: 392d56c83d1c1178a85b9c04db4be767f6cbc762713a2b899a4da3ab062410f1
Instruction Fuzzy Hash: 58517C35A04205DFCB01DFA8C4909ADBBF1FF09324B098199E90A9B722D775ED86DF81

Function 00FE75AE Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00FE766B
SetWindowLongW.USER32(?,000000EC,?), ref: 00FE7682
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00FE76AB
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00FCB5BE,00000000,00000000), ref: 00FE76D0
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00FE76FF

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 631fb889ef4c4a94890f8a637bb2ec63a4c9a6c8817f881193072070460586d0
Instruction ID: ae68efe5721663d9f4d21525bda60a3e74a83ba0b7236a5d8d91c7d05e4a3987
Opcode Fuzzy Hash: 631fb889ef4c4a94890f8a637bb2ec63a4c9a6c8817f881193072070460586d0
Instruction Fuzzy Hash: 0E410635A08784AFC725EF6DCC88FA67B65FB45364F150224F819AB2E0D370AD11FA50

Function 00F823C1 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F82433
_free.LIBCMT ref: 00F82453

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 2d224b00a8625f8bad585af1f7b299573314c7b28277ad9b033fbcfece522e11
Instruction ID: e9b982d8c08e13f6c285ed714e10b928c04e3bcd499a48dd5c75052ee3ba8da5
Opcode Fuzzy Hash: 2d224b00a8625f8bad585af1f7b299573314c7b28277ad9b033fbcfece522e11
Instruction Fuzzy Hash: 4741D672E002009FDB20EF78C885A9DB7E5EF88324B158569E515EB386DB35FD01EB91

Function 00F519CD Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00F519E1
ScreenToClient.USER32(00000000,?), ref: 00F519FE
GetAsyncKeyState.USER32(00000001), ref: 00F51A23
GetAsyncKeyState.USER32(00000002), ref: 00F51A3D

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: c08b58b48391d99a9cc4f0c94f1e0b9ca196137602c16244599e5cc1821ae8be
Instruction ID: 29ac0bead16757c38c7b6344c496a8dfd9a4c0b9be888922d9ce67755cad2d54
Opcode Fuzzy Hash: c08b58b48391d99a9cc4f0c94f1e0b9ca196137602c16244599e5cc1821ae8be
Instruction Fuzzy Hash: 52417F71A0410ABFEF059F64C844BEEB774FF45325F208216E829A62A0C7346A94EB51

Function 00FC42B9 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00FC4310
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00FC4367
TranslateMessage.USER32(?), ref: 00FC4390
DispatchMessageW.USER32(?), ref: 00FC439A
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FC43AB

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 463c636550cb3bf319ace73bdf8d6c49947b0edee694226d0d3e2d4a44f04544
Instruction ID: 6ae15edd269b370d17bdc90a69db69bea69362a26e076667bf37bf5d46ad2917
Opcode Fuzzy Hash: 463c636550cb3bf319ace73bdf8d6c49947b0edee694226d0d3e2d4a44f04544
Instruction Fuzzy Hash: 5431F770D04387DEEB38CF74DA5AFB63BA8AB40314F14456DD4A2C6090E3A9B485FB25

Function 00FB224E Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00FB2262
PostMessageW.USER32(00000001,00000201,00000001), ref: 00FB230E
Sleep.KERNEL32(00000000,?,?,?), ref: 00FB2316
PostMessageW.USER32(00000001,00000202,00000000), ref: 00FB2327
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00FB232F

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 21179d6af65765bf542efebfc3ae646070eeed6ffab671384f884d246dcd95ae
Instruction ID: 08e631326d7a1b42732489bf44a9260c897169c94a471e92ab6e0f27699febe8
Opcode Fuzzy Hash: 21179d6af65765bf542efebfc3ae646070eeed6ffab671384f884d246dcd95ae
Instruction Fuzzy Hash: 9A31B371900259EFDB14CFA8CD89ADE3BB5EB04325F104229F925EB2D0C7749944EF50

Function 00FCD95F Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00FCCC63,00000000), ref: 00FCD97D
InternetReadFile.WININET(?,00000000,?,?), ref: 00FCD9B4
GetLastError.KERNEL32(?,00000000,?,?,?,00FCCC63,00000000), ref: 00FCD9F9
SetEvent.KERNEL32(?,?,00000000,?,?,?,00FCCC63,00000000), ref: 00FCDA0D
SetEvent.KERNEL32(?,?,00000000,?,?,?,00FCCC63,00000000), ref: 00FCDA37

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 27331876337eaa60af0c841e644750e96563c62c44ea7e4bb50a2b5980502db8
Instruction ID: 4373371eef04fac21b45da21e6faf45f9769b4a4fc0b8d99a432a7758a796d36
Opcode Fuzzy Hash: 27331876337eaa60af0c841e644750e96563c62c44ea7e4bb50a2b5980502db8
Instruction Fuzzy Hash: 9C316B71904206EFDB20DFA5D9C6FAEB7F8EF04364B10842EE54AD6541DB34EE40AB60

Function 00FE61A5 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00FE61E4
SendMessageW.USER32(?,00001074,?,00000001), ref: 00FE623C
_wcslen.LIBCMT ref: 00FE624E
_wcslen.LIBCMT ref: 00FE6259
SendMessageW.USER32(?,00001002,00000000,?), ref: 00FE62B5

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 63919b02f85ab5388c521e1d18a7cde4075471807ba42425d9a8afb243498234
Instruction ID: 65bf69acc92d54fa6e65339e10ea4c20a6fbb51e7892b20912c0806e30adb41a
Opcode Fuzzy Hash: 63919b02f85ab5388c521e1d18a7cde4075471807ba42425d9a8afb243498234
Instruction Fuzzy Hash: 4A219131D0029C9BDB219FA1CC84AEE77B8FF14764F104216FA29EA180D7749985EF50

Function 00FD138D Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00FD13AE
GetForegroundWindow.USER32 ref: 00FD13C5
GetDC.USER32(00000000), ref: 00FD1401
GetPixel.GDI32(00000000,?,00000003), ref: 00FD140D
ReleaseDC.USER32(00000000,00000003), ref: 00FD1445

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 87a05f2f4906cadf61e129331d7711958ec2226d8291b1ad907ff26de4b743c9
Instruction ID: 7d4efb5c720d066bc0edd57a66f9f04abe775f8d467ef02c32c8624586951492
Opcode Fuzzy Hash: 87a05f2f4906cadf61e129331d7711958ec2226d8291b1ad907ff26de4b743c9
Instruction Fuzzy Hash: 7D218E36600208AFD704EF65CC85E9EBBF6FF88741B04842DF85A9B751CA34AD04EB90

Function 00F8D13D Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00F8D146
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F8D169

Part of subcall function 00F83B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00F76A79,?,0000015D,?,?,?,?,00F785B0,000000FF,00000000,?,?), ref: 00F83BC5

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00F8D18F
_free.LIBCMT ref: 00F8D1A2
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00F8D1B1

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 54dddc649cdb25772140d687f290e7421d5fb18611026ecff37978e3935f0438
Instruction ID: 133d64cf32628a0d2bd52e4c35895a3ef2354b5f5ff2c27729fc3c1f1f12abaf
Opcode Fuzzy Hash: 54dddc649cdb25772140d687f290e7421d5fb18611026ecff37978e3935f0438
Instruction Fuzzy Hash: 4201B172A01A197F372176765C8DDBB7B6DDFC2BA1314012AFC04C6284EE658C01A2B0

Function 00FB6078 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00FB608D
_memcmp.LIBVCRUNTIME ref: 00FB60AB
_memcmp.LIBVCRUNTIME ref: 00FB60BE
_memcmp.LIBVCRUNTIME ref: 00FB60D6
_memcmp.LIBVCRUNTIME ref: 00FB60EE

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: d71b0013f5271ca86089f80ed50c44e4cc3a958c3189f99f5ae8ed0f028a3659
Instruction ID: ad64974bf689382550b1d81c87ed4b91829baad0aafde2c0c11eda8bc19ee4c8
Opcode Fuzzy Hash: d71b0013f5271ca86089f80ed50c44e4cc3a958c3189f99f5ae8ed0f028a3659
Instruction Fuzzy Hash: B70179B2A043097B9714661B9C42FFB735DAE503E8B004025FE0DDA242EB69ED15F9A2

Function 00F8316B Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(0000000A,?,?,00F7F64E,00F7545F,0000000A,?,00000000,00000000,?,00000000,?,?,?,0000000A,00000000), ref: 00F83170
_free.LIBCMT ref: 00F831A5
_free.LIBCMT ref: 00F831CC
SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 00F831D9
SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 00F831E2

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: cf9d8a4bc51f86b1a7c7799f54b8da0c49b77eb4b54de3e4a45b144f2e366c3d
Instruction ID: 95e036cc045d415759d930741e48e2849ec824f6266b22a231274f39f8761850
Opcode Fuzzy Hash: cf9d8a4bc51f86b1a7c7799f54b8da0c49b77eb4b54de3e4a45b144f2e366c3d
Instruction Fuzzy Hash: FD01F473F41E007B961236349C8EEEB3669AFC1F713200429F925961A1EE2A8A017360

Function 00FB08FE Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FB0831,80070057,?,?,?,00FB0C4E), ref: 00FB091B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FB0831,80070057,?,?), ref: 00FB0936
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FB0831,80070057,?,?), ref: 00FB0944
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FB0831,80070057,?), ref: 00FB0954
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FB0831,80070057,?,?), ref: 00FB0960

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: ccdbd65b2ea1d741c93d4216b2504f85d80457934ed6638bc09e1f811b40e38b
Instruction ID: 937fe2361dbaf79b253f43b426bb600448937c02cc68d4bfcf28149878746bfb
Opcode Fuzzy Hash: ccdbd65b2ea1d741c93d4216b2504f85d80457934ed6638bc09e1f811b40e38b
Instruction Fuzzy Hash: 06014F76A00319BFEB114F56DC84B9B7AADEB847A1F144124F905EA211DB71DE40ABA0

Function 00FBF292 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00FBF2AE
QueryPerformanceFrequency.KERNEL32(?), ref: 00FBF2BC
Sleep.KERNEL32(00000000), ref: 00FBF2C4
QueryPerformanceCounter.KERNEL32(?), ref: 00FBF2CE
Sleep.KERNEL32 ref: 00FBF30A

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 2023227469cdad05c91cc0595d5fb75f02f7173e9afccefb7d0941e07f139263
Instruction ID: 7f20505392d2a9f66415d51bbbe01b071418f86565c69277ddf5fdea7aa67cac
Opcode Fuzzy Hash: 2023227469cdad05c91cc0595d5fb75f02f7173e9afccefb7d0941e07f139263
Instruction Fuzzy Hash: 15018071C0161DDBDF00AFB5DC89AEDBBB8FB08710F040466E501B2240DB349558EBA1

Function 00FB1A45 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FB1A60
GetLastError.KERNEL32(?,00000000,00000000,?,?,00FB14E7,?,?,?), ref: 00FB1A6C
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00FB14E7,?,?,?), ref: 00FB1A7B
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00FB14E7,?,?,?), ref: 00FB1A82
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FB1A99

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 08025827e4e3b086f8bbb58e1c21d8b75971a57ac39361b705ee69bcdde401e9
Instruction ID: 3600046289dab42359acba7f2be9eed0ed31902d0dfbfcd828de64727aabc4aa
Opcode Fuzzy Hash: 08025827e4e3b086f8bbb58e1c21d8b75971a57ac39361b705ee69bcdde401e9
Instruction Fuzzy Hash: DF0181B5601209BFDB114F65DC88DAA3F6DFF85364B210424F845CB260DA35DC41AA60

Function 00FB1960 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00FB1976
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00FB1982
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FB1991
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00FB1998
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FB19AE

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 61428789dd2fb081663ba838de874fe548b304d0d27d90f21b7a40b39bfd7c4d
Instruction ID: 62e6f6eb2617df1f74158891a0084721a494cc6a029eac783638cbe07ba0ce26
Opcode Fuzzy Hash: 61428789dd2fb081663ba838de874fe548b304d0d27d90f21b7a40b39bfd7c4d
Instruction Fuzzy Hash: 59F06279500349AFD7214F65EC99F973B6DFF897A0F100414FA45CB651CA70D8009A60

Function 00FB1900 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FB1916
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FB1922
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FB1931
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FB1938
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FB194E

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 450b4a6faefbf39d67469afb1bd4fac32e446d72ea9478ccc7ba8762036f45c3
Instruction ID: e994943e67e7f05d36a9b451fa54e5b1042f4de804b56bec79c2899a15be0747
Opcode Fuzzy Hash: 450b4a6faefbf39d67469afb1bd4fac32e446d72ea9478ccc7ba8762036f45c3
Instruction Fuzzy Hash: 3BF06D7560034AAFDB210FA5DC9DF963BADFF897A0F500414FA45DB6A1CA70DC00AA60

Function 00FC0CB6 Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00FC0B24,?,00FC3D41,?,00000001,00F93AF4,?), ref: 00FC0CCB
CloseHandle.KERNEL32(?,?,?,?,00FC0B24,?,00FC3D41,?,00000001,00F93AF4,?), ref: 00FC0CD8
CloseHandle.KERNEL32(?,?,?,?,00FC0B24,?,00FC3D41,?,00000001,00F93AF4,?), ref: 00FC0CE5
CloseHandle.KERNEL32(?,?,?,?,00FC0B24,?,00FC3D41,?,00000001,00F93AF4,?), ref: 00FC0CF2
CloseHandle.KERNEL32(?,?,?,?,00FC0B24,?,00FC3D41,?,00000001,00F93AF4,?), ref: 00FC0CFF
CloseHandle.KERNEL32(?,?,?,?,00FC0B24,?,00FC3D41,?,00000001,00F93AF4,?), ref: 00FC0D0C

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ba68294435514b1485bdf7cf3b6e634d4a32f57e6ae02873785ff695a0cb3b80
Instruction ID: 47bfd588cbdcec20668a91a415f997d51b3058ecbbb54794211ebbc535016c02
Opcode Fuzzy Hash: ba68294435514b1485bdf7cf3b6e634d4a32f57e6ae02873785ff695a0cb3b80
Instruction Fuzzy Hash: 9C01A271800B16DFCB30AFA6DA81916F7F5BF503253158A3ED19752931CBB0A955EF80

Function 00FB65AB Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00FB65BF
GetWindowTextW.USER32(00000000,?,00000100), ref: 00FB65D6
MessageBeep.USER32(00000000), ref: 00FB65EE
KillTimer.USER32(?,0000040A), ref: 00FB660A
EndDialog.USER32(?,00000001), ref: 00FB6624

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: a41c104c3f44106fee6a080efc19e493d58094c2a403993ce220ed2af1473962
Instruction ID: d2a9b4b0b28fc9f2a14488cd715b164b102358fc93825a0fcc0784c7b5d0f464
Opcode Fuzzy Hash: a41c104c3f44106fee6a080efc19e493d58094c2a403993ce220ed2af1473962
Instruction Fuzzy Hash: 5E018630900308ABEB305F21DD8EBD67B78FB00705F040569A586E54E1DBF4AA54AE50

Function 00F8DABA Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F8DAD2

Part of subcall function 00F82D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00F8DB51,01021DC4,00000000,01021DC4,00000000,?,00F8DB78,01021DC4,00000007,01021DC4,?,00F8DF75,01021DC4), ref: 00F82D4E
Part of subcall function 00F82D38: GetLastError.KERNEL32(01021DC4,?,00F8DB51,01021DC4,00000000,01021DC4,00000000,?,00F8DB78,01021DC4,00000007,01021DC4,?,00F8DF75,01021DC4,01021DC4), ref: 00F82D60

_free.LIBCMT ref: 00F8DAE4
_free.LIBCMT ref: 00F8DAF6
_free.LIBCMT ref: 00F8DB08
_free.LIBCMT ref: 00F8DB1A

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7f6bda998fcb5aa9df0ff3afa9b7ba150ccc32839f71e8d5be13a55e7a0a36e3
Instruction ID: a129d405d7a1091005a3c2e4cfcba4137e691da87cb8ded4c435b026ab310d95
Opcode Fuzzy Hash: 7f6bda998fcb5aa9df0ff3afa9b7ba150ccc32839f71e8d5be13a55e7a0a36e3
Instruction Fuzzy Hash: B6F06233904214AB8664FB98E8C9C9AB7EEEE443203A54C05F448D7541CB3DFC809750

Function 00F82610 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00F8262E

Part of subcall function 00F82D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00F8DB51,01021DC4,00000000,01021DC4,00000000,?,00F8DB78,01021DC4,00000007,01021DC4,?,00F8DF75,01021DC4), ref: 00F82D4E
Part of subcall function 00F82D38: GetLastError.KERNEL32(01021DC4,?,00F8DB51,01021DC4,00000000,01021DC4,00000000,?,00F8DB78,01021DC4,00000007,01021DC4,?,00F8DF75,01021DC4,01021DC4), ref: 00F82D60

_free.LIBCMT ref: 00F82640
_free.LIBCMT ref: 00F82653
_free.LIBCMT ref: 00F82664
_free.LIBCMT ref: 00F82675

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c58505d45230fe5ef0f8c3367eda463c9ecb3afc4e43a0613d55a77eb77ae218
Instruction ID: 0c6aca1d884c48e6d23ae7259a72c19c8cb40e55cc5962b89187d3a4267fd4df
Opcode Fuzzy Hash: c58505d45230fe5ef0f8c3367eda463c9ecb3afc4e43a0613d55a77eb77ae218
Instruction Fuzzy Hash: 69F0FE718011209B86B2BF94FC89C887B64FB39761325490AF8A4D626DD73F2902BFC4

Function 00F812B7 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00F81469
__freea.LIBCMT ref: 00F81487

Part of subcall function 00F818A7: _free.LIBCMT ref: 00F818BF

Strings

am/pm, xrefs: 00F814EA
a/p, xrefs: 00F8154E

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 2f147ae965ed863bec4aeccc14144da54c189aabf45dfa2a96d3f892b72f2a8a
Instruction ID: 5e7966923c92abceb51435e0d217b3498c4a94ef971f2791839fb77cb0f7b232
Opcode Fuzzy Hash: 2f147ae965ed863bec4aeccc14144da54c189aabf45dfa2a96d3f892b72f2a8a
Instruction Fuzzy Hash: BCD10571D00206DADB24BF68C855BFEB7B9FF05720F28435AE5429B250E3359D82EB91

Function 00FB3063 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FBBDCA: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FB2B1D,?,?,00000034,00000800,?,00000034), ref: 00FBBDF4

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00FB30AD

Part of subcall function 00FBBD95: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FB2B4C,?,?,00000800,?,00001073,00000000,?,?), ref: 00FBBDBF

Part of subcall function 00FBBCF1: GetWindowThreadProcessId.USER32(?,?), ref: 00FBBD1C
Part of subcall function 00FBBCF1: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00FB2AE1,00000034,?,?,00001004,00000000,00000000), ref: 00FBBD2C
Part of subcall function 00FBBCF1: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00FB2AE1,00000034,?,?,00001004,00000000,00000000), ref: 00FBBD42

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FB311A
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FB3167

Strings

@, xrefs: 00FB317F

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: ff0c98ef40072703b5a2b04e3a03923d082f9489b605fa27392dbd7e489bf053
Instruction ID: c1c1f95d992f23cac5cd68d4c5e762d6200af71ce9321499cc66a5a77c67027c
Opcode Fuzzy Hash: ff0c98ef40072703b5a2b04e3a03923d082f9489b605fa27392dbd7e489bf053
Instruction Fuzzy Hash: A3413A72D00218BEDB10DBA9CC85ADEBBB8EF49300F004095FA55BB180DA746F89DF60

Function 00F81A9E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\250478\Epson.com,00000104), ref: 00F81AD9
_free.LIBCMT ref: 00F81BA4
_free.LIBCMT ref: 00F81BAE

Strings

C:\Users\user\AppData\Local\Temp\250478\Epson.com, xrefs: 00F81AD0, 00F81AD7, 00F81B06, 00F81B3E

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\Temp\250478\Epson.com
API String ID: 2506810119-4009054095
Opcode ID: c8574cd10c7c254c8de115b61f4095514d18d95c176972b89568679987971284
Instruction ID: 33de664c91d31b8cbac9eabf9f83ac49e2766fcbb9649c3d72a4b0b23b92ef2d
Opcode Fuzzy Hash: c8574cd10c7c254c8de115b61f4095514d18d95c176972b89568679987971284
Instruction Fuzzy Hash: 96317371E00218BFCB21EF99DC85DDEBBFCFB85710B2042A6E80497211E6755E45EB90

Function 00FBCB28 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00FBCBB1
DeleteMenu.USER32(?,00000007,00000000), ref: 00FBCBF7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,010229C0,01206558), ref: 00FBCC40

Strings

0, xrefs: 00FBCB8A

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 35256239ef1c3fe8210a2259c1b56fea08ae5bf5f1a17f9ce08555f887c8cece
Instruction ID: 09ef61735f27f0aabb50be643f8ac685d21ef7c7866f808626d746ad2d51d4de
Opcode Fuzzy Hash: 35256239ef1c3fe8210a2259c1b56fea08ae5bf5f1a17f9ce08555f887c8cece
Instruction Fuzzy Hash: AE41D1716043429FD720DF25CC84B9BBBE4AB84720F14462DF5A59B291CB34E904DF92

Function 00FE4EB4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00FEDCD0,00000000,?,?,?,?), ref: 00FE4F48
GetWindowLongW.USER32 ref: 00FE4F65
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FE4F75

Strings

SysTreeView32, xrefs: 00FE4F1A

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 6eda1e9f3ef9ba4323df6394eb0c355444df148d7d243e8836282b0e207c12f0
Instruction ID: f198ba59e5f2b528289c0b326f4bbb2a03a729a39f65bbaa7c897d4e85a25e60
Opcode Fuzzy Hash: 6eda1e9f3ef9ba4323df6394eb0c355444df148d7d243e8836282b0e207c12f0
Instruction Fuzzy Hash: 7D31BE31600285AFDB208F79DC45BEA77A9EB48334F204719F979A31E0C774EC50AB50

Function 00FD3AAB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD3DB8: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00FD3AD4,?,?), ref: 00FD3DD5

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FD3AD7
_wcslen.LIBCMT ref: 00FD3AF8
htons.WSOCK32(00000000,?,?,00000000), ref: 00FD3B63

Strings

255.255.255.255, xrefs: 00FD3AF2, 00FD3AF7

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: ef51a833da45b3d9a9fb2c1ee46d6ce96ee2ddca2803f0638fd767e938abc94f
Instruction ID: 022d012f6857a02165f9e2b83a9817e0359c8c6d186c1592896f891d0f608ef2
Opcode Fuzzy Hash: ef51a833da45b3d9a9fb2c1ee46d6ce96ee2ddca2803f0638fd767e938abc94f
Instruction Fuzzy Hash: C831E6396002059FC710CF28C485E6977F2EF54328F28815BE9168B392C731EE41EB62

Function 00FE4954 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00FE49DC
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00FE49F0
SendMessageW.USER32(?,00001002,00000000,?), ref: 00FE4A14

Strings

SysMonthCal32, xrefs: 00FE49A7

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 8fac3631b67e267f463f1197ef45d7bda1584bfc69b1f42e3cb5198de5a57bc4
Instruction ID: ddd6cc704afc36bb7ce3df3b4a5e692486f74ef582c51ecdcc6b98beb5ef61a7
Opcode Fuzzy Hash: 8fac3631b67e267f463f1197ef45d7bda1584bfc69b1f42e3cb5198de5a57bc4
Instruction Fuzzy Hash: 2821B132540259ABDF118F55CC82FEF3B69EF88724F110218FA157B090D6B5B855AB90

Function 00FE50F1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00FE51A3
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00FE51B1
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00FE51B8

Strings

msctls_updown32, xrefs: 00FE5122

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 342620e8677b4afaf61a57da54f0470af6eab8eeaca4dd1942de5f784f0b1c58
Instruction ID: 8a533d55b42d4cbed41ad11637aca7e4dc905b6e596775660a4d4b8592c072eb
Opcode Fuzzy Hash: 342620e8677b4afaf61a57da54f0470af6eab8eeaca4dd1942de5f784f0b1c58
Instruction Fuzzy Hash: 3421A1B5600649AFDB10DF55CC81EB737ADEF5A7A8B100059FA009B351CB79EC11EBA0

Function 00FE4253 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00FE42DC
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00FE42EC
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00FE4312

Strings

Listbox, xrefs: 00FE42AB

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: dce2ba4d254846972719ff9defc8a5b76b359ecd9e4cdc9398168960f5734925
Instruction ID: 99f8708e7a7f47cde933d2ea1276f048269b0c408d492b836eab579227b6c54e
Opcode Fuzzy Hash: dce2ba4d254846972719ff9defc8a5b76b359ecd9e4cdc9398168960f5734925
Instruction Fuzzy Hash: 6D219532A10158BFDF118F95DC85FAB376EEF89764F118118FA049B190C675AC51A790

Function 00FC5439 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FC544D
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00FC54A1
SetErrorMode.KERNEL32(00000000,?,?,00FEDCD0), ref: 00FC5515

Strings

%lu, xrefs: 00FC54B4

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 08882b5e9f9d30caf94e3e0961330fecae1276af5f47e6ae6b7b7a8e098b7450
Instruction ID: 08b42ad72291f82171843f124ca11c1c175555b5d31fd3c0ef31ad784ed743bb
Opcode Fuzzy Hash: 08882b5e9f9d30caf94e3e0961330fecae1276af5f47e6ae6b7b7a8e098b7450
Instruction Fuzzy Hash: 01319370A00109AFDB00DF54C985EAA7BF8EF04318F144099F909DF262DB75EE45EB61

Function 00FE4C89 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00FE4CED
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00FE4D02
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00FE4D0F

Strings

msctls_trackbar32, xrefs: 00FE4CC4

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: ef054548f4ca2c21da6bccbe27dbbdd09802642a01d1b2be292237f2500087fb
Instruction ID: 5cb7212620410e916789e711988fb729fb3e81ae3bfea50c1e51a4640365d543
Opcode Fuzzy Hash: ef054548f4ca2c21da6bccbe27dbbdd09802642a01d1b2be292237f2500087fb
Instruction Fuzzy Hash: EA112971640288BEEF215F6ACC06FAB37ECEF89B65F110519FA55E60A0C271EC51EB10

Function 00FB389E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F58577: _wcslen.LIBCMT ref: 00F5858A

Part of subcall function 00FB36F4: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00FB3712
Part of subcall function 00FB36F4: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FB3723
Part of subcall function 00FB36F4: GetCurrentThreadId.KERNEL32 ref: 00FB372A
Part of subcall function 00FB36F4: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00FB3731

GetFocus.USER32 ref: 00FB38C4

Part of subcall function 00FB373B: GetParent.USER32(00000000), ref: 00FB3746

GetClassNameW.USER32(?,?,00000100), ref: 00FB390F
EnumChildWindows.USER32(?,00FB3987), ref: 00FB3937

Strings

%s%d, xrefs: 00FB394B

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 06b3cce835cc3bcdaa5fab9e756ac6edb64108ca5901c55808e90045e004934b
Instruction ID: 55332db4499525ac35b98154fde18a9a80cf392a27487a5cf03a2048bfa36224
Opcode Fuzzy Hash: 06b3cce835cc3bcdaa5fab9e756ac6edb64108ca5901c55808e90045e004934b
Instruction Fuzzy Hash: E511D571640249ABCF01BF758CC5EED77AA9F94350F044069BD099B252DE75990AAF20

Function 00FE6321 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00FE6360
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00FE638D
DrawMenuBar.USER32(?), ref: 00FE639C

Strings

0, xrefs: 00FE632E

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 22cdb560fe98749fce42a657e0952c91b0aef29f8a298f17ce8104691d8b07da
Instruction ID: 2b39ac8f7060594588607c429cb0e8c800763da5450642a040e1492b66e60752
Opcode Fuzzy Hash: 22cdb560fe98749fce42a657e0952c91b0aef29f8a298f17ce8104691d8b07da
Instruction Fuzzy Hash: EE015E32500298EFDB119F11DC84BAA7BB4FF447A5F148099E449DA150DF708985FF21

Function 00FB096F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55aae5e46460c4ed9589294ca32597e35d26833f3f916ed7977c85e52f4e2174
Instruction ID: c6314a663327f6a845124dbf984f30493fcfbed721e1e0a1f831e0355f1ba51a
Opcode Fuzzy Hash: 55aae5e46460c4ed9589294ca32597e35d26833f3f916ed7977c85e52f4e2174
Instruction Fuzzy Hash: 4EC15B75A0021AAFCB14CF95C884EAEBBB5FF88714F108598E405EB251DB31EE41EF90

Function 00F841F3 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00F8427E
__alldvrm.LIBCMT ref: 00F8447F
__alldvrm.LIBCMT ref: 00F844A1

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 65ac5c1fffd7beff7dffafb7e38bd52ffe3f80321006b0a9665303c455145bc9
Instruction ID: ffd3a7f87865c4c0c93934b7e9998f090521280160229799ead50dd14bfc7737
Opcode Fuzzy Hash: 65ac5c1fffd7beff7dffafb7e38bd52ffe3f80321006b0a9665303c455145bc9
Instruction Fuzzy Hash: C7A14872D043879FEB21EF58C8917EEBBE4EF51324F2441ADE9959B281C338A941E750

Function 00FB0D26 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00FF0BD4,?), ref: 00FB0EE0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00FF0BD4,?), ref: 00FB0EF8
CLSIDFromProgID.OLE32(?,?,00000000,00FEDCE0,000000FF,?,00000000,00000800,00000000,?,00FF0BD4,?), ref: 00FB0F1D
_memcmp.LIBVCRUNTIME ref: 00FB0F3E

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: c4386d03b76002c0676a1b764929a886f8fb8701a51af7377d200e1ee6c0a939
Instruction ID: 8573df98dc2d9f9ce1ffe6b21b7fc9f7e20633ed4cfd35c362038c344cbef35a
Opcode Fuzzy Hash: c4386d03b76002c0676a1b764929a886f8fb8701a51af7377d200e1ee6c0a939
Instruction Fuzzy Hash: F381E671A00109EFCB14DF94C984EEEB7B9FF89315B204598F506AB250DB71AE06DB60

Function 00FDB0DC Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00FDB10C
Process32FirstW.KERNEL32(00000000,?), ref: 00FDB11A

Part of subcall function 00F5B329: _wcslen.LIBCMT ref: 00F5B333

Process32NextW.KERNEL32(00000000,?), ref: 00FDB1FC
CloseHandle.KERNEL32(00000000), ref: 00FDB20B

Part of subcall function 00F6E36B: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00F94D73,?), ref: 00F6E395

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 259b579af873035a407bc213679b3db5c7b0f953a9aa740f4d2eabe0480557a5
Instruction ID: b248d93554891147a9914d24af3c7fa674002a51db1f7346d9ad6e6dad842acf
Opcode Fuzzy Hash: 259b579af873035a407bc213679b3db5c7b0f953a9aa740f4d2eabe0480557a5
Instruction Fuzzy Hash: 35515B71908300AFD310EF24CC86A6BBBE8FF89754F44492DF98597291EB34D909DB92

Function 00F91711 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F91840

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 40d09acc4c2593ee041ca815fbd92ad003b596605e2bb19f09fcebe0380d284a
Instruction ID: c13d435be66351d29613ec41ab2a66f55cc16b240d7b788631da8938d49a4675
Opcode Fuzzy Hash: 40d09acc4c2593ee041ca815fbd92ad003b596605e2bb19f09fcebe0380d284a
Instruction Fuzzy Hash: 85412B32A00103ABFF217BF98C86ABE3AA4FF41770F144636F418D6291E67949417763

Function 00FD2533 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00FD255A
WSAGetLastError.WSOCK32 ref: 00FD2568
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00FD25E7
WSAGetLastError.WSOCK32 ref: 00FD25F1

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 96a1cd397332f1d929285dfc478a07210e4e801e44c3e5af35ad3f9a1e4054e8
Instruction ID: a181dc02306fab6cbcfac354a90129533eb08f11c51ec58e017ab3fd5a20a49a
Opcode Fuzzy Hash: 96a1cd397332f1d929285dfc478a07210e4e801e44c3e5af35ad3f9a1e4054e8
Instruction Fuzzy Hash: F841C274A00300AFE720AF24DC86F2A77A5AF54758F58C448FA169F3D2C776ED429B90

Function 00FE6CB0 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00FE6D1A
ScreenToClient.USER32(?,?), ref: 00FE6D4D
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00FE6DBA

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: ba2ce988966653c2df8735ae96e4c7867bc20bf61d1e7a05c69b681a8cebcd41
Instruction ID: f1af94461039f86f7f5eb62854286f49a46132643ed74696a56eb4c9933071cc
Opcode Fuzzy Hash: ba2ce988966653c2df8735ae96e4c7867bc20bf61d1e7a05c69b681a8cebcd41
Instruction Fuzzy Hash: B1514C34A00249EFCF24DF65D880AAE7BB6FF943A4F608159F955DB290D730AD81EB50

Function 00F8B79F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c49b6db6f97eafd4533ab90ecd9dd3792081ede6244ef5442498a93fff29130
Instruction ID: 224d7f1cb567be7f5734512af9b06719bde51b02049c477e908c38ab13f482ff
Opcode Fuzzy Hash: 6c49b6db6f97eafd4533ab90ecd9dd3792081ede6244ef5442498a93fff29130
Instruction Fuzzy Hash: 8A41EA72A00704BFE725BF78CC41BAA7BEDEF84710F10852AF115DB291D775A9069780

Function 00FC611E Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00FC61C8
GetLastError.KERNEL32(?,00000000), ref: 00FC61EE
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00FC6213
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00FC623F

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 2617ce785d742f6cc60792ec3afb81a8351581d132abbc40a0c129dcf8390033
Instruction ID: 1644252998b922de6cfa15faaca8e09c6c41a3634cabe4c4a38b610ad6b89483
Opcode Fuzzy Hash: 2617ce785d742f6cc60792ec3afb81a8351581d132abbc40a0c129dcf8390033
Instruction Fuzzy Hash: 3C414F35A00611DFCB11DF54C985A59B7F1AF89751B088488ED4AAF362CB34FD05EB91

Function 00FBB41E Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00FBB473
SetKeyboardState.USER32(00000080), ref: 00FBB48F
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00FBB4FD
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00FBB54F

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 5f0dcf64914247317f97e53c8f1650b761ffd92f95447eef5b7a30f975beb248
Instruction ID: 5a068e34206ff4f190d507bc05ed2ab38e0940b18e2a13e9c91dbf95a5010b85
Opcode Fuzzy Hash: 5f0dcf64914247317f97e53c8f1650b761ffd92f95447eef5b7a30f975beb248
Instruction Fuzzy Hash: E8312870E40248AEFF30CF26CC457FE7BB5BB44320F08421AE495561D6C7B48945AF92

Function 00FBB563 Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00FBB5B8
SetKeyboardState.USER32(00000080,?,00008000), ref: 00FBB5D4
PostMessageW.USER32(00000000,00000101,00000000), ref: 00FBB63B
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00FBB68D

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 60216014380edd157714a5e3d65c89da3aae37de2e60c6af7f8c9ceac8d0dce4
Instruction ID: a15ee05e3329e05dd5b50643129e99fbf8ed94ee1dcf1c7de5a54bcedb5818ee
Opcode Fuzzy Hash: 60216014380edd157714a5e3d65c89da3aae37de2e60c6af7f8c9ceac8d0dce4
Instruction Fuzzy Hash: B531FB30E4064C6EFF308B66CC057FE7BA7AF85320F04426AE485961D1C7B48E55AF91

Function 00FE80AE Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00FE80D4
GetWindowRect.USER32(?,?), ref: 00FE814A
PtInRect.USER32(?,?,?), ref: 00FE815A
MessageBeep.USER32(00000000), ref: 00FE81C6

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 73294b2fcc95adbe72749498c338d347082c8d3d8676c27773243a4d6be08a94
Instruction ID: bda27133de76ea07d26a92f5f12be04f758c359c2912c5f772805daca0817c6e
Opcode Fuzzy Hash: 73294b2fcc95adbe72749498c338d347082c8d3d8676c27773243a4d6be08a94
Instruction Fuzzy Hash: 2D41A630B00295DFCB25EF59C884A6977F5FF45394F244068E9589F265CB39E843EB50

Function 00FE2176 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00FE2187

Part of subcall function 00FB4393: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FB43AD
Part of subcall function 00FB4393: GetCurrentThreadId.KERNEL32 ref: 00FB43B4
Part of subcall function 00FB4393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00FB2F00), ref: 00FB43BB

GetCaretPos.USER32(?), ref: 00FE219B
ClientToScreen.USER32(00000000,?), ref: 00FE21E8
GetForegroundWindow.USER32 ref: 00FE21EE

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 643fc5ac009c9e885e9683351a13262411b78501c9ebce5ac9c9cab32fabfcd0
Instruction ID: 684bbb2417450fd34d64ff7ef110cb22d449eac273d0c5c0212d5ca8a31b4809
Opcode Fuzzy Hash: 643fc5ac009c9e885e9683351a13262411b78501c9ebce5ac9c9cab32fabfcd0
Instruction Fuzzy Hash: 56314171D00249AFC704DFAACCC1CAEB7FCEF58304B54446AE516E7211EA759E45DBA0

Function 00FBE8AC Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00F541EA: _wcslen.LIBCMT ref: 00F541EF

_wcslen.LIBCMT ref: 00FBE8E2
_wcslen.LIBCMT ref: 00FBE8F9
_wcslen.LIBCMT ref: 00FBE924
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00FBE92F

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: e7800be8845a24ade38ee581c9b928a1354758186312313281e0abdeeac0054e
Instruction ID: 4b006512461f18b9a04415087bbc3c355bfbed93ecd893e11e9b4e856245328b
Opcode Fuzzy Hash: e7800be8845a24ade38ee581c9b928a1354758186312313281e0abdeeac0054e
Instruction Fuzzy Hash: BC21D371D00218EFDB11AFA5CD81BEEB7F8EF45360F148065F908AB241D774AE419BA2

Function 00FE9A25 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F5249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00F524B0

GetCursorPos.USER32(?), ref: 00FE9A5D
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00FE9A72
GetCursorPos.USER32(?), ref: 00FE9ABA
DefDlgProcW.USER32(?,0000007B,?,?,?,?), ref: 00FE9AF0

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 24ccc59dc8be05d3ad45047c77563d8d8049d1a470cd759166529dec6a23700c
Instruction ID: 8e9f47031e7056d6577093516c4dff8c820019978dc4ad254ffac40f552b46df
Opcode Fuzzy Hash: 24ccc59dc8be05d3ad45047c77563d8d8049d1a470cd759166529dec6a23700c
Instruction Fuzzy Hash: A721FE31A00058EFCF258F95C888EFE3BB9FF0AB60F504165F9058B1A1C3B99950EB60

Function 00FBDB6C Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00FEDC30), ref: 00FBDBA6
GetLastError.KERNEL32 ref: 00FBDBB5
CreateDirectoryW.KERNEL32(?,00000000), ref: 00FBDBC4
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00FEDC30), ref: 00FBDC21

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: a33cc3afa0cf664ad0a508e24b77746bbd574c81eb77f84c8b79511347fa4ca7
Instruction ID: e5fdc43104c7a8017f17d73d4dd11a9fd3c7b4ce26cf0add448cc90ffa1359fc
Opcode Fuzzy Hash: a33cc3afa0cf664ad0a508e24b77746bbd574c81eb77f84c8b79511347fa4ca7
Instruction Fuzzy Hash: 1921C9715043059F8700DF29C8819ABBBE8EF96764F104A1DF499C72A1E730D94AEF43

Function 00FE321E Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00FE32A6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00FE32C0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00FE32CE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00FE32DC

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: c6cc701aeb895e458b974d81776d430853615b34a831f317ce28d1152495adce
Instruction ID: f9dd3daccc0c32f38bd486008931f353fb0a87507afdcde563cbfab06dfcd167
Opcode Fuzzy Hash: c6cc701aeb895e458b974d81776d430853615b34a831f317ce28d1152495adce
Instruction Fuzzy Hash: 2221F131604191AFD7049B25CC4DF6ABB95AF81324F248258F9668B2D2C776EE41D7D0

Function 00FB825C Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB96E4: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00FB8271,?,000000FF,?,00FB90BB,00000000,?,0000001C,?,?), ref: 00FB96F3
Part of subcall function 00FB96E4: lstrcpyW.KERNEL32(00000000,?,?,00FB8271,?,000000FF,?,00FB90BB,00000000,?,0000001C,?,?,00000000), ref: 00FB9719
Part of subcall function 00FB96E4: lstrcmpiW.KERNEL32(00000000,?,00FB8271,?,000000FF,?,00FB90BB,00000000,?,0000001C,?,?), ref: 00FB974A

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00FB90BB,00000000,?,0000001C,?,?,00000000), ref: 00FB828A
lstrcpyW.KERNEL32(00000000,?,?,00FB90BB,00000000,?,0000001C,?,?,00000000), ref: 00FB82B0
lstrcmpiW.KERNEL32(00000002,cdecl,?,00FB90BB,00000000,?,0000001C,?,?,00000000), ref: 00FB82EB

Strings

cdecl, xrefs: 00FB82E2

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 945ba1e2893b63f51270ff8a693a8d4711445f74c3f36b554d9fb6e76f10219c
Instruction ID: e03613f9c6607ce2e4ef83194f0ca843a57ef95fe0038c1327ba6a4c01e35fa7
Opcode Fuzzy Hash: 945ba1e2893b63f51270ff8a693a8d4711445f74c3f36b554d9fb6e76f10219c
Instruction Fuzzy Hash: 0511293A200341AFCB149F35CC44EBA77E9FF887A0B50402AF942CB250EF759812EB51

Function 00FE60FF Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00FE615A
_wcslen.LIBCMT ref: 00FE616C
_wcslen.LIBCMT ref: 00FE6177
SendMessageW.USER32(?,00001002,00000000,?), ref: 00FE62B5

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 3f5b4bbb7b443d454e6bf4d8c74df7f718a7afa8d3ea89daecc2de21255e9041
Instruction ID: d13dc951ad55e61400a03e33c1ad549392e60f62de4166e8c80e8133d841cf24
Opcode Fuzzy Hash: 3f5b4bbb7b443d454e6bf4d8c74df7f718a7afa8d3ea89daecc2de21255e9041
Instruction Fuzzy Hash: 5E11D636A0029C9ADB21DF668C84EEF777CEB25BA4F10402BF915D9181EB74C940EB61

Function 00F82079 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 121d9ecb66ba95c92c7a01180fafc372f79cbe63fdec59f05a2989d2051a9e6a
Instruction ID: f6dd2a8238c1ccc03d32295abeb7c66c140b9c18fde42b6630b0e74a9e1495c5
Opcode Fuzzy Hash: 121d9ecb66ba95c92c7a01180fafc372f79cbe63fdec59f05a2989d2051a9e6a
Instruction Fuzzy Hash: 1101A2B660921A7EF66136786CC0FA7770DDF413B8B344326B521A51D1EE75AC40B360

Function 00FB2374 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00FB2394
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FB23A6
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FB23BC
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FB23D7

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f5b6ede5c144707cca76605fa3c539ada3fb67dd5c9dac271fb9b197ccc24ddd
Instruction ID: f98f686fd5c4a2d64e9430d50e569373821d214ec89328e305aae01a2bfe0f34
Opcode Fuzzy Hash: f5b6ede5c144707cca76605fa3c539ada3fb67dd5c9dac271fb9b197ccc24ddd
Instruction Fuzzy Hash: 5E11093AD00218FFEB119BA5CD85FDDBBB8FB08750F240091EA01B7290D6716E50EB94

Function 00F51AAC Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00F5249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00F524B0

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00F51AF4
GetClientRect.USER32(?,?), ref: 00F931F9
GetCursorPos.USER32(?), ref: 00F93203
ScreenToClient.USER32(?,?), ref: 00F9320E

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: c15e66b51fa9786d86e151089d90721c1d045ec3b658b11eaca432f7ed44d4ee
Instruction ID: b7cd738dd7030230c3149ae558768f81c9465b6ebe3236c28beee9294a65567f
Opcode Fuzzy Hash: c15e66b51fa9786d86e151089d90721c1d045ec3b658b11eaca432f7ed44d4ee
Instruction Fuzzy Hash: C1116632A01119ABDF11EFA8CC85AEF77B8FB05351F100452FA02E6150C739BA85EBA1

Function 00FBEAED Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00FBEB14
MessageBoxW.USER32(?,?,?,?), ref: 00FBEB47
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00FBEB5D
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00FBEB64

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 662e3bbdb817eae6987c31cdf7e6d126045061beab301b0f233092dacf945d5d
Instruction ID: fa10c3e129ee3dc8cab47c82ebd71176b14ba2bf27939963c3a12b88397e5ac8
Opcode Fuzzy Hash: 662e3bbdb817eae6987c31cdf7e6d126045061beab301b0f233092dacf945d5d
Instruction Fuzzy Hash: EB112676900258BFDB219FA89C45ADE7FACAB45320F14C216F825E3280D6B5C9049BA1

Function 00F7D53C Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00F7D369,00000000,00000004,00000000), ref: 00F7D588
GetLastError.KERNEL32 ref: 00F7D594
__dosmaperr.LIBCMT ref: 00F7D59B
ResumeThread.KERNEL32(00000000), ref: 00F7D5B9

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: da4e960b2d6a3ae9b1c852cfb38ae2d33a4b3ccf91b1c9d892b27f68fc8939d8
Instruction ID: a1c3edfefb83f11e88dd86e1b9710d76f08c523476b44171e5eae08761176fd6
Opcode Fuzzy Hash: da4e960b2d6a3ae9b1c852cfb38ae2d33a4b3ccf91b1c9d892b27f68fc8939d8
Instruction Fuzzy Hash: DC01F9328011187BDB106FA5DC05FAA7B79EF81334F548217F92D861E0DB708900F6A3

Function 00F57873 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F578B1
GetStockObject.GDI32(00000011), ref: 00F578C5
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F578CF

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 50d7699ffdb3a24de2749e6b207620f7be6fcfe05cc62fdec80bc2df33367716
Instruction ID: 5c430d8a02b81c9ab46573681564cafd28f81a6f22cc56f4ba00b67c8ee88540
Opcode Fuzzy Hash: 50d7699ffdb3a24de2749e6b207620f7be6fcfe05cc62fdec80bc2df33367716
Instruction Fuzzy Hash: 8111AD72905248BFEF126F90EC98EEABB69FF083A6F140115FE005A110D7359C64FBA0

Function 00F833E6 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000364,00000000,00000000,?,00F8338D,00000364,00000000,00000000,00000000,?,00F835FE,00000006,FlsSetValue), ref: 00F83418
GetLastError.KERNEL32(?,00F8338D,00000364,00000000,00000000,00000000,?,00F835FE,00000006,FlsSetValue,00FF3260,FlsSetValue,00000000,00000364,?,00F831B9), ref: 00F83424
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00F8338D,00000364,00000000,00000000,00000000,?,00F835FE,00000006,FlsSetValue,00FF3260,FlsSetValue,00000000), ref: 00F83432

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: af77f9196644f2d81d4f26c1272d8fb5cb6cf7ea49aac73ceb759bbca2209f6e
Instruction ID: 6d213a50f6e14e78e0bb1b7f2c6eaf6412bba0d1ad3eaa69c67c59ad21cd38b4
Opcode Fuzzy Hash: af77f9196644f2d81d4f26c1272d8fb5cb6cf7ea49aac73ceb759bbca2209f6e
Instruction Fuzzy Hash: B201D432A122269BCB22EA799C44A963B58AF05F717210220FA06DB190C730D901E7E0

Function 00FBBA6F Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00FBB69A,?,00008000), ref: 00FBBA8B
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00FBB69A,?,00008000), ref: 00FBBAB0
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00FBB69A,?,00008000), ref: 00FBBABA
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00FBB69A,?,00008000), ref: 00FBBAED

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 66d796fb378338c64d5c91583a105de3e9c75d7a323440394e6d37ea84e190e4
Instruction ID: d673296dcf717ba5b34c99e5c395de1c4b365ee9168bc8acb0c3e196b37d7033
Opcode Fuzzy Hash: 66d796fb378338c64d5c91583a105de3e9c75d7a323440394e6d37ea84e190e4
Instruction Fuzzy Hash: 82115B31C0162DE7DF00EFA6E9897EEBB7CBF09711F104095D941B6180CBB89650EBA5

Function 00FE886F Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00FE888E
ScreenToClient.USER32(?,?), ref: 00FE88A6
ScreenToClient.USER32(?,?), ref: 00FE88CA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00FE88E5

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 4eef37da3b6195fa9bb62483dfa0bcc5dc733336f54c554f5cc1cbc950b208ed
Instruction ID: 2c27e5f5f2eff539172b66a1775003b9f8da4f7c9be2a3de072e7d8f5b30f7de
Opcode Fuzzy Hash: 4eef37da3b6195fa9bb62483dfa0bcc5dc733336f54c554f5cc1cbc950b208ed
Instruction Fuzzy Hash: 471160B9D0024DAFDB01DFA8C884AEEBBB5FB08310F108066E915E6610D735AA51DF50

Function 00FB36F4 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00FB3712
GetWindowThreadProcessId.USER32(?,00000000), ref: 00FB3723
GetCurrentThreadId.KERNEL32 ref: 00FB372A
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00FB3731

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 7ea4b99f71191332d45dbc6195d6047003c1a9ff929a764a9229ff85c9901449
Instruction ID: 7d7bbfad9e66cfa52f7601c24d0c0c0d965f037dc629209a0c69c54b4fb9a93d
Opcode Fuzzy Hash: 7ea4b99f71191332d45dbc6195d6047003c1a9ff929a764a9229ff85c9901449
Instruction Fuzzy Hash: F6E06DB25452687ADB201BA39C8DEEB7F6CDB42BA1F100019F105DA480DAA48940EAB0

Function 00FE92BF Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00F51F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F51F87
Part of subcall function 00F51F2D: SelectObject.GDI32(?,00000000), ref: 00F51F96
Part of subcall function 00F51F2D: BeginPath.GDI32(?), ref: 00F51FAD
Part of subcall function 00F51F2D: SelectObject.GDI32(?,00000000), ref: 00F51FD6

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00FE92E3
LineTo.GDI32(?,?,?), ref: 00FE92F0
EndPath.GDI32(?), ref: 00FE9300
StrokePath.GDI32(?), ref: 00FE930E

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 23b5ee88be6ea1dc63562bd54920c8989eb549369aba3d2f996a5a19328a62a3
Instruction ID: 9bebc5e43874cf18f9363c2072209ca5fe73c590d48c07a92262721c6d825a5a
Opcode Fuzzy Hash: 23b5ee88be6ea1dc63562bd54920c8989eb549369aba3d2f996a5a19328a62a3
Instruction Fuzzy Hash: 13F05E31105298BADB225F95AC0EFCE3F59AF0A321F148100FB11250E1C7BA5561EBA5

Function 00F521A0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00F521BC
SetTextColor.GDI32(?,?), ref: 00F521C6
SetBkMode.GDI32(?,00000001), ref: 00F521D9
GetStockObject.GDI32(00000005), ref: 00F521E1

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: a0d02d478e9846780c5df514de0d334ff082d6fa38476b716258678edd8e783d
Instruction ID: f83fb8906e8cb438fdd26d5cede2b814767b2f5fde28955b4b4275d6eb7392fa
Opcode Fuzzy Hash: a0d02d478e9846780c5df514de0d334ff082d6fa38476b716258678edd8e783d
Instruction Fuzzy Hash: 52E06D31640684AAEB215B74AC49BE93B21AB16336F08821AF7BA5C0E0C7728640BB10

Function 00FAEC36 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00FAEC36
GetDC.USER32(00000000), ref: 00FAEC40
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00FAEC60
ReleaseDC.USER32(?), ref: 00FAEC81

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 15512e19ac02c061c66ce40be100d6f3bfb1b34879b28ed015d5299ecd74e902
Instruction ID: 5682b2df6535da47df7de28ab164f24e462048ee98411e7098655aee2d8e84c0
Opcode Fuzzy Hash: 15512e19ac02c061c66ce40be100d6f3bfb1b34879b28ed015d5299ecd74e902
Instruction Fuzzy Hash: D6E01AB5800208DFCF409FA0C988A5DBBB5FB48311F108409E91AEB650CB385901FF10

Function 00FAEC4A Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00FAEC4A
GetDC.USER32(00000000), ref: 00FAEC54
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00FAEC60
ReleaseDC.USER32(?), ref: 00FAEC81

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 60a8b9212aaefbe1ece62d2f7479cd48ef8ee934e56cefb6825665ba1bd055a1
Instruction ID: 3843275c27ae19c4512138c77f98283b93e8d411d9a80f0d16d9e28978402cce
Opcode Fuzzy Hash: 60a8b9212aaefbe1ece62d2f7479cd48ef8ee934e56cefb6825665ba1bd055a1
Instruction Fuzzy Hash: 01E012B5C00208EFCF409FA0C888A5DBBB1BB48311B108409E91AEB650CB386A01AF00

Function 00FC57CC Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F541EA: _wcslen.LIBCMT ref: 00F541EF

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00FC5919

Strings

*, xrefs: 00FC5855
LPT, xrefs: 00FC5840

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: e0f53bf4cb45c16bc4e44775ac58b761926b8122ca32bdc9468fc6f2bc23a26a
Instruction ID: d6fd6e68104f1749398862a92caebada93301e5e9970347dc79d851a8037d5ea
Opcode Fuzzy Hash: e0f53bf4cb45c16bc4e44775ac58b761926b8122ca32bdc9468fc6f2bc23a26a
Instruction Fuzzy Hash: 2A91AB75A00605DFCB14CF44C986FAABBB1AF44714F18809DE84A9F3A2C775EE85DB90

Function 00F7E5ED Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00F7E67D

Strings

pow, xrefs: 00F7E655, 00F7E672

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 64c5208309e21fdeee2d4207fb125786a4d03ae4ab79d13c25477c0bb75d6b8d
Instruction ID: ffcc511c82ecbf56743f7285def78b01a61778c5414e02cadb015e6b9edb7e50
Opcode Fuzzy Hash: 64c5208309e21fdeee2d4207fb125786a4d03ae4ab79d13c25477c0bb75d6b8d
Instruction Fuzzy Hash: AE517961E1850686CB157714CD053FA3BA4AB14BA0F708D9BF099422E8EF398C97BB47

Function 00F6A8EC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00F6A916

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 742a7e81908bd1de0dba1b034e0bac71bdbb4f66bd2dc7d7e08fbcbe7f04c4eb
Instruction ID: 4a0bca9e3fb40bc93b60391a512d407f0a7d92931ade5f73003cbc9f3dec1efa
Opcode Fuzzy Hash: 742a7e81908bd1de0dba1b034e0bac71bdbb4f66bd2dc7d7e08fbcbe7f04c4eb
Instruction Fuzzy Hash: 2A5134B5904247DFCB25DF28C441ABA7BB0EF1A360F644055FC91AB290DB789D43EB61

Function 00F6F6CA Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00F6F6DB
GlobalMemoryStatusEx.KERNEL32(?), ref: 00F6F6F4

Strings

@, xrefs: 00F6F6E8

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: dd7c7637fa778f47f2c6a3d1aeb05b58eb5c3f8f97f4b59deaf3c5e31f951595
Instruction ID: 1fb82f391b4de14f26410624b02cf0982c8338cb928312b1b56583536d50ebf3
Opcode Fuzzy Hash: dd7c7637fa778f47f2c6a3d1aeb05b58eb5c3f8f97f4b59deaf3c5e31f951595
Instruction Fuzzy Hash: 0B517771918748EBD320AF10DC86BAFBBE8FF84341F81884DF6D951095DB398529CB26

Function 00FD61A2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?), ref: 00FD623D
_wcslen.LIBCMT ref: 00FD6249

Strings

CALLARGARRAY, xrefs: 00FD6243, 00FD6248

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 2deb3337c77e0029f96c74a0aa562fc6e372f65a0486b8d2dec4fc864da886b2
Instruction ID: 78b2696c7ed6dea8818d27959b5df1b81107b6184a14e1f9a923f67f19967a21
Opcode Fuzzy Hash: 2deb3337c77e0029f96c74a0aa562fc6e372f65a0486b8d2dec4fc864da886b2
Instruction Fuzzy Hash: 4041AC31E002099FCF00DFA9C8819EEBBB6FF59361B14402AE505E7351D7749981EFA0

Function 00FCDB39 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FCDB75
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00FCDB7F

Strings

|, xrefs: 00FCDB50

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: cae77e5fcda03ca2de4c94b3cc7f2c9b6f31114c6b88b7e4ae41a420622dc958
Instruction ID: 807b9c9f17dffb43ba018ba3d374e364faf29e3b7f27bc1da9d2848e416852ee
Opcode Fuzzy Hash: cae77e5fcda03ca2de4c94b3cc7f2c9b6f31114c6b88b7e4ae41a420622dc958
Instruction Fuzzy Hash: F3313A72801109ABCF05DFA0CD85EEEBFB9FF04354F100029F915A6262EB759906EB50

Function 00FE4008 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00FE40BD
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00FE40F8

Strings

static, xrefs: 00FE4058

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 4e36180efdb55351acf006dbd5be548b92212713e21e4b406217080f30da9dd7
Instruction ID: 43a976565e0982ef8bb0e06b3d9cee118d353d4b975cffe8864ed47901a9a4ff
Opcode Fuzzy Hash: 4e36180efdb55351acf006dbd5be548b92212713e21e4b406217080f30da9dd7
Instruction Fuzzy Hash: E7319071510644AEDB24DF79CC80BFB73A9FF48760F10862DFA9587190DA75AC81EB60

Function 00FE4FD5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00FE50BD
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FE50D2

Strings

', xrefs: 00FE502C

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: c7a21f67512c72e2b69255c062fd394e3d7e2aadb4332a976f69998f067e107a
Instruction ID: 4cd6f5c5e11b04207c42aae6073a4f693d9ee73eb3adffcc871b6c15e9742b65
Opcode Fuzzy Hash: c7a21f67512c72e2b69255c062fd394e3d7e2aadb4332a976f69998f067e107a
Instruction Fuzzy Hash: 95316A75A0074A9FDB14CFAAC880BDEBBB5FF49704F10406AEA04AB381D771A945DF90

Function 00FE3C8B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00FE3D18
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FE3D23

Strings

Combobox, xrefs: 00FE3CE5

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 108e12524fa52b3b0a8b992ac88e3d2d47137e7bd8b84591a0a7da23368f2bb8
Instruction ID: 1a7ed293eab68c5c9b688f3a61cadc197ebacd8917c2b28e9f524ffd33865830
Opcode Fuzzy Hash: 108e12524fa52b3b0a8b992ac88e3d2d47137e7bd8b84591a0a7da23368f2bb8
Instruction Fuzzy Hash: 4011E271B0024C6FEF219F55DC88FAB3BAAEB843A4F204124F9199B290D675DD51A7A0

Function 00FE41AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00F57873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F578B1
Part of subcall function 00F57873: GetStockObject.GDI32(00000011), ref: 00F578C5
Part of subcall function 00F57873: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F578CF

GetWindowRect.USER32(00000000,?), ref: 00FE4216
GetSysColor.USER32(00000012), ref: 00FE4230

Strings

static, xrefs: 00FE41F3

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 5fb78f295e4072437e2a3ecfb87623dd1bbf5c76f2e0bed5aa22b3db780a1d49
Instruction ID: aabbceafb9bb0c2fd64641d025af2dd9bea3e92095e24e532eb4c7967ab6a9fe
Opcode Fuzzy Hash: 5fb78f295e4072437e2a3ecfb87623dd1bbf5c76f2e0bed5aa22b3db780a1d49
Instruction Fuzzy Hash: CA116472A10249AFDB00DFA9CC45AFA7BF8EB08354F014928FE55E3250E735E850EB60

Function 00FCD763 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00FCD7C2
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00FCD7EB

Strings

<local>, xrefs: 00FCD7AB

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 66688bbf1a07b5b0f98928b63676c84b3d65a06a29b4c2187e5539a9aea65d03
Instruction ID: 3e51ce99ea2b9ae3c0514de0ea68dc40f3ccb60c35a32548c1e8f95011b3bb93
Opcode Fuzzy Hash: 66688bbf1a07b5b0f98928b63676c84b3d65a06a29b4c2187e5539a9aea65d03
Instruction Fuzzy Hash: DF11E37250123379D7344B628D8AFEBBE9CEF127B8F00422EB50992080D2748840E2F0

Function 00FB75ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00F5B329: _wcslen.LIBCMT ref: 00F5B333

CharUpperBuffW.USER32(?,?,?), ref: 00FB761D
_wcslen.LIBCMT ref: 00FB7629

Strings

STOP, xrefs: 00FB7623, 00FB7628

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: a11ecd2d4fc13885fb705d78b0e560e2895d669d893a789a5f3f6dfa21ac2cfc
Instruction ID: 9149da1c0c93a8e2996e62c8e53af0da35aaa2f53b50fe4d11a621131d98654b
Opcode Fuzzy Hash: a11ecd2d4fc13885fb705d78b0e560e2895d669d893a789a5f3f6dfa21ac2cfc
Instruction Fuzzy Hash: AE01C832A04B2B8BCB10BEBECC509FF73B6AB907607400524E825D6191FB35D904AA50

Function 00FB262B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F5B329: _wcslen.LIBCMT ref: 00F5B333

Part of subcall function 00FB45FD: GetClassNameW.USER32(?,?,000000FF), ref: 00FB4620

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00FB2699

Strings

ListBox, xrefs: 00FB2663
ComboBox, xrefs: 00FB2638

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 53db9036be8274a0c4e42b10a4f3f9d35e6c918eb3227f15f721101ff3061205
Instruction ID: a944ad1f0bd6df40c3199828ad8124b0ec3f171173c1610bdfa42059a0bac754
Opcode Fuzzy Hash: 53db9036be8274a0c4e42b10a4f3f9d35e6c918eb3227f15f721101ff3061205
Instruction Fuzzy Hash: 4E01D475A01215ABCB04EBA5CC51DFE7779FF46360B44061AB8726B2C1EA79580CEA50

Function 00FB2525 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F5B329: _wcslen.LIBCMT ref: 00F5B333

Part of subcall function 00FB45FD: GetClassNameW.USER32(?,?,000000FF), ref: 00FB4620

SendMessageW.USER32(?,00000180,00000000,?), ref: 00FB2593

Strings

ListBox, xrefs: 00FB255D
ComboBox, xrefs: 00FB2532

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 52e60bd29f3b3eaafd38dd7ab0a5321c26c058105c4fe289f20b2ac0734cea41
Instruction ID: c3f2c166c4ded245c414d77be36bb2a439da6e7374b605881d49b151e2daee11
Opcode Fuzzy Hash: 52e60bd29f3b3eaafd38dd7ab0a5321c26c058105c4fe289f20b2ac0734cea41
Instruction Fuzzy Hash: 3101A7B5A411096BCB14E791CD62EFF77A8DF46341F580019790267281DA599E0CAAB1

Function 00FB25A9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F5B329: _wcslen.LIBCMT ref: 00F5B333

Part of subcall function 00FB45FD: GetClassNameW.USER32(?,?,000000FF), ref: 00FB4620

SendMessageW.USER32(?,00000182,?,00000000), ref: 00FB2615

Strings

ListBox, xrefs: 00FB25E1
ComboBox, xrefs: 00FB25B6

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 00e1cc6bb0464fedde3c707e85037b39430b9c391f420db587d537b95afac57b
Instruction ID: 123ae6fca8a08f25a8166473f81ba93134d4e4969c94c5549341587710f1d9b6
Opcode Fuzzy Hash: 00e1cc6bb0464fedde3c707e85037b39430b9c391f420db587d537b95afac57b
Instruction Fuzzy Hash: 2401A276A4010566CB15F7A1DD51EFF77B89B05340F540029B902B7282DB699E0CBAB2

Function 00FB26B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F5B329: _wcslen.LIBCMT ref: 00F5B333

Part of subcall function 00FB45FD: GetClassNameW.USER32(?,?,000000FF), ref: 00FB4620

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00FB2720

Strings

ListBox, xrefs: 00FB26ED
ComboBox, xrefs: 00FB26C2

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 9d06dec0aba87a1394cd4820aafaec9451ac7dde0e4c6f56e28c3f5a18b7ff2f
Instruction ID: 5b703e7f1fd1949cb26aee480c9122eb475becfd00196b76dca24716d4d0f0bc
Opcode Fuzzy Hash: 9d06dec0aba87a1394cd4820aafaec9451ac7dde0e4c6f56e28c3f5a18b7ff2f
Instruction Fuzzy Hash: 4FF02875A4021467CB14F3A58C91FFE737CEF02351F540919B862B72C2DF69580CEA60

Function 00FB1461 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00FB146F

Strings

AutoIt, xrefs: 00FB1463
Error allocating memory., xrefs: 00FB1468

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 82832b04f729b3cff96b90ef3b0bfec5b211af58db19d3e29c1397569a8c8a61
Instruction ID: 6ca17ff11eed5f95ad90a87e763d49a8fe668cd3199447fa6ee210703fb32362
Opcode Fuzzy Hash: 82832b04f729b3cff96b90ef3b0bfec5b211af58db19d3e29c1397569a8c8a61
Instruction Fuzzy Hash: 4EE048313447587BD2142795BC03FC97A858F05B61F61842BF78C698C34EE76450769B

Function 00F710B3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00F6FAD4: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00F710E2,?,?,?,00F5100A), ref: 00F6FAD9

IsDebuggerPresent.KERNEL32(?,?,?,00F5100A), ref: 00F710E6
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00F5100A), ref: 00F710F5

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00F710F0

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 893de1e739ee30f2586b82eccc01d71600c8ee21fcac64e2cde91f7b885763c3
Instruction ID: aaa8bd21160831dec725e20d061867f731891b5a8f7a72836cf032873109da69
Opcode Fuzzy Hash: 893de1e739ee30f2586b82eccc01d71600c8ee21fcac64e2cde91f7b885763c3
Instruction Fuzzy Hash: D9E06D706003518BD3309F68E844302BBE8BF00301F40895EE989CA692EBB8D448EB92

Function 00FC39D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00FC39F0
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00FC3A05

Strings

aut, xrefs: 00FC39F9

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 8a0bf206bddb9c0c81a70e8731cb41e9d0684259704d236c2f03767ce4b7dcb0
Instruction ID: 525f2bc082695a1a8f34f0e48514341650019cf2c283c981dfd4ec6885687efc
Opcode Fuzzy Hash: 8a0bf206bddb9c0c81a70e8731cb41e9d0684259704d236c2f03767ce4b7dcb0
Instruction Fuzzy Hash: 62D05E729003286BDA20A7A59C4EFCB7A6CDB44610F4002A1BB959A091DAB4DA85CB90

Function 00FE2DF2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FE2E08
PostMessageW.USER32(00000000), ref: 00FE2E0F

Part of subcall function 00FBF292: Sleep.KERNEL32 ref: 00FBF30A

Strings

Shell_TrayWnd, xrefs: 00FE2E01

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: dd6e09a6a3d00c699b452b124afed63214a5907ad6b66f330567c770227e03fc
Instruction ID: cfcdc77119b797cc953eaf8de65b7314fae707d8c15afe30b29f6f69067b1451
Opcode Fuzzy Hash: dd6e09a6a3d00c699b452b124afed63214a5907ad6b66f330567c770227e03fc
Instruction Fuzzy Hash: 8DD022353C13447BF224B330EC4FFC23B10AB00B00F1048347345AE4D0C8E46800DA44

Function 00FE2DBE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FE2DC8
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00FE2DDB

Part of subcall function 00FBF292: Sleep.KERNEL32 ref: 00FBF30A

Strings

Shell_TrayWnd, xrefs: 00FE2DC1

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: e8a118daaefc58203920b2bc09485d1a8a406b2fa36ab7e0e076fd764848608f
Instruction ID: 4350cdc46e121bf09ea5f25c23ce909568bdd1a620e1abbd7151f85358c80906
Opcode Fuzzy Hash: e8a118daaefc58203920b2bc09485d1a8a406b2fa36ab7e0e076fd764848608f
Instruction Fuzzy Hash: 9FD02239380344BBE224B330EC4FFD23B10AF00B00F1048347349AE4D0C8E46800DA40

Function 00F8C17D Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00F8C213
GetLastError.KERNEL32 ref: 00F8C221
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F8C27C

Memory Dump Source

Source File: 0000000C.00000002.2466629985.0000000000F51000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.2466608412.0000000000F50000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000000FED000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466703635.0000000001013000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466756338.000000000101D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2466779476.0000000001025000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_Epson.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 31553b07c561ecb9926cdbbe631f6a6ae9c1d778160bb7647e3355b4b4166957
Instruction ID: 41cf17d3ac5c23d0eea5a5408f7ea5f6afe4f354e9660f0818e4f73c6c6e3c56
Opcode Fuzzy Hash: 31553b07c561ecb9926cdbbe631f6a6ae9c1d778160bb7647e3355b4b4166957
Instruction Fuzzy Hash: 4B41E531A00605AFDB21AFE4CC44BFA7BA5EF11320F244169F9599B1E1DB308D00EBB0

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SoftWare(1).exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\250478\Epson.com

C:\Users\user\AppData\Local\Temp\250478\m

C:\Users\user\AppData\Local\Temp\Academy

C:\Users\user\AppData\Local\Temp\Accepting

C:\Users\user\AppData\Local\Temp\Classifieds

C:\Users\user\AppData\Local\Temp\Concern

C:\Users\user\AppData\Local\Temp\Conclude

C:\Users\user\AppData\Local\Temp\Do

C:\Users\user\AppData\Local\Temp\Dodge

C:\Users\user\AppData\Local\Temp\Grand

C:\Users\user\AppData\Local\Temp\Hydraulic

C:\Users\user\AppData\Local\Temp\Katrina

C:\Users\user\AppData\Local\Temp\Loops

C:\Users\user\AppData\Local\Temp\Man

Windows Analysis Report
SoftWare(1).exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre